Kuro5hin.org: technology and culture, from the trenches
Banks attempt to cover up worst PIN vulnerability yet

By sjmurdoch in News
Thu Feb 20, 2003 at 02:02:14 PM EST
Tags: Security

As summarised on Cryptome, a new vulnerability (PDF) has been discovered in the crypto co-processors used by banks worldwide which allows insiders to trivially find out PINs of any or all of that bank's customers. The attack was discovered by Ross Anderson and Mike Bond in the course of their investigation into a "Phantom Withdrawal" court case where a bank customer had money debited from their account but denied that their card or PIN was used.

In a new twist Citibank has applied for a court order (PDF) which could prevent public disclosure of this flaw. Ross Anderson has produced a response (PDF) opposing such an order.


Banks rely upon tamper-resistant crypto co-processors (some of these have already been shown to have vulnerabilities) to keep customer PINs secret in the face of potential insider attack. However, the new attack requires much less sophistication than the previous state-of-the-art, so insider attack is a realistic possibility.

There has been a growing number of phantom withdrawals; however, the banks have denied that these are possible because of the protection applied to PINs. Perhaps one of the reasons for the increase in cases is that corrupt employees have discovered this or other vulnerabilities and are using them to make withdrawals from unsuspecting people's accounts.

This case raises the question of vulnerability disclosure policy: whether the banks should be forced to improve the security of their systems (through market pressure or regulatory intervention) or whether they should be permitted to cover up the flaws.

Banks attempt to cover up worst PIN vulnerability yet | 100 comments (80 topical, 20 editorial, 0 hidden)
Are you a US citizen? (2.60 / 10) (#1)
by mirleid on Thu Feb 20, 2003 at 06:47:02 AM EST

Because if you are, you might be guilty (under the DMCA) of spreading information on how to circumvent protection systems/safeguards :-)...



Chickens don't give milk
Re: Are you a US citizen? (5.00 / 3) (#4)
by sjmurdoch on Thu Feb 20, 2003 at 06:55:14 AM EST

No I'm not - but that doesn't matter. The DMCA only protects copyright protection mechanisms, and this has nothing to do with copyright.
--
Steven Murdoch.
web: My Home Page
[ Parent ]
And what of it? (none / 0) (#92)
by Dyolf Knip on Sun Feb 23, 2003 at 05:34:47 AM EST

Just how many times has the DMCA been used (and threats made to use it) when it had no bearing or the case was exempt? Let's see, Blizzard vs bnetd (ability to copy was unaffected), RIAA vs Felten (encryption research is supposed to be exempt), MPAA vs 2600 (source code is no more a device than a blueprint), HP vs SnoSoft (no copy controls to be circumvented), Adobe vs ElcomSoft (ROT13 cannot reasonably be called 'effective'), DirecTV vs hackers (nothing's being copied; the signals are already there) all come to mind.

It is interesting to note that the strength of the DMCA is not the law itself but the ease with which the lawyers say they'll use it against you. When actually taken to court, (all of what, two times?) it stands absolutely no chance against a judge or jury not totally bought and paid for. But most of the targets cannot afford to go to court just to prove a point, so they get to continue doing it.

---
If you can't learn to do something well, learn to enjoy doing it poorly.

Dyolf Knip
[ Parent ]

Sometimes it had bearing (none / 0) (#95)
by squigly on Sun Feb 23, 2003 at 10:01:22 AM EST

MPAA vs 2600 (source code is no more a device than a blueprint),

Not so sure I agree.  I can't automate the production of a device from a blueprint.  I can from source code.  Sure, there are more arguments to support the view that it is different, but the legal system exists to resolve these disputes.

DirecTV vs hackers (nothing's being copied; the signals are already there) all come to mind.

Copyright covers broadcast.  Perhaps it shouldn't, but that's more of a complaint about copyright than the DMCA.  If we assume that satellite signals should be restricted to those who have permission to receive them, then applying a law to prevent tampering with equipment to enforce this law is reasonable.

Aside from these points, I agree.  If HP can threaten Snosoft, then the bank can threaten a researcher, whether or not they have any intention of carrying out the threat.

[ Parent ]

Au contraire (none / 0) (#96)
by Dyolf Knip on Sun Feb 23, 2003 at 02:08:53 PM EST

I can't automate the production of a device from a blueprint

You can certainly automate the production of a physical device from a blueprint. The first example that came to mind was this sort of widget. I also recall touring a high-tech metal working plant where they had machines that you fed a blueprint and got a finished component. The operator did not need to know anything at all about what it was that it was making. Aside from the expense involved and the fact that it's a good, moral, upstanding corporation instead of dirty little criminal-citizens like you and I, how is this fundamentally different from a compiler?

If we assume that satellite signals should be restricted to those who have permission to receive them

Except that's so stupid! The signals are already here in my house, in my very body! When you use a wireless medium, you simply can't expect or demand that _only_ authorized receivers will receive it. Everyone in range who isn't in a Faraday cage is going to receive it, whether you like it or not. That we need special equipment to 'see' it is irrelevant. Many people lack highly developed equipment for receiving visible light signals (i.e., they're blind) which is often used to transmit copyrighted material, yet people working on artificial eyes are not prosecuted for making devices for interception of such signals. It's like trying to tell people, "You are not allowed to see the world around you".

then applying a law to prevent tampering with equipment to enforce this law is reasonable

Even if I _own_ the receiving equipment? How is that ever reasonable?

---
If you can't learn to do something well, learn to enjoy doing it poorly.

Dyolf Knip
[ Parent ]

DMCA (5.00 / 2) (#19)
by Merk00 on Thu Feb 20, 2003 at 11:14:19 AM EST

Contrary to what some people would have you believe, the DMCA does not prevent the spreading of information on how to circumvent copyright protection systems. It does prevent the producing, distributing, or trafficking in products or services that circumvent copyright protection systems. It doesn't prevent the spread of information. That would likely run afoul of first amendment protections.

------
"At FIRST we see a world where science and technology are celebrated, where kids think science is cool and dream of becoming science and technology heroes."
- FIRST Mission
[ Parent ]

Re: DMCA (5.00 / 1) (#23)
by sjmurdoch on Thu Feb 20, 2003 at 12:32:05 PM EST

I am not a lawyer, but the DMCA did seem to be effective in preventing Professor Felten from giving his talk on SDMI, not that it made much difference in the long run.
--
Steven Murdoch.
web: My Home Page
[ Parent ]
Felten (none / 0) (#26)
by Merk00 on Thu Feb 20, 2003 at 12:55:16 PM EST

Did you notice that the case with Professor Felten never went before a Judge? That's right. It was simply the RIAA issuing a threatening letter to Professor Felten. The RIAA misconstrued the DMCA to prevent the spread of information but it specifically provides exceptions for academic research.

------
"At FIRST we see a world where science and technology are celebrated, where kids think science is cool and dream of becoming science and technology heroes."
- FIRST Mission
[ Parent ]

Re: Felten (5.00 / 1) (#31)
by sjmurdoch on Thu Feb 20, 2003 at 01:24:49 PM EST

Did you notice that the case with Professor Felten never went before a Judge?
I realise that, but regardless of what the law says it was still effective in preventing him from speaking.
--
Steven Murdoch.
web: My Home Page
[ Parent ]
Rather, (none / 0) (#24)
by it certainly is on Thu Feb 20, 2003 at 12:36:19 PM EST

it only prevents the spread of information if a corrupt judge deliberately misinterprets the DMCA to please his paymasters.

kur0shin.org -- it certainly is

Godwin's law [...] is impossible to violate except with an infinitely long thread that doesn't mention nazis.
[ Parent ]

Device (none / 0) (#27)
by Merk00 on Thu Feb 20, 2003 at 12:56:05 PM EST

A piece of software is conventionally and legally considered a device. Hence, it fits the description of a banned device under the law. It would've required a somewhat novel application of the first amendment to computer source code to have made DeCSS legal.

------
"At FIRST we see a world where science and technology are celebrated, where kids think science is cool and dream of becoming science and technology heroes."
- FIRST Mission
[ Parent ]

Not software, but _source code_. (none / 0) (#35)
by it certainly is on Thu Feb 20, 2003 at 02:08:18 PM EST

If I distributed the plans for a nuclear bomb, that would be OK, but if the nuclear bomb included software control and I gave out the source code, that would legally be a "device"? Surely not - a third party would actually have to COMPILE or ASSEMBLE that source code as part of building the bomb.

What is the difference between giving information in formally specified plain English in a text file as to how the CSS algorithm works, and giving information in standard C format in a text file as to how the CSS algorithm works? Neither are in the computer's machine language. Neither can be directly used as computer software. If I expressed it purely as a mathematical function, is that a device?

I blame the patent office for corrupting the idea of a "device" to allow software and algorithms to be patented, which was explicitly not permitted, as they were obviously not devices.

If I developed a compiler for plain English, does that suddenly make all the free-speech protected plain English descriptions of the CSS algorithm into evil illegal DMCA-restricted devices?

I'm sorry, but I get angry when a bought judge applies bought law to help moneyed interests maintain their monopolies and attack programming freedom.

kur0shin.org -- it certainly is

Godwin's law [...] is impossible to violate except with an infinitely long thread that doesn't mention nazis.
[ Parent ]

please read the DMCA (2.71 / 7) (#21)
by Work on Thu Feb 20, 2003 at 12:28:08 PM EST

before making stupid comments like this.

kthx.

[ Parent ]

that helps (none / 0) (#37)
by coderlemming on Thu Feb 20, 2003 at 03:11:35 PM EST

I'm sure the DMCA is huge.  I haven't read it.  Your comment does nothing to stimulate conversation except try to tell people you know more than them... could you, perhaps, highlight why you feel the DMCA wouldn't apply in this case?


--
Go be impersonally used as an organic semen collector!  (porkchop_d_clown)
[ Parent ]
It's not huge. (2.33 / 3) (#40)
by Work on Thu Feb 20, 2003 at 03:25:54 PM EST

A few pages. Pretty easy read. Go look it up.

Someone else already pointed out why it doesn't apply.

[ Parent ]

I was justifying my 1.00 rating out loud (n/t) (none / 0) (#42)
by coderlemming on Thu Feb 20, 2003 at 03:33:35 PM EST




--
Go be impersonally used as an organic semen collector!  (porkchop_d_clown)
[ Parent ]
Did you read his website? (none / 0) (#33)
by gordonjcp on Thu Feb 20, 2003 at 01:46:10 PM EST

Because if you did, you'd see he's in the UK. Where we don't have your stupid USian laws. We do have a government that's more-or-less accountable to the people though (the proposed terrorist attacks on Iraq notwithstanding), and if that fails we have guns.

Give a man a fish, and he'll eat for a day. Teach a man to fish, and he'll bore you rigid with fishing stories for the rest of your life.


[ Parent ]
We have guns? (none / 0) (#38)
by oldmanshands on Thu Feb 20, 2003 at 03:22:39 PM EST

Not very many people I know here have guns...short of farmers with shotguns I'm not sure of anyone in fact.

[ Parent ]
So does that make him (none / 0) (#45)
by FieryTaco on Thu Feb 20, 2003 at 03:45:37 PM EST

Being from the UK, does that make him an UKian? And subject to all their stupid laws?

[ Parent ]
Yup... (none / 0) (#54)
by gordonjcp on Thu Feb 20, 2003 at 06:23:50 PM EST

... a UKian subject to all the stupid UKian laws. However, at least we have free speech, and despite what President Blair would have you believe, we don't shit ourselves over terrorism.

Give a man a fish, and he'll eat for a day. Teach a man to fish, and he'll bore you rigid with fishing stories for the rest of your life.


[ Parent ]
Oh yeah? (none / 0) (#59)
by FieryTaco on Thu Feb 20, 2003 at 07:20:42 PM EST

Go talk bad things about the christian church in front of your local prosecutor, or whatever they call them on your side of the water. ICYDNK, Britain has a defamation law against that particular thing. Kind of stupid to say you got "free-er" speech than some other country, when you've got your own stupid things you aren't supposed to talk about. Thank you.

But I was mainly trying to point out the wrongness of calling anything "USian". While there are more parts to the Americas than just the USofA, it is standard practice world-wide that things of and relating to the USofA are called "American." Other parts of the American continents have their own words to show relation, Canadian, Mexican, Nicaraguan, Venezuelan, Brazilian, etc. Yes, I know it's a lost cause to explain to a K5ian that USian isn't a word/phrase. But I'm just trying to think of the children and help them avoid looking ignorant when writing.

[ Parent ]

Actually... (offtopic and a bit meta) (none / 0) (#65)
by gordonjcp on Thu Feb 20, 2003 at 07:58:48 PM EST

I think the whole USian/UKian thing is more like a term of lighthearted abuse. I suppose, it would take someone from the birthplace of the whole "political correctness" thing to be offended by it. Be thankful you're not German, DEian sounds like a weird cult.
Incidentally, I'm not sure what you mean when you say "Go talk bad things about the christian church in front of your local prosecutor..." here. Yes, there are anti-defamation laws, but that wouldn't apply here. I think you're getting confused on the issues with libel laws - in the UK you have to be pretty damn sure of yourself before you say anything libellous, because the law is very firmly stacked in the plaintiff's case. For example, I could say "trhurler is a flaming moronic goatfucker", but unless I can prove in court that he is both flaming and moronic, and fucks goats, I could be done for libel. And rightly so.
You may be confusing it with the "blasphemy" laws that people like to trot out to give an example of how screwed up British Law is. For one, I believe it only applies in England now (though I could be wrong) - remember that Scotland and England are very separate countries - and attempting to try somebody under the blasphemy laws now would be a bit like attempting to try them for witchcraft.

Give a man a fish, and he'll eat for a day. Teach a man to fish, and he'll bore you rigid with fishing stories for the rest of your life.


[ Parent ]
"Free Speech" (none / 0) (#81)
by FieryTaco on Fri Feb 21, 2003 at 02:00:08 PM EST

Actually, I'm referring to the fact that the UK has some rather interesting laws restricting free speech. One of them is that you cannot write/say bad things about the Christian church. It's in the laws. So I always find it funny when people criticize the US's idea of free speech, when their own country has some rather strange stuff. Anyway, take care. Enjoy your weekend, etc.

[ Parent ]
Nonsense. (none / 0) (#86)
by gordonjcp on Fri Feb 21, 2003 at 07:03:07 PM EST

That's what I was referring to - the laws are something like 200 years old. Attempting to use them would be rather like trying to burn witches. Tell me, does the US not have any obsolete laws?

Give a man a fish, and he'll eat for a day. Teach a man to fish, and he'll bore you rigid with fishing stories for the rest of your life.


[ Parent ]
No.. (5.00 / 1) (#89)
by dublet on Sat Feb 22, 2003 at 02:16:53 PM EST

because they haven't had law for that long.

Badger. Badger. ←
[ Parent ]
US obsolete laws (none / 0) (#97)
by lunatic on Mon Feb 24, 2003 at 04:28:22 PM EST

Amendment I

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.

Amendment IV

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Amendment VI

In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the state and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the assistance of counsel for his defense.

[ Parent ]

Then what copyright exactly... (none / 0) (#75)
by Mysidia on Fri Feb 21, 2003 at 01:29:51 AM EST

Does this system he might have been distributing information on how to circumvent protect?

Some how... I doubt that a 4-digit numerical value is subject to copyright, or for that matter, what it controls access to.



-Mysidia the insane @k5
[ Parent ]
Interesting attack (4.33 / 3) (#28)
by epepke on Thu Feb 20, 2003 at 12:59:41 PM EST

However, it only appears to affect PINs that are the product of the bank's applying a hash function to the account number printed on the card, which any fool could predict is a dangerous practice.

It does, however, explain one thing that has puzzled me for years. When I get a bank account in England, they have traditionally given me the PINs for the accounts (I gave up using the cards many years ago for that reason--besides, it's a lot easier to cash cheques in the U.K. with a Cheque Card). My U.S. accounts have always involved my choosing my own PIN. Of course, this has potential security problems of its own, but they're different. So now this report comes out of the U.K. Presumably, then, hashed PINs are more common a practice in the U.K.


The truth may be out there, but lies are inside your head.--Terry Pratchett


Re: Interesting attack (5.00 / 2) (#30)
by sjmurdoch on Thu Feb 20, 2003 at 01:21:35 PM EST

So now this report comes out of the U.K. Presumably, then, hashed PINs are more common a practice in the U.K.
No. Most banks in the UK allow you to pick a PIN number, and just like in the US the way this works is your "natural" PIN number is calculated from your account number, by DES encryption, not by a hash function. Then an offset is stored on your card which is the difference (mod 10) between your chosen PIN and your natural PIN. See the linked article on Cryptome for details. This problem affects all the major crypto co-processor vendors and so the vast majority of banks, since even if they do not use this function of the cryptoprocessor it still exists in it.

If anything banks in the US will be more vulnerable than the UK since I believe more of their cash machines work offline, which was the original motivation for using such a scheme. However interestingly this affects US customers less directly since I believe that US banks are responsible for absorbing more of the costs of fraud than UK banks.
--
Steven Murdoch.
web: My Home Page
[ Parent ]

Oh (none / 0) (#32)
by epepke on Thu Feb 20, 2003 at 01:25:51 PM EST

This sucks, then.


The truth may be out there, but lies are inside your head.--Terry Pratchett


[ Parent ]
Use Microsoft's mSQL! (1.00 / 13) (#29)
by MickLinux on Thu Feb 20, 2003 at 01:17:51 PM EST

I would like to propose that the office of Homeland Security should also stimulate the economy by using mSQL as opposed to other [sometimes free] solutions for their database.

In fact, this will have additional benefits as they further stimulate the economy each time a new mSQL worm comes out!

And then, when taxes have eaten up all of private industry, because the economy was so stimulated, and the government owns everything, we can all have a nice Soviet-style rot around the campfire, watch our nuclear reactors implode, and advance our technology to the latest horse and plow.

I like this idea of stimulating the economy.  Please!  More taxes!  I like it!  Ow! Ow!

Learn from the Egyptians: they saw every one of their gods killing them. When you make a false god your idol, it starts to kill you. Doesn't matter i

So, 4 digit keys are easy to break... (4.66 / 6) (#34)
by porkchop_d_clown on Thu Feb 20, 2003 at 01:55:41 PM EST

No surprise. The real issue isn't that PINs are short (humans can't remember more) but that there isn't a second "secret" on the card itself. The fact that you can create a bogus card knowing only the account # and the pin # is the real weakness.


--
You can lead a horse to water, but you can't make him go off the high dive.


This has always been true. (4.00 / 1) (#36)
by wumpus on Thu Feb 20, 2003 at 02:15:56 PM EST

An Apple II (available when ATMs were introduced) could break a 4 digit key using brute force methods. Why would anyone look for a backdoor when the front door is wide open?

Wumpus
Sorry for commenting on a comment I rated, but this whole article is silly.

[ Parent ]

Read the report. (none / 0) (#39)
by mdpg on Thu Feb 20, 2003 at 03:23:45 PM EST

If you had read the report, you would have known the reasoning: using brute force, a criminal could break about 24 accounts during a 30 minute period; using the new method, a criminal could break about 7000 accounts in the same time.

[ Parent ]
Still doesn't matter. (none / 0) (#68)
by wumpus on Thu Feb 20, 2003 at 10:01:15 PM EST

OK, I read it.

This is the type of mathematical silliness that pervades the cryptographic community. The question comes down to: does it take 2 hours or 2 weeks to break the PINs of the bank's complete customer list? Note that the "2 weeks" is likely a background task similar to the SETI screensaver.

The bank has your PIN in an encrypted form. There are only 9999 possible combinations. The PIN had to be quickly decryptable using electronics available in the 1980s. There is absolutely no way this system could possibly be secure. The fact that a completely insecure system has a slightly quicker attack may be intellectually interesting, but the actual change of security is zero.

Wumpus

PS. This actually got front page on K5 (which should be at least barely numerate). I now begin to understand the post 9/11 security idiocy I keep hearing about.

[ Parent ]

Just maybe. (none / 0) (#74)
by mdpg on Fri Feb 21, 2003 at 12:15:27 AM EST

Maybe you should try to read the report. It was published by a famous university, and written by people smarter than you.

[ Parent ]
They're smart (none / 0) (#77)
by squigly on Fri Feb 21, 2003 at 08:59:44 AM EST

But highly theoretical.

They could break all those codes in that time. But then we come to other logistical issues - the time it takes to do anything with those figures.  

With a 4 digit code, the only real security is preventing physical access to the encrypted data.  If a number can be guessed in a minute, then the bottleneck is probably in creating and using the card.

I have to wonder how easy it would be to break the DES key using a known plaintext attack, assuming I want to invest in a dozen 3GHz Pentiums to brute force it.

[ Parent ]

Perhaps... (none / 0) (#83)
by mdpg on Fri Feb 21, 2003 at 03:49:10 PM EST

... if you had read the article mentioned, you would know the answer.

[ Parent ]
Does it say so within then? (none / 0) (#85)
by squigly on Fri Feb 21, 2003 at 05:48:34 PM EST

Presumably then, you have read the article, and you know the answer.  

I mean it looked to me like it described a mechanism to guess a key based on a compared with a related potential method to brute force using the same equipment.  

[ Parent ]

Humans can remember more when clumping (5.00 / 1) (#51)
by parliboy on Thu Feb 20, 2003 at 05:48:33 PM EST

Humans generally can't put strings of more than 6 or 7 things into memory together.  That's why you "clump" the things into subgroups, which the brain can then remember as one item each.

This is why 4869586723 would be a horrible thing to try to recall, but (486)958-6723 is relatively easy.

----------
Eat at the Dissonance Diner.
[ Parent ]

555! 555! 555! (none / 0) (#57)
by FieryTaco on Thu Feb 20, 2003 at 07:08:39 PM EST

You just know that whoever owns that particular phone number is going to get a phone call...



[ Parent ]

555? (none / 0) (#73)
by sludge on Thu Feb 20, 2003 at 11:45:35 PM EST

Well, they will now.
SLUDGE
Hiring in the Vancouver, British Columbia area
[ Parent ]
Actually, I understand that (none / 0) (#69)
by porkchop_d_clown on Thu Feb 20, 2003 at 10:14:52 PM EST

That's why I suggested a second secret embedded in the card. That guarantees that the card can't be duplicated by someone who only has the account number and the pin.


--
You can lead a horse to water, but you can't make him go off the high dive.


[ Parent ]
Who's going to pay for it? (none / 0) (#79)
by dipierro on Fri Feb 21, 2003 at 11:37:05 AM EST

For the relatively small number of thieves you'd actually stop, is it cost effective?

[ Parent ]
Unnecessary complexity (none / 0) (#41)
by coderlemming on Thu Feb 20, 2003 at 03:28:16 PM EST

It's kind of interesting that this system wouldn't have this vulnerability without the "decimalization string" concept.  It seems that a lot of security holes come from situations with unnecessary complexity.  Why not just take those first 4 digits in hex, convert to decimal, and modulo by 10000?

Well, since FFFF (65535 decimal) is not an even multiple of 10000, this will weight the numbers under 5536 slightly.  Decimalization, of course, also weights some numbers, but since the decimalization string is unknown, this can't be used in an attack (except by a knowledgeable insider!).  

So, the cryptographic function could have been modified to undo the weighting introduced by taking the first four digits modulo 10000.  Or, we could just assume that if people can memorize their phone number, which is 7 digits, they can remember a 5-digit pin, and then just give them the decimal equivalent of those first 4 hexadecimal numbers.  Alternatively, we could see just how many guesses are necessary, on average,  to guess the 4-digit pin if it's calculated using hex->decimal modulo 10000 (anyone with more statistics background than me wanna step in?).  

The point I want to make is that the security risk happens because someone takes advantage of a "weird" construction, the decimalization string, which is subverted and used against the system to subvert it.


--
Go be impersonally used as an organic semen collector!  (porkchop_d_clown)
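
The question at the end of this comment can be answered by enumeration. This is an added example, not part of the original post, comparing the modulo-10000 idea with a decimalisation table; the table value `0123456789012345` is the commonly used default and an assumption here, since the thread never quotes one.

```python
from fractions import Fraction
from itertools import product

HEX4 = 16 ** 4  # 65536 equally likely values of the first four hex digits


def dist_modulo():
    """PIN distribution when the four hex digits are read as a number mod 10000."""
    counts = [0] * 10000
    for value in range(HEX4):
        counts[value % 10000] += 1
    return [Fraction(c, HEX4) for c in counts]


def dist_table(table="0123456789012345"):
    """PIN distribution when each hex digit is mapped through a decimalisation table.

    The default table is an assumption (see the lead-in); position i of the
    string is the decimal digit that hex digit i is mapped to.
    """
    digit_p = [Fraction(table.count(str(d)), len(table)) for d in range(10)]
    return [
        digit_p[a] * digit_p[b] * digit_p[c] * digit_p[d]
        for a, b, c, d in product(range(10), repeat=4)
    ]


def expected_guesses(dist):
    """Average number of tries when PINs are tried from most to least likely."""
    ranked = sorted(dist, reverse=True)
    return sum(rank * p for rank, p in enumerate(ranked, start=1))


def success_within(dist, tries=3):
    """Chance that the best `tries` guesses contain the PIN (the retry limit)."""
    return sum(sorted(dist, reverse=True)[:tries])


if __name__ == "__main__":
    uniform = [Fraction(1, 10000)] * 10000
    for name, dist in (
        ("uniform 4-digit PIN", uniform),
        ("hex mod 10000", dist_modulo()),
        ("decimalisation table", dist_table()),
    ):
        print(
            f"{name:22s} average guesses {float(expected_guesses(dist)):8.2f}   "
            f"P(hit within 3 tries) {float(success_within(dist)):.6f}"
        )
```

Against 5000.5 guesses for a perfectly uniform PIN, the modulo scheme averages about 4812 and the default table about 3307, so the table is the more biased of the two constructions.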

An Insiders view (5.00 / 17) (#43)
by creo on Thu Feb 20, 2003 at 03:36:36 PM EST

I have been working on bank transaction processing systems for the last 10 years, and have written API interfaces to Racal HSM boxes and interfacing programs to these devices - so I have a pretty good idea about what these guys are talking about.

This attack, though real, is unlikely to be carried out by your average bear. It relies on quite a few things, the most important of which is that the PIN offset method being used is IBM3624 or one of its derivatives. If the Bank was to use something like the Visa PVV method then this is a non issue, as there is no decimalisation table - in fact the decimalisation table is an artifact of the IBM method.

As an aside, so people are aware, the way a PIN is verified is basically as follows. The customer enters their PIN into a secure device (such as an ATM or POS pinpad). This PIN is then, dependent on the PIN method used, transformed into a pinblock encrypted under the terminal master key and forwarded to the Host - this assumes online verification. If the terminal is verifying offline then the Bank deserves to be defrauded. Also read from the customer's mag stripe is the PIN offset. The Host sends this data into the HSM, which then decrypts the PIN block and computes an offset using the entered PIN and PIN key. If the computed offset matches the offset from the mag stripe, then the entered PIN is correct and then the transaction continues. I should point out all computation involving clear keys is done within the HSM - at no time can the key be compromised.

Naturally this is at a high level and I have kind of lumped several operations into one - but it should give the idea. As the authors point out, Banks are in the risk minimisation game. Most places where you enter your PIN, it's 3 strikes and your card is gone - they try to make up for the limitation on the 4 number PIN by restricting bad guys attempts.

Nearly all the Banks I have worked at use the Visa PVV method, as Visa is not happy with the IBM3624 method - and will almost certainly be less happy now. However, many mainframe shops, where the mainframe itself does the transaction processing, probably use this method, and may not even use HSM devices - they are the ones who are most at risk. The phantom withdrawals that the authors mention could quite possibly be caused by an attack such as this - but it would take someone with good understanding and access to audited data streams to accomplish this. So I don't think it is quite as serious as the authors make out.

As far as the Bank calling out the legal attack dogs, well that's another story...

PIN creation, encryption and protection is quite an interesting subject - maybe I should do an article on it...
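
The offset check described in this comment, together with the natural-PIN-plus-offset scheme sjmurdoch outlines earlier in the thread, sketched in Python as an added example that is not part of either post. Assumptions: HMAC-SHA256 stands in for the DES step, the decimalisation table is the commonly used default, the PIN arrives in the clear rather than inside an encrypted PIN block, and `ToyHSM`, the key and the account number are constructed for illustration.

```python
import hashlib
import hmac

# Commonly used default decimalisation table; the thread never quotes one,
# so this value is an assumption.
DEC_TABLE = "0123456789012345"
MAX_TRIES = 3  # "3 strikes and your card is gone"


def _is_pin(text):
    """True for exactly four ASCII decimal digits."""
    return len(text) == 4 and all(c in "0123456789" for c in text)


class ToyHSM:
    """Holds the PIN key; callers get an offset at issue time and yes/no afterwards."""

    def __init__(self, pin_key):
        self._pin_key = pin_key
        self._failures = {}  # account -> consecutive failed attempts

    def _natural_pin(self, account):
        # Stand-in for DES-encrypting the account number under the PIN key:
        # HMAC-SHA256 truncated to 16 hex digits (one DES block's worth).
        block = hmac.new(self._pin_key, account.encode(), hashlib.sha256).hexdigest()[:16]
        # Decimalise the first four hex digits through the table.
        return "".join(DEC_TABLE[int(h, 16)] for h in block[:4])

    def _offset(self, account, pin):
        # Digit-wise difference (mod 10) between the PIN and the natural PIN.
        natural = self._natural_pin(account)
        return "".join(str((int(p) - int(n)) % 10) for p, n in zip(pin, natural))

    def issue_offset(self, account, chosen_pin):
        """Offset to write to the mag stripe when the customer picks a PIN."""
        if not _is_pin(chosen_pin):
            raise ValueError("PIN must be four decimal digits")
        return self._offset(account, chosen_pin)

    def is_locked(self, account):
        return self._failures.get(account, 0) >= MAX_TRIES

    def verify(self, account, entered_pin, card_offset):
        """Compute the offset from the entered PIN and compare it with the card's."""
        if self.is_locked(account):
            return False
        ok = (
            _is_pin(entered_pin)
            and _is_pin(card_offset)
            and hmac.compare_digest(self._offset(account, entered_pin), card_offset)
        )
        if ok:
            self._failures.pop(account, None)
        else:
            self._failures[account] = self._failures.get(account, 0) + 1
        return ok


if __name__ == "__main__":
    hsm = ToyHSM(b"constructed demo key")   # constructed key
    account = "0000123456789012"            # constructed account number
    offset = hsm.issue_offset(account, "7216")
    print("offset on card:", offset)
    print("correct PIN   :", hsm.verify(account, "7216", offset))
    print("wrong PIN     :", hsm.verify(account, "7217", offset))
```

A PIN change only rewrites the offset; the natural PIN stays fixed for the account, which is why the old PIN mailer hollo mentions further down remains sensitive.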

Article (5.00 / 7) (#49)
by jabber on Thu Feb 20, 2003 at 03:52:17 PM EST

I would be very interested in reading it.

[TINK5C] |"Is K5 my kapusta intellectual teddy bear?"| "Yes"
[ Parent ]

I second the motion. (nt) (none / 0) (#56)
by DarkZero on Thu Feb 20, 2003 at 06:59:34 PM EST



[ Parent ]
I third (nt) (none / 0) (#58)
by mrondello on Thu Feb 20, 2003 at 07:11:10 PM EST



[ Parent ]
And I fourth (none / 0) (#62)
by thenerd on Thu Feb 20, 2003 at 07:24:24 PM EST

It would be very interesting if you can explain this (hopefully without breaching your contractual obligations)

[ Parent ]
wow (none / 0) (#60)
by wbajzek on Thu Feb 20, 2003 at 07:22:18 PM EST

So, they go through all that effort to protect your PIN number at the ATM, but then they send it to you in plain text through snail mail, always in one of those highly recognizable envelopes that seem to only ever be used for PIN numbers...

[ Parent ]
And worse... (none / 0) (#63)
by hollo on Thu Feb 20, 2003 at 07:31:50 PM EST

if what I've read in the other comments is true then your pin stays the same for ever more. Not literally, but if you find someone's card you can read the pin offset off it, and if you know their initial pin you can work out their new one.

I normally change my pin and then bin the piece of paper - didn't occur to me that it might still have useful information on it after the pin had been changed.

[ Parent ]

Comment (none / 0) (#67)
by Sepper on Thu Feb 20, 2003 at 09:34:04 PM EST

I would also find it interesting to read an article about those ATMs, considering I once had keyboard access (because the maintenance staff didn't do their job right) to one ATM machine and I was wondering what kind of damage could have been done, considering that the machine was in our engineering school... (and that there was supposed to be a big party several hours later)

[ Parent ]
You'll note... (none / 0) (#90)
by rodgerd on Sat Feb 22, 2003 at 04:02:03 PM EST

...that after exhaustively documenting the flaw in the old (and mostly obsolete) black boxes, they mention in section 5 that they've adapted it for the Visa scheme. So it would appear that there aren't systems that are safe from some variant on this.

[ Parent ]
You are confusing device with PIN method (none / 0) (#93)
by creo on Sun Feb 23, 2003 at 06:26:23 AM EST

Section 5 refers to the VSM - Visa Security Module. I believe the VSM is the Visa implementation of HSM devices used by Visa for their interchanges - Europay runs a similar service. If the VSM is using the IBM3624 offset method then yes, it will suffer the same vulnerability.

I was talking about a different PIN calculation method. The Visa PVV method does not use a decimalisation table, and thus is not vulnerable.

Cheers
Creo

[ Parent ]

They claim they have used the technique... (none / 0) (#99)
by rodgerd on Sun Mar 02, 2003 at 07:21:36 PM EST

...on the VSM. While VISA have essentially deprecated the IBM3624 by refusing to process transactions from ATMs and similar devices unless they implement the algorithm embedded in the VSM, the point in section 5 alludes to the idea they've applied a variant of the technique to VSMs.

[ Parent ]
Cover it up? Yeah right... (4.33 / 3) (#44)
by Gooba42 on Thu Feb 20, 2003 at 03:36:43 PM EST

How the hell would covering it up help anything? If they suspect insiders of being the ones to be exploiting this, then they're not saving themselves anything by keeping outsiders from being aware of threats to their finances. The only effect that would have is to protect those who would exploit these holes.

The problem wasn't discovered because it was published, it was discovered because it existed.

Well (3.33 / 3) (#46)
by jabber on Thu Feb 20, 2003 at 03:47:20 PM EST

Keeping the public in the dark would let the banks avoid responsibility. If customers don't know about this problem, then a) if they lose money, they're more likely to play along with what the bank says, and b) even if they don't lose money, they're less likely to demand that the bank spend money to fix the problem.

It's not security through obscurity at all. It's more liability avoidance that's going on here.

[TINK5C] |"Is K5 my kapusta intellectual teddy bear?"| "Yes"
[ Parent ]

liability (5.00 / 1) (#47)
by coderlemming on Thu Feb 20, 2003 at 03:48:45 PM EST

It's not just a bank full of corrupt insiders that's trying to prevent disclosure. The bank as a whole wants to prevent information leaked that would give people the idea that the ATM network is anything but a fortress of security. Two reasons:
  1. Customers feel better about the business if they have an illusion of higher security
  2. The bank is less liable if, as mentioned in one of the links, they can just say that the customer must have made the "phantom transaction" because the ATM network is secure. If they lower the amount of people that hear about this recent vulnerability, they have more of a chance of blaming customers for phantom transactions in the future.

And, of course, as you pointed out, the corrupt insiders want less disclosure so they're not found out.


--
Go be impersonally used as an organic semen collector!  (porkchop_d_clown)
[ Parent ]
Wider View (4.00 / 1) (#55)
by DarkZero on Thu Feb 20, 2003 at 06:56:24 PM EST

How the hell would covering it up help anything? If they suspect insiders of being the ones to be exploiting this, then they're not saving themselves anything by keeping outsiders from being aware of threats to their finances. The only effect that would have is to protect those who would exploit these holes.

Most security vulnerabilities do not spread far beyond security professionals and computer geeks, but every once in a while a news reporter will decide, "Hey, this is kind of interesting. I bet I can make this tonight's 'Is <Innocuous Thing> going to kill you and/or ruin your life and/or have its way with your wife and daughter? News at eleven!' story." If this becomes a national news story, the bank might as well just kiss its profit margin goodbye. Bank accounts will be switched, new accounts will not be opened, and people may still remember the news story two or three years from now.

It's a slim chance, but it's one that every corporation would rather avoid.

[ Parent ]

Do they have the right? (none / 0) (#98)
by Gooba42 on Wed Feb 26, 2003 at 05:51:43 PM EST

Given that we're in a supposedly, mostly, Capitalist economy here, but do they have the right to protect their business at the expense of the public good? Understandably, they want to protect their assets but is this a good way to go about it?

Particularly now that the leak has already been made, I'd think it's in their best interest to tell the public "we know about the problem and we're working to fix it" rather than "we know about the problem and we'd really rather you didn't know about it".

As far as security goes, if you claim to be 100% secure, I'll laugh at you. If you tell me you've had some problems and you fixed them, then I'll lend you some credence. If you tell me you've never had a problem then you can kiss my business goodbye.

[ Parent ]
Physical Security (4.00 / 1) (#48)
by wpidalamar on Thu Feb 20, 2003 at 03:50:30 PM EST

Isn't the first task in securing *ANY* computer system physical security? If we can't trust the people working on ATMs, they shouldn't be working on them. I'm sure there's more than one way to steal money from an ATM if you have access to its internals. This just sounds like one that would go unnoticed until customers report it.
Geek4.com... news by anyone.
Re: Physical Security (5.00 / 1) (#52)
by sjmurdoch on Thu Feb 20, 2003 at 06:09:44 PM EST

Isn't the first task in securing *ANY* computer system physical security?
In many situations yes, but in some cases this is not feasible. A bank with thousands of ATMs cannot ensure the physical security of every one. Every so often someone will steal an ATM and blow the door with high explosives. Hopefully the protection will kick in and cover most of the money with dye but sometimes some thief will get away with it and steal the money in an ATM. Also there are many people with physical access to an ATM, occasionally one of these will go crooked and steal money out of them - they probably will be caught and will be fired. In both cases the bank recognises a fraud has taken place and absorbs the cost.

However banks recognise that sometimes people with physical access to an ATM will go bad (there are thousands in every bank), so for this reason they have a crypto co-processor inside which processes all confidential details. These are well protected and tamper resistant and I know of no physical attack which will allow confidential details to be extracted from one such device - the IBM 4758.

Banks rely on these being tamper proof. And were the implementation correct an employee with physical access to an ATM would only be able to steal the contents of that ATM and would probably be caught. With this new attack an employee could make many withdrawals which that bank has no way of knowing are fraudulent (they use the correct mag stripe and the correct PIN).

Perhaps this already goes on, and perhaps the customers have noticed it in the many "phantom withdrawal" cases. However because the banks rely on the security of the cryptoprocessors they deny that such withdrawals can take place. The gagging order would seek to keep this fact hidden.
--
Steven Murdoch.
web: My Home Page
[ Parent ]

Just in case (4.90 / 11) (#50)
by Taral on Thu Feb 20, 2003 at 04:00:25 PM EST

In case it disappears:

freenet:SSK@DTcxvy9Qm3uVTTt3Nv4oVTG6~0oPAgM/UCAM-CL-TR-560.pdf

Holy Crap (4.00 / 1) (#61)
by BCoates on Thu Feb 20, 2003 at 07:24:06 PM EST

That actually worked for me.  I've never seen a "just in case, here's a link to freenet" link in an article comment actually function before.

Good job, sir.

--
Benjamin Coates

[ Parent ]

Prevent public disclosure? (4.00 / 1) (#64)
by khym on Thu Feb 20, 2003 at 07:41:14 PM EST

So, are the banks asking a gag order on how the vulnerability works (security through obscurity), or are they asking that the existence of the vulnerability itself not be disclosed?

--
Give a man a match, and he'll be warm for a minute, but set him on fire, and he'll be warm for the rest of his life.
How an attack would work (5.00 / 3) (#66)
by bsimon on Thu Feb 20, 2003 at 09:23:13 PM EST

How an attack would work (please correct where wrong...)

To carry out this attack, you need repeated, unobserved access to a vulnerable HSM (Hardware Security Module - the electronics that verifies a PIN number is correct for a particular account number). If a bank is using offline verification, maybe an outsider could steal an ATM machine, or at least an HSM, and use it to generate PINs from account numbers? Are some banks really using offline verification of ATM PINs? Sounds like total madness...

Otherwise, only an insider, or someone who gets the same access as an insider, could exploit this vulnerability. As follows...

  1. The attacker makes a list of valid account numbers (at a bank which uses the vulnerable HSM for PIN verification, of course).

  2. The attacker somehow connects to a bank HSM, using
     a. A built-in test or PIN verification function, or
     b. A new, hidden program inserted into the bank's computers, or
     c. Hardware which connects directly to the network, perhaps masquerading as an ATM (or better, multiple ATMs)

  3. The attacker, or his software, begins feeding sets of a/c numbers, PINs, and decimalisation tables to the HSM. By varying the decimalisation table each time using the algorithm described, it's possible to discover the correct PIN number for any account in an average of 15 guesses.

     a. In general, to avoid raising suspicion, the attacker might stop trying to guess the PIN for an account if the first two attempts fail. If there are hundreds of thousands of accounts to try, discarding 90% of them isn't a problem.

     b. The bank will probably have security systems which sound an alarm when repeated failed attempts are made to verify the PIN for a single account. They certainly will if the attempts appear to be coming from an ATM.

     It's suggested in the paper that the attacker's software could actually monitor the ATM network, wait for the real customer to start using an ATM, and insert a couple of PIN verification attempts into the data stream ahead of the customer's.

     The attacker could also evade this security check by spreading the PIN-guessing attempts for any one account over days or weeks, so that the real owner of the card would have time to use the card in between. One possible problem here is that ATMs in some countries won't release the card until a correct PIN is entered. In that case, a gap of hours or days between PIN attempts should, in theory, alert the bank.

     c. If the bank is monitoring for repeated incorrect PINs from a single source (whether they are PINs for a single bank a/c or many), the attacker would need to be able to impersonate multiple sources, most likely ATMs.

  4. Having discovered the PIN numbers, the attacker makes his own ATM cards later and he, or accomplices, uses them, along with the PINs, to withdraw cash as frequently as he thinks is safe.

  5. Profit! (sorry...)

If this vulnerability is actually being exploited in the real world, I would expect that, sooner or later, someone will use it to steal a large sum of money from many accounts in a short time. The reason being that they expect to get caught eventually, so they just grab as much money as possible and flee. Have there been news reports of hundreds of accounts being drained over a period of a few days through ATMs? I don't recall any.

you have read my sig

3a wouldn't work (none / 0) (#70)
by bsimon on Thu Feb 20, 2003 at 10:20:46 PM EST

Occurs to me that 3a, only making a couple of guesses at each PIN, wouldn't work. That's because the chances of guessing the PIN are very low for the first few attempts - the feedback from failed attempts is a necessary part of the process.

you have read my sig

Who is more clueless? (RANT) (3.00 / 2) (#71)
by wumpus on Thu Feb 20, 2003 at 10:28:15 PM EST

<RANT>
1. The bank's lawyers for playing the "security through obscurity card". Or
2. K5, who thought that a security hole in an encryption scheme with a whopping whole 14-bit secret key is worthy of front page.

I would have thought that a requirement for key length would be fairly well known. Limiting keys has always been useful for getting spooks to allow you to export product, since they can break a 40-bit key without breaking a sweat. A 40-bit key is 67 million times more secure than a 14-bit (4 digit) key (the difficulty in brute force attacks doubles for each bit).

The idiocy involved in post 9/11 "security" systems makes more sense if the supposedly numerate K5 members voted this up.
</RANT>

Wumpus

PS. I admit this is rather late. porkchop_d_clown pointed out the security, I just had to rant about what this implied on the community for getting FP.

Drudgery in reporting.. (none / 0) (#72)
by hidflect on Thu Feb 20, 2003 at 10:46:14 PM EST

There was a report [02/20] briefly on DrudgeReport about a million "credit card numbers stolen" vanishing shortly before I could even read it. This debate eases my self-suspicions of paranoia while noting other stories touching US Special Interests have taken to hastily disappearing in similar "blip" fashion over recent years. It seems the media will claim due diligence in reporting ALL legit news since no clause says for how long. FBI probing theft of 8 million credit card numbers... ^ Rank: 176 First Appeared: GMT http://www.drudgereportarchives.com/data/2003/02/20/20030220_023822.htm ^

Launching points (5.00 / 1) (#76)
by faets on Fri Feb 21, 2003 at 01:42:35 AM EST

I think people are concentrating too much on gaining access to the online verification from where ATMs are located.

It is much easier than this. Most shops (at least here in Australia but I'm sure it's global) have Point of Sale systems that would allow remote exploitation of this flaw. At least from my understanding of the paper.

As a side note here in Australia the EFTPOS (Electronic Funds Transfer - Point of Sale) system uses an X.25 network (called 'Tran$end' - seriously) and operates over a normal phone line.

So "malicious insiders" could be considered to include basically any shop employee and even worse anyone that can gain access to a phone line that an EFTPOS machine is hanging off.

It's their problem (none / 0) (#78)
by dipierro on Fri Feb 21, 2003 at 11:31:55 AM EST

This case raises the question of vulnerability disclosure policy: Whether the banks should be forced to improve the security of their systems (through market pressure or regulatory intervention) or whether they should be permitted to cover up the flaws.

If someone gets money out of my bank account illegally, it's the bank's problem (and possibly the FDIC's), not mine. They can cover up whatever they want about it, as long as they put the money back in my account as they are required to by law.



Re: It's their problem (none / 0) (#80)
by sjmurdoch on Fri Feb 21, 2003 at 01:33:35 PM EST

If someone gets money out of my bank account illegally, it's the bank's problem
It should be - but say the bank accuses you of fraud (remember the fraudulent transaction uses your PIN and a card with the same magstripe as yours). Then you end up in court.

In previous cases in the UK the banks have stated that their systems are not vulnerable so any transaction must have been authorised by the account holder - this seems not to be true.
--
Steven Murdoch.
web: My Home Page
[ Parent ]

OK, well, *that* would be bad (none / 0) (#82)
by dipierro on Fri Feb 21, 2003 at 03:09:58 PM EST

It should be - but say the bank accuses you of fraud (remember the fraudulent transaction uses your PIN and a card with the same magstripe as yours). Then you end up in court.

Well, I certainly don't think they have the right to coverup any exculpatory evidence they have if they take you to court. But that's not really what is happening here, is it?

I think they'd have a damn hard time proving a court case against me, even in civil court where "beyond a reasonable doubt" isn't necessary.



[ Parent ]
I think most people object (none / 0) (#91)
by levesque on Sat Feb 22, 2003 at 08:20:05 PM EST

because the banks' first response is "it can't happen here" and at this stage the average senior, busy or challenged person gives up, the banks save a lot of money this way and a lot of people think this is a form of abuse and should be illegal or whatever.

[ Parent ]
Depends on the Country (none / 0) (#100)
by philwise on Sat Mar 08, 2003 at 06:46:06 AM EST

Banks in the US are in a much weaker position legally than in the UK. In the US the first case was lost by the bank, with the judge basically ruling that 'The ATM said so' was not legally strong enough. In the UK this was the other way round, and the burden of proof over here is on the customer.

Interestingly this results in fewer phantom withdrawals in the US than in the UK, because the banks lose out in a big way in the US, so they are under economic pressure to keep their systems secure. In the UK the pressure is regulatory, and thus not as powerful.


--
(presenter) "So, altogether now, what are we?"
(audience) "We are all Free Thinkers."
[ Parent ]
Another theory to rip off ATMs: Could this work? (none / 0) (#84)
by knave on Fri Feb 21, 2003 at 04:13:37 PM EST

I only briefly read the PDF and I'm definitely not an expert in encryption or the process of how an ATM authenticates transactions. I have a theory however...

When you use an ATM, your PIN number and your requests are sent remotely through a dial-up connection.

If one placed a gateway device between the ATM and the phone jack, it should be possible to intercept/log the conversation between the ATM and the Bank computer authenticating your request.

Using the information of how the ATM and the bank communicate, would it then be possible to have your gateway device mimic the Bank? When the ATM goes to dial-up the bank it's really just connecting to your device, which in turn sends the "Verified" signal back to the ATM, thus positively verifying any transaction you make.

An ATM at one our local gas station has a modem that you can hear dial-out. I recorded it and found out the number, but I'm hesitant to establish a connection to it.

Could this ever work?

...but I could be wrong

Hmm - not likely (4.50 / 2) (#88)
by wayreth on Fri Feb 21, 2003 at 08:21:31 PM EST

I doubt it would work the way you'd want it to anyway. I can't imagine that the data between the ATM and the bank is not encrypted, and you'd need the keys - at least once the ATM was at a point to send any transaction information along.

That's not what this vulnerability is about.

The bank has an HSM somewhere, a box that has physical countermeasures and a bunch of other software countermeasures for auditing and what not and is used to store the very secret data like pin numbers and the like. This box exists to prevent the programmers and engineers for the system from typing 'select * from tbl_pin_numbers' or whatever.

The HSM has an API for which to access pin numbers, and in the general non-trusted mode it is just a SUCCESS/FAILURE mode thing - you ask it whether the pin passed is correct, and it replies yes or no. Generally it would be ineffectual for a bank insider to try to ask the HSM about all 9999 (or whatever) possible pins because there are probably auditing procedures running to alert security about such an attempt, and that it is not a fast enough operation that it could be done quick enough to thwart such notice.

To understand the exploit you need to know a bit how pins work, and I'll totally simplify it from the article. Basically they take your account number, pretend it is a big hexadecimal number, and encrypt it with one of their keys. They take the resultant cypher-text and extract the pin from the first four digits.

That number is HEX though, so it could have A-F in it like 123A or 4B2F. So the system uses a table to map the digits in the pin into base ten digits. The table allows you to explicitly map every digit, you can say 1=2, 2=3, 4=1, a=2, b=4, c=5, d=9, etc... so 123A becomes 2312, etc..

The problem is that the HSM allows you to pass in this table as part of the verification routine! So, using clever methods you can determine the correct pin by trying different tables.

Their best method reduced the number of tries to get a pin from ~5000 to 15.

SO - this isn't a vulnerability that someone can exploit at an ATM, it is a vulnerability that a bank insider can exploit because they have access to their HSM.

That is my understanding of how it works anyway.

oh - and I would recommend not dialing that number, and keeping your mind off of it as much as possible since I understand how tempting such things can be.. :)

Quite honestly the reason to be upset about this is not that there is a flaw with HSM's and ATM PINs, it is because citibank wants to try to get a gag order silencing the researcher who found it. At least, IMHO.

[ Parent ]
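The derivation wayreth outlines above, together with the offset hollo and creo mention, as an added example that is not part of any comment or of the paper: it puts a verify call that takes the decimalisation table from the request beside one that refuses any table other than the configured one, and flags non-standard tables in an audit trail. HMAC-SHA256 stands in for the DES encryption, and the key, table, account numbers, function names and audit-line format are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Everything below is constructed for illustration; none of it comes from a real HSM.
PIN_KEY = b"constructed-demo-pin-key"
STANDARD_TABLE = "0123456789012345"  # hex digits 0-F -> decimal digits (assumed bank-wide table)


class TableRejected(Exception):
    """Raised when a request carries a decimalisation table the device does not trust."""


def natural_pin(account: str, table: str, key: bytes = PIN_KEY) -> str:
    """Encrypt the account number, keep four hex digits, decimalise them.

    Real devices use DES under the PIN key; HMAC-SHA256 stands in here so the
    example needs only the standard library.
    """
    if len(table) != 16 or not table.isdigit():
        raise ValueError("table must be 16 decimal digits")
    hex_digits = hmac.new(key, account.encode(), hashlib.sha256).hexdigest()[:4]
    return "".join(table[int(h, 16)] for h in hex_digits)


def add_offset(pin: str, offset: str) -> str:
    """Digit-wise addition mod 10: customer PIN = natural PIN + offset."""
    return "".join(str((int(p) + int(o)) % 10) for p, o in zip(pin, offset))


def offset_for(natural: str, chosen: str) -> str:
    """Offset stored for a customer-chosen PIN (digit-wise subtraction mod 10)."""
    return "".join(str((int(c) - int(n)) % 10) for n, c in zip(natural, chosen))


def verify_caller_table(account: str, trial_pin: str, offset: str, table: str) -> bool:
    """Interface shape criticised in the thread: the table is request data."""
    expected = add_offset(natural_pin(account, table), offset)
    return hmac.compare_digest(expected, trial_pin)


def verify_pinned_table(account: str, trial_pin: str, offset: str, table: str) -> bool:
    """Hardened shape: any table other than the configured one is refused outright."""
    if not hmac.compare_digest(table, STANDARD_TABLE):
        raise TableRejected(f"untrusted decimalisation table in request for {account}")
    return verify_caller_table(account, trial_pin, offset, STANDARD_TABLE)


def flag_nonstandard_tables(audit_lines):
    """Return {source: count} of verify requests whose table is not the standard one."""
    hits = defaultdict(int)
    for line in audit_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if fields.get("op") == "verify" and fields.get("dectab") != STANDARD_TABLE:
            hits[fields.get("src", "?")] += 1
    return dict(hits)


# Constructed audit lines in a made-up key=value format.
SAMPLE_AUDIT = [
    "ts=2003-02-20T10:00:01 op=verify src=atm-017 acct=4000001234 dectab=0123456789012345",
    "ts=2003-02-20T10:00:02 op=verify src=host-ops3 acct=4000005678 dectab=9876543210987654",
    "ts=2003-02-20T10:00:03 op=verify src=host-ops3 acct=4000005678 dectab=0123456789543210",
    "ts=2003-02-20T10:00:04 op=keycheck src=host-ops3",
]
```

Because a PIN change only rewrites the offset, the natural PIN printed in the original mailer stays tied to the account, which is why that letter remains sensitive after the change.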

Bank bags from the '70's (none / 0) (#94)
by A Trickster Imp on Sun Feb 23, 2003 at 07:32:45 AM EST

This reminds me of the problem of lockable bank bags for receipts and cash and whatnot.  People could open them without them being locked.

One day I tied the end of a duffel bag's zipper pull, zipped up, to one end of the zipper track and figured out what was going on.  The bags were floppy, so instead of zipping the zipper pull along the zip track, you pulled the zip track thru the zip pull between the pull and where the pull was tied to the bag. In this way you could get the zip pull all the way to the end while it was still simultaneously tied to the beginning.

Does the zip pull have a name?  I know it's not something easy like "finial", the screw cap on the tops of lamps or the ends of shoelaces.

I remember Games magazine having an article about this when I was a child in the '70s.  Snootily, they wouldn't give out the answer as it was only recently a discovered problem, and the banks needed a year or more to replace their bags with even a temporary solution.

[ Parent ]

Webserver seems to be down - new links (none / 0) (#87)
by sjmurdoch on Fri Feb 21, 2003 at 07:50:52 PM EST

The Computer Laboratory webserver (www.cl.cam.ac.uk) seems to be down for unknown reasons.

Mike Bond has made a temporary webpage. The paper on the attack (UCAM-CL-TR-560) is also duplicated.

These URLs are just temporary until the webserver is back up so could disappear at any time.
--
Steven Murdoch.
web: My Home Page

Banks attempt to cover up worst PIN vulnerability yet | 100 comments (80 topical, 20 editorial, 0 hidden)