Slashdot Mirror

← Back to Stories (view on slashdot.org)

Possible Serious Security Flaw In ATMs

Posted by Zonk on from the my-money-is-flighty-enough-as-it-is dept.

sfjoe writes "According to a story at MSNBC.com, researchers at Algorithmic Research (ARX) have shown it may be possible for 'someone with access to the ATM network to attack the special computers that transmit bank account numbers and PIN codes, called hardware security modules'. Using these methods, an attacker could trick the security modules into exposing a PIN. It has long been considered impossible to access PINs as they are traveling through the ATM network without the encryption key used by the card-issuing bank. If PINs can be compromised, the almost 8 billion transactions per year they handle may be in danger. Not to mention all the transaction at retail stores."

15 of 167 comments (clear)

  1. Poink-Poink-Poink-Poink by Stanistani · · Score: 4, Funny

    *Looks left and right*

    Stop reading my tones!

    --
    You can't talk about Wikipedia's flaws on Wikipedia
    1. Re:Poink-Poink-Poink-Poink by statusbar · · Score: 4, Interesting

      And that is why organized crime has their own ATM division:

      http://www.beyondrobson.com/tech/2006/10/avoid_ban k_fraud_i_didnt/

      Therefore, not only is the ATM network insecure, it always has been for other reasons.

      --jeffk++

      --
      ipv6 is my vpn
  2. The reality of this is... by __aaclcg7560 · · Score: 4, Funny

    Getting a bigger mattress to store my cash in.

    1. Re:The reality of this is... by mordors9 · · Score: 4, Insightful

      I know I am probably the exception amongst most of you. We don't have an ATM card, we go down to the corner bank to get money out the old fashioned way. Everyone at the branch knows the wife and I and no one else could get money out without generating a lot of questions. There's a lot to be said for the good old days.

    2. Re:The reality of this is... by Chosen+Reject · · Score: 4, Insightful

      I used to be a teller in a bank a few years ago. It is a very transitory position. I was there for nearly two years and there were few who had been there longer than I and many who had come and gone. Give it some time and people at the bank won't know who you are.

      Having said that, I hope that even if they do know who you are, that they ask to see ID every time, like my teller colleagues and I did. A lot of people have this silly notion that the only time we ask for ID is if the person in front of us is not the person on the account. For some reason they didn't understand that we had no way of knowing that until we had seen ID. When we asked we actually had idiots say "Why? I'm the owner of the account," as if we would turn red in the face and say "Of course you are. How silly of me to ask. Certainly a criminal would have provided us with ID without being asked."

      But if tellers ever get to the point that store clerks do (and I suspect many have) then any old schmoe will be able to take money out of your account. I can't tell you how many times I've had cashiers ring up a sale without ever even looking at either my ID or my signature on the back of the credit card. I've had times where I offered and was refused, as if they didn't want to have anything to do with security checks of any variety as that might bring upon them responsibility or something. I'm not talking about small purchases here either.

      So my point is, if bank tellers get to the point of laziness as most cashiers, you're money isn't safe in the bank whether or not you have an ATM card. The best you can do is keep an eye on it and report anything as soon as it happens.

      --
      Stop Global Warming!
      Just say no to irreversible processes!
    3. Re:The reality of this is... by Sillygates · · Score: 4, Insightful

      The ATM machines should directly encrypt the card info with the issuing bank's public key(or at least with the single operators public key, and then only get re-encrypted once, by that trusted machine)....that way the men in the middle/other banks along the way do not have the ability to see the transaction info

      --
      I fear the Y2038 bug
  3. Intercepting Transmission by DigitalRaptor · · Score: 4, Interesting

    I saw a news report the other day of a guy that hooked his a device (it may have been an iPod) to the back of an ATM where the phone line comes out, and intercepted the signal transmitting the information.

    He was able to get credit card numbers, pins, and all of the other information transmitted, and stole a lot of money before being caught. And he wasn't caught by bank security or software, he was caught because a clerk was paying attention, IIRC.

    --
    Lose Weight and Feel Great with Isagenix
    1. Re:Intercepting Transmission by DigitalRaptor · · Score: 4, Informative

      Here is the story.

      --
      Lose Weight and Feel Great with Isagenix
  4. Let's just get this clear right now... by Anonymous Coward · · Score: 5, Funny

    First one to refer to "ATM Machines" or "PIN numbers" gets slapped.

  5. Holding All the Cards by Doc+Ruby · · Score: 5, Interesting

    Every bank I know of with back-end offices here in NYC requires everyone passing through their building doors to use onetime password cards (usually RSA keycards) for access. Yet those banks all make us run around broadcasting our PINs to whichever fly-by-night ATM dispenses $100 latenight when we're drunk.

    The cost of chipcards that generate onetime passwords, to protect from replay attacks, is minimal. Especially compared with fraud and theft. What's taking them so long?

    --

    --
    make install -not war

  6. Easier to manually do it by Evets · · Score: 3, Insightful

    It would be easier to simply use a video camera over the shoulder of an ATM visitor, and just as effective.

    Using the information directly at an ATM to get a couple of hundred dollars would be too much effort, too high risk, and too little return. More likely, the PIN would be used to obtain larger sums of cash via other methods - calling in a bank transfer or something to that effect.

    While on the surface it seems unlikely that somebody would go through the hassle, if one gained access to the ATM network, and had means to unencrypt the traffic at least in part, there is a great deal more potential for crime than simply obtaining an ATM PIN number.

    Banks shouldn't be reliant on security at the switches either - all it takes is one bad employee to reduce the effectiveness of on site security to nothing, and I imagine with the pay rates they are kicking out, there are more than a few employees vulnerable to trouble of one sort or another.

  7. New Title to Earn? by failedlogic · · Score: 3, Funny

    So if someone cracks the system do they become "The Lord of the PINS?"

    Sorry, obvious pun joke. Had to make it. Any others?

    1. Re:New Title to Earn? by __aaclcg7560 · · Score: 3, Insightful

      No, I think that person becomes a "PIN cushion". :P

  8. So just use it as a credit card? by letsgolightning · · Score: 4, Interesting

    I realize this topic is mostly meant for using a card at an atm to take out cash and the like, but whenever I use my debit card to actually buy something, I make sure to use it as credit, even though most stores' touch-and-swipe pads love to default to a keypad to enter a pin. I just hit 'cancel' then 'credit' and sign the screen. No pin gets transferred, so I don't have to worry about anyone stealing it. Usually, they ask for an id because my signature is so awful (added security for me). I get points for my purchases, which I may be able to redeem within the next decade. And best of all, if anyone does decide to defraud me this way, Visa and my bank will give me the stolen funds back (my bank covers the $50 or so 'deductible' that Visa normally wants). To quote Micheal Scott, it's a win-win-win. I'm safer, my money's safer, and Sam Walton gets less profits because he now has to pay Visa processing fees.

    --
    2^4 * 3 * 20929
  9. This is highly unlikely by marcgvky · · Score: 3, Informative

    I personally have experience configuring the HSM's and implementing the types of security referred to in this article. To understand how unlikely this hack is, I would have to go into a deep conversation with regard to how these HSM's are supposed to be configures and implemented. The brief version: Typically, PIN's are stored by your card issuer ONLY in their encrypted format. The keys that do the encryption are stored in the HSM and SHOULDN'T be exportable. When enter your PIN at a POS or ATM, it is 3DES encrypted and sent over the wire as an encrypted pin block (EPB). When an inbound EPB is fed into the HSM, the originating bank pulls an encrypted version of your PIN and feeds that into the HSM. The HSM _should_ be a black box and decrypts both in inside of protected memory, makes a comparison of the two PIN's, and returns TRUE or FALSE. PIN's are stored by the card issuer in encrypted form and are NEVER reversible to people. When you forget/lose your PIN, the card issuer will typically issue a new PIN. That's because they CAN'T read a PIN. The PIN is DES encrypted by a symetric 128-bit key that is encrypted by another key which is NEVER NEVER known to any human. If this hack is proposing to repeatedly "guess" EPB's until they get one right, or do EPB->EPB translation until they get something that makes sense.... you would be better off buying lottery tickets. LOL