| Thread ID: 74737 | 2006-12-03 16:55:00 | ATM Schemes...& They Will Affect You! | SurferJoe46 (51) | PC World Chat |
| Post ID | Timestamp | Content | User | ||
| 504011 | 2006-12-03 16:55:00 | This is out on the web and, having no credits, it appears to be open domain at the moment. I googled it and found no real ref to anyone/anything who might control the info... even BBC, Reuters, World National Press... etc...

U.S. Secret Service memo finds that some organized criminals are systematically attempting to subvert the ATM system and unscramble encrypted PIN codes.

Researchers working for an Israeli computer security company say they have found a fundamentally open weakness in the system that banks use to keep debit card PIN codes secret while they are transported across bank networks -- a flaw that they say could undermine the entire debit card system. The U.S. Secret Service, investigating the matter, compiled a memo indicating that organized criminals are systematically attempting to invade the ATM system and unscramble encrypted PIN traffic. The report has inflamed a debate within the banking industry, with many financial industry experts downplaying the seriousness of the flaw and outside experts divided on its implications; but there is no disputing the impact that such a hack would have if successful. Using the methods outlined by the researchers, a hacker could siphon off thousands of PIN codes and compromise hundreds of banks, said Odelia Moshe Ostrovsky, the report's principal author. Criminals could then print phony debit cards and simultaneously withdraw vast amounts of cash using ATMs around the world, she said.

Automated Teller Machines and point-of-sale debit card sales are a massive part of the global economy. In the U.S. alone, ATMs perform about 8 billion transactions every year and dispense $600 billion in cash, according to a study released earlier this year by Dove Consulting. The volume of retail store PIN-based debit card transactions is even higher.

Word of the apparent security flaw first surfaced two weeks ago, when Ostrovsky and other researchers at Algorithmic Research (ARX) published a paper stating that it would be possible for someone with access to the ATM network to attack the special computers that transmit bank account numbers and PIN codes, called hardware security modules. (Me here: ARX manufactured the machines in the first place!)

When consumers enter their personal identification numbers, or PINs, into an ATM, the PIN and account number must travel through several computers on a special network before they arrive at their home bank for verification. The data is encrypted immediately after it's entered at the ATM into what is known as a PIN block, then sent on its way. Rarely does the transmission go directly to a consumer's bank. Instead, it is handed off several times on a banking network run by several third parties. Each time a bank passes the data along, it goes through a switch that contains the hardware security module, and the PIN block is unscrambled and then rescrambled. It is at these intermediate points where hackers could trick the machines into divulging PINs, the ARX researchers said. "We show in these attacks that using only (a single) function we can reveal the content of every PIN block as if it's not encrypted," said Ostrovsky.

PINs thought to be unassailable in transit

The theory for attack is significant because it has long been considered impossible to access PINs as they are traveling through the ATM network without the encryption key used by the card-issuing bank; but the ARX report said issuer keys are not necessary because computers along the network can be tricked into revealing PINs through a series of electronic queries that would enable criminals to make educated guesses about -- and possibly break -- the encryption code.

(Note this part): ARX sells hardware security modules to ATM networks, but Ostrovsky said its machines also are vulnerable to the attacks because they must communicate with other ATM network computers using the flawed protocols. Ostrovsky said her company shared the research with the Visa credit card association's risk management team and other U.S. financial industry security experts six months ago, and recommended systemwide ATM network changes. But U.S. banks weren't reacting fast enough to the risk, she said, so ARX decided to go public with its information and two weeks ago published a paper titled "The Unbearable Lightness of PIN Cracking" (www.arx.com/documents/The_Unbearable_Lightness_of_PIN_Cracking.pdf), which is now available on the Internet (in Adobe Acrobat format). Kim Bruce, a spokeswoman for the Secret Service, confirmed that the agency had been in contact with ARX to discuss the paper's findings, but declined to provide additional detail.

Visa: Attack 'highly unlikely'

A spokeswoman for Visa, which owns part of the ATM network and helps write security standards for it, said they had confirmed that the flaws described in the paper are real, but that the threats they pose are minimal. "This research paper addresses an area that has been known for some time to the payments industry," said Rosetta Jones (Visa). "There are a range of standard security measures in place within member institutions and processors -- including limited access to databases and segregation of duties -- that make this kind of attack highly unlikely. Through these layers of security, Visa and our member financial institutions are working to prevent the kinds of attacks theorized in the paper." She also said there is no evidence the attacks outlined by ARX have been attempted by criminals. "We are not aware of any instance where this kind of attack has actually occurred, and there is no link between the attack outlined in this paper and any recent data compromises," she said.

It is clear, however, that organized criminals are systematically attempting to subvert the ATM system and unscramble encrypted PIN traffic.

Russian Web sites indicate organized attacks

Russian-language Web sites are abuzz with discussions about ATM network attacks, including discussion of the Israeli report, according to data gathered by the Secret Service and viewed by MSNBC.com. "In the fall of 2005 work for everyone was so successful because an employee of one of America's processors sold a database of material that went through its processing center...," wrote a hacker who belongs to an online gang called Mazafaka, according to an English translation of a Russian Web site compiled by the Secret Service. "This material was then successfully exploited by our carder friends. The consequences of this deal could even be monitored on CNN, as well as in our own work (this applies to cashers). You may have noticed that after this event, ATMs more and more frequently give transaction declined notices or give a small sum on the first transaction and then block the card." In another exchange cited in the Secret Service memo, a hacker offers to pay for databases of encrypted PINs, which theoretically should be useless unless someone had discovered a way to translate the data into valid PINs. In still another post, one claims to have recovered account data by hijacking hardware security modules.

Industry downplays the threat

Nessa Feddis, a spokeswoman for the American Bankers Association, also downplayed the scenario outlined by the Israelis and the overall hacking threat, saying that while PINs are always going to be a target, the ABA is not aware of any ability to undo the encryption. A spokesman for First Data Corp., which owns the STAR network, one of the largest ATM processing networks, said the company would not comment on the research paper. Other bank security groups also downplayed the threat. Catherine Allen, CEO of the Financial Services Roundtable's BITS organization, a consortium of security experts from the nation's top 100 financial institutions, said the risk suggested by the ARX paper is minimal because U.S. banks have already addressed the security concerns. Banking analyst Avivah Litan, an industry consultant with security firm Gartner, said banks aren't reacting strongly enough to the report. "This is nothing short of startling," she said. "No one is paying attention to this and I don't know why. It undermines the whole premise of ATM security."

How the attacks would work

The attacks described in the ARX paper could not be conducted remotely over the Internet. They would require a criminal to be on the same local network as the hardware security module. Because ATM switches are heavily guarded and monitored, such access is unlikely, argued a BITS representative, who spoke on condition of anonymity. Such ATM switches can be located anywhere in the world, Ostrovsky countered. That creates a weakest-link vulnerability in which one poorly guarded switch could theoretically be used to compromise every bank whose debit cards have flowed through that switch, she said. Each switch contains a hardware security module, which is a simple computer in a tamper-proof box designed to perform a few PIN-related functions, beginning with decrypting and encrypting. The boxes also contain other small programs, or functions, which allow the machines to change a customer's PIN or calculate other PIN-related values. Most ATM switches don't need these tools; however, they are often available by default. This unnecessary software is exploited in some of the attacks described by ARX, which recommends that switch operators turn off the unnecessary functions.

But even that's not enough, Ostrovsky said. The one essential function of a switch -- encrypting and decrypting, a process known as translate -- is all an attacker needs to trick the machine into divulging PINs, a hack that would put nearly every ATM switch at risk, she said. "This is not an attack on a certain configuration or installation. This is an attack on the protocol itself. It must be updated," Ostrovsky said. There are competing protocols, or PIN block formats, in use in the ATM network, and each machine must support all those formats, she explained. In one version, the 16-digit PIN block contains two formatting characters, four PIN characters, and 10 additional slots with information about the customer's account number. That's the standard used in the U.S. Another standard combines the formatting characters and PIN characters with random digits, and sends the account number separately. The translate function not only assists in encrypting; it also allows the machine to translate the PIN block from one format to another. This allows an attacker to take advantage of the weaknesses of both, creating a least-common-denominator vulnerability, Ostrovsky said. The BITS representative who spoke on condition of anonymity conceded such attacks are feasible, but called the risk "very, very, very, very remote." He added that bank robbers have much easier ways of stealing money than complicated PIN prediction tactics. Litan is not so sure: she said the research paper undermines the basic premise of ATM network security -- the idea that only a computer loaded with the encryption key created by the issuing bank can reveal a PIN. "The premise was 'It doesn't matter what happens along the path,' so even people who could access the PIN blocks couldn't do anything with them," she said. "This blows that out of the water."

'A worrisome thing'

Michael McKay, an independent consultant who helped design Hewlett Packard's hardware security module, called Atalla, described the ARX attack as "a worrisome thing, a real concern." "It's commonly thought that there are some organized crime groups that have made concerted efforts on this," he said. "So we believe there have been people who've cracked parts of the system." Ross Anderson, a cryptology expert at the University of Cambridge in the United Kingdom who has written several papers on ATM security, called the ARX paper "a fairly big deal." Anderson noted that previous research also has demonstrated widespread vulnerabilities in the ATM PIN system. He cited a paper he co-wrote with student Mike Bond in 2001 that showed that many supposedly tamper-proof cryptographic systems can be fooled into divulging information by sending them confusing commands (Acrobat). Another paper, authored by Bond, showed that a would-be ATM hacker could use flaws in the way banks generate PINs that could reduce the number of average guesses required to mathematically discover a PIN from 5,000 to as few as 15 (Acrobat). "Customers can't rely on bank assurances that 'our systems are secure,'" Anderson said. Banks hit by a successful attack like the one described by the Israeli researchers may not even know the origin of the theft, Ostrovsky said. An insider would simply steal the PINs, create associated fake debit account cards, and steal money from ATMs around the world. Consumers who complained that money was missing from their accounts might be met with skepticism, she said. Consumers should watch their accounts for any signs of suspicious activity, but other than that there isn't much they can do in response to this research, McKay said. Bank industry officials point out that the attacks must be carried out by someone with direct access to an ATM switch, limiting the potential for abuse. But Litan said the limitation is hardly reassuring. |
SurferJoe46 (51) | ||
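The article above describes two PIN block formats (one that folds the account number into the 16-digit block, one that uses random fill and carries the account number separately) and an HSM "translate" function that converts between them. The following is an added example, not code from the article, from ARX, or from any HSM vendor: it builds and parses ISO 9564-1 format 0 and format 1 PIN blocks in the clear, and shows the clear-text conversion step that sits inside an HSM's translate. The PAN, PINs and fill digits are constructed sample values; no encryption or HSM key handling is modelled, since real PIN blocks are only ever in the clear inside the tamper-resistant boundary.

```python
"""ISO 9564-1 PIN block formats 0 and 1, clear-text only.

Constructed example (not the article's, ARX's, or any vendor's code).
Format 0 binds the PIN block to the customer's PAN by XOR; format 1 uses
random fill and carries no PAN at all. An HSM 'translate' decodes one
format and re-encodes the other between its decrypt and re-encrypt steps.
"""
import secrets
from typing import Optional

PIN_BLOCK_NIBBLES = 16
HEX = "0123456789ABCDEF"


def _check_block(block: str) -> None:
    """Reject anything that is not exactly 16 uppercase hex digits."""
    if len(block) != PIN_BLOCK_NIBBLES or any(c not in HEX for c in block):
        raise ValueError("PIN block must be 16 uppercase hex digits")


def _check_pin(pin: str) -> None:
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")


def _xor_hex(a: str, b: str) -> str:
    """Nibble-wise XOR of two equal-length hex strings, uppercase result."""
    return "".join(f"{int(x, 16) ^ int(y, 16):X}" for x, y in zip(a, b))


def _pan_field(pan: str) -> str:
    """Format 0 account field: '0000' + rightmost 12 PAN digits, check digit excluded."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return "0000" + pan[:-1][-12:]


def encode_iso0(pin: str, pan: str) -> str:
    """Format 0: control nibble '0', PIN length, PIN digits, 'F' fill, XOR PAN field."""
    _check_pin(pin)
    pin_field = f"0{len(pin):X}{pin}".ljust(PIN_BLOCK_NIBBLES, "F")
    return _xor_hex(pin_field, _pan_field(pan))


def decode_iso0(block: str, pan: str) -> str:
    """Recover the PIN from a format 0 block; the wrong PAN yields a malformed field."""
    _check_block(block)
    pin_field = _xor_hex(block, _pan_field(pan))
    if pin_field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    length = int(pin_field[1], 16)
    pin, fill = pin_field[2:2 + length], pin_field[2 + length:]
    if not 4 <= length <= 12 or not pin.isdigit() or fill != "F" * len(fill):
        raise ValueError("malformed format 0 PIN block (wrong PAN or corrupted block)")
    return pin


def valid_iso0(block: str, pan: str) -> bool:
    """True if the block parses as a well-formed format 0 block under this PAN."""
    try:
        decode_iso0(block, pan)
        return True
    except ValueError:
        return False


def encode_iso1(pin: str, fill: Optional[str] = None) -> str:
    """Format 1: control nibble '1', PIN length, PIN digits, random hex fill; no PAN."""
    _check_pin(pin)
    needed = PIN_BLOCK_NIBBLES - 2 - len(pin)
    if fill is None:  # fresh random fill, as the standard intends
        fill = secrets.token_hex((needed + 1) // 2)[:needed].upper()
    if len(fill) != needed or any(c not in HEX for c in fill):
        raise ValueError(f"fill must be {needed} uppercase hex digits")
    return f"1{len(pin):X}{pin}{fill}"


def decode_iso1(block: str) -> str:
    """Recover the PIN from a format 1 block; nothing ties it to an account."""
    _check_block(block)
    if block[0] != "1":
        raise ValueError("not a format 1 PIN block")
    length = int(block[1], 16)
    pin = block[2:2 + length]
    if not 4 <= length <= 12 or not pin.isdigit():
        raise ValueError("malformed format 1 PIN block")
    return pin


def translate_clear(block: str, from_fmt: int, to_fmt: int, pan: str,
                    fill: Optional[str] = None) -> str:
    """Clear-text core of an HSM translate between formats 0 and 1 (hypothetical helper)."""
    pin = decode_iso0(block, pan) if from_fmt == 0 else decode_iso1(block)
    return encode_iso0(pin, pan) if to_fmt == 0 else encode_iso1(pin, fill)


if __name__ == "__main__":
    pan = "4321987654321098"  # constructed sample PAN
    blk0 = encode_iso0("1234", pan)
    print("format 0:", blk0, "->", decode_iso0(blk0, pan))
    blk1 = translate_clear(blk0, 0, 1, pan)
    print("format 1:", blk1, "->", decode_iso1(blk1))
```

The two decoders make the structural difference visible: a format 0 block can only be parsed back into a PIN with the right PAN (any other PAN leaves non-F fill or non-decimal PIN digits, which `decode_iso0` rejects), whereas a format 1 block parses with no account information at all. That asymmetry is what the article means when it says translate lets each format's weakness apply to the other; a switch operator reviewing HSM configuration would want translate-to-format-1 disabled wherever the business flow does not require it, alongside the unused PIN functions ARX recommends turning off.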
| 504012 | 2006-12-03 21:31:00 | ..... Consumers should watch their accounts for any signs of suspicious activity, but other than that there isnt much they can do in response to this research, McKay said. This bit is actually the critical bit - anyone owning/using a credit card and making transactions via the interweb or just face-to-face retail transactions should ALWAYS check their statement carefully for unexpected, unauthorised or 'amended' transactions... The rest is pretty much out of the control of Joe and Jill Average... Must have been a slow-news day :D - banks know about the issue and someone at ARX was obviously p****d off at someone enough to leak this info to the media to stir up some trouble/publicity. |
johcar (6283) | ||
| 504013 | 2006-12-04 07:36:00 | Nah. There's much more risk from someone plainly guessing your PIN. You'd be amazed at the amount of people who just choose "1234" as their PIN. | Antmannz (6583) | ||
| 504014 | 2006-12-04 08:20:00 | Or 'password' as their password :groan: | johcar (6283) | ||
| 504015 | 2006-12-06 08:27:00 | Nah. There's much more risk from someone plainly guessing your PIN. You'd be amazed at the amount of people who just choose "1234" as their PIN. hhmmm, how do you know this Antmannz?? are you one of those criminal types too huh? haha :P |
bizzack (7739) | ||
| 504016 | 2006-12-06 11:10:00 | hhmmm, how do you know this Antmannz?? are you one of those criminal types too huh? haha :P It's common knowledge. |
mikebartnz (21) | ||
| 504017 | 2006-12-07 01:46:00 | Too many years (a while ago) in the banking industry ... which is criminal. :p Actually now that I think about it, PINs were never held by the bank, they were always just written to the card. From what I remember (this may have changed), ATM cards had 4 magnetic tracks on the strip. Track 1 was for the account number. Track 2 was for the PIN. Track 3 was blank. Track 4 was for recording the last transaction and the balance of the CHQ and SAV accounts. Tracks 1 and 2 were written to when your card was first issued and are read-only when using an ATM / EFTPOS. Track 4 was writeable by ATM and EFTPOS machines. Reason being that if the machines were offline, you could still withdraw cash based on the balance recorded on the card. The ATM would then write back the calculated balance to the card. I remember that the major worry back then was having ATMs go offline sometime during benefit day - whereby those of an unscrupulous nature would be able to withdraw their benefits twice, and give the staff grief the week after when their benefit (or "wages", as most like to call it) would only cover the overdrawn amount. Some had even worked out that the ATMs went offline for about half an hour late every Friday night (when the bank switched to its backup site). They would request a balance via the ATM earlier in the week, withdraw cash over the counter, and then withdraw as much as they could on the Friday during ATM offline time. Anyway, it's likely the tracks and information stored on the mag stripe has changed since the mid-90s, but I would still be surprised if PINs were held in a central repository in NZ. Even back then it was considered too dangerous to do so. |
Antmannz (6583) | ||
| 504018 | 2006-12-07 18:20:00 | Hey Antmannz, one thing I have been wondering about is how do banks know if you are a PR of NZ? As my fiancée wants to get hire purchase from Harvey Norman, and she won't be a PR for another two months... is it like if you tell them? or can they tell from your IRD number? :thumbs: |
bizzack (7739) | ||
| 504019 | 2006-12-07 19:24:00 | The whole PIN number system stinks! I have PINs for two credit cards. Online banking with two banks and phone banking. Everything has PIN numbers and account numbers and ID numbers and verification numbers. And the bloody stupid banks rave on about not writing your numbers down, and don't use easily guessed numbers, etc., etc. Do the banks seriously think anyone can remember all these numbers? Is there anyone who doesn't have their numbers written down somewhere? |
JJJJJ (528) | ||
| 504020 | 2006-12-07 19:38:00 | "The whole PIN number system stinks! I have PINs for two credit cards. Online banking with two banks and phone banking. Everything has PIN numbers and account numbers and ID numbers and verification numbers. And the bloody stupid banks rave on about not writing your numbers down, and don't use easily guessed numbers, etc., etc. Do the banks seriously think anyone can remember all these numbers? Is there anyone who doesn't have their numbers written down somewhere?" I agree with you JJJJJ - however I don't have my PIN written down anywhere - I have synchronised them so they are all the same. :D If you take photo ID into your bank (so they believe you are who you say you are), you will find they have a little machine on their Customer Service counter that allows the setting (or re-setting) of PINs of EFTPOS and Credit Cards. A two minute job will have your PINs synchronised (if you have the time to wait in a queue - this being the time of year that it is! :) )... |
johcar (6283) | ||