Citibank Tries to Hush ATM Crypto Vulnerability

palme999 writes "Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions. The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers accounts because they claim their systems are secure."

Another ATM pin crack in the news today!!

[goombah99]

The Register reports that Mike Bond and Piotr Zielinski have detailed how any ATM programmer (bank, repairman, etc..) insider can crack any ATM PIN in just 15 guesses. Banks use a hardware encryption scheme to avoid the having a crackable psswd-like file. Oops...turns out theres a hole in the hardware design. Direct link to download the pdf paper. Here is how the crack works. first you have to understand how the pin is generated. banks had two problems they needed to solve, first an ATM had to be able to verify a card even if it went off-line from the bank computers. Thus to allow for on the spot verification, the pin has to derivable from the card somehow. Second, they also did not want to endure the security risk having to distribute a list of all PIN numbers of all cards to all machines, even if it was encrypted. So the scheme they came up with is they take your PIN number and DES encrypt it, and the first four digits of the encrypted number becomes your base PIN. Then to allow you to change your pin, they permit an offset number. Since knowing this offset number does not tell anyone the base PIN, these offset numbers can be kept in the public domain and distributed worldwide. thus when you type in your "pin" number to an ATM the sequence of steps is the machine reads the account code off the mag stripe, DES encodes it, grabs the first four numbers, adds your public offset, and compares it to the number you typed in at the key pad. to keep everything secure the entire process is done in hardware. So even a priviledged bank employee could not have access to the encrypted account code and thus learn the PIN. But wait, there's just one teeny tiny extra step I omitted that causes all the problems. when you DES encode something you get back a HEX number and since PINS are decimal you have to convert it to a decimal number. There's lots of ways you could do this, but what is done is simply to have a table that maps the 15 hex digits 0...F many-to-one down to 0...9. Again still no problem if this mapping had been done in hardware. Unfortunately, it was not viewed as a securtiy risk and this mapping table is not fixed but is rather a software input to the hardware unit. Any one with access to the hardware device such as a priviledged bank employee or a repair man, or someone who found one at a salvage yard can send a substitute table to the hardware. And thats where the problem lies. The paper gives several crack approaches one of which takes 15 tries maximum and is not easily explianed in a few words. they also give a simpler approach that takes max of 46 steps to get the pin which I'll explain. first change the many-to-one mapping to all zeros, except for 1 digit. say this digit is a 3. Then type in a trial PIN of 0000. the hardware unit will say this pin is a correct match unless the encrypted Account number happens to have a 3 anywhere in it. (all other get mapped to zero) Next Change the map to all zeros, except say for say the digit 4, and repeat. after trying all ten digits, you know know which digits are in the PIN number. Now you just try all permuations of these. worst case is a total of 36+10=46 trials. Their other algorithm is more efficient (only 15 trials maxiumum), but you get the idea. I note that this is a big problem for the banks. The reason is that it would not simply do to replace the hardware units with ones that have a fixed map table. The PINS are crackable by anyone who still has one of the old hardware units. To fix the system they would have to both change all of the ATM hardware, change the DES salt in the hardware (to render old machines useless), and change everyone's PINS. this would all have to be done simultaneouly, world wide in every ATM for the banking systems ATMs not to stop working for customers. alternatively I guess they could upgrade all the hardware slowly if they were willing to leave the crack in place until they finished. to do this they woul have to have two sets of offsets. one for the new machines and one for the old machines. the cards would remain crackable until the last machine was removed and the users changed their PIN numbers. I note that in a real system it only takes about 5000 tries on average to crack a 4 digit pin. However, the hardware units limit the rate of trials, so that reducing the number of trials by a couple orders of magnitude is significant.