Schneier on Security
A blog covering security and security technology.
« Danish ATM-Card Skimming |
| Flying Without ID »
March 9, 2006
More on the ATM-Card Class Break
A few days ago, I wrote about the class break of Citibank ATM cards in Canada, the UK, and Russia. This is new news:
With consumers around the country reporting mysterious fraudulent account withdrawals, and multiple banks announcing problems with stolen account information, it appears thieves have unleashed a powerful new way to steal money from cash machines.
Criminals have stolen bank account data from a third-party company, several banks have said, and then used the data to steal money from related accounts using counterfeit cards at ATM machines.
The central question surrounding the new wave of crime is this: How did the thieves managed to foil the PIN code system designed to fend off such crimes? Investigators are considering the possibility that criminals have stolen PIN codes from a retailer, MSNBC has learned.
Read the whole article. Details are emerging slowly, but there's still a lot we don't know.
EDITED TO ADD (3/11): More info in these four articles.
Posted on March 9, 2006 at 3:51 PM
• 54 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Have I understood your books correctly, that the best way to protect a secret is not to keep it in the first place?
Does this mean that stores *record* your PIN when handling ATM transactions? Very troubling, indeed.
I had wondered about this when I had some charges show up on my checking account from a restaurant I had not attended in months. After further review, I discovered that it was also using a debit card that had already expired. I have received no satisfactory response from Washington Mutual when I asked them why their system allowed an expired debit card to be used on my account. Needless to say, I have not requested a new debit card since they just recently axed my current one without giving me a call or anything after I had "contested" the charges. I'm not happy at all and may go back to just using a checkbook.
Your PIN code should not leave the PIN terminal (the box with the numeric keypad) and be cleared there when your transaction is completed. Your PIN code is used in a hash for the transaction which is sent to your bank as a confirmation. I don't believe that stores will get access to your raw PIN, but a 4 digit code is easy to brute-force.
It isn't extremely difficult to rig a PIN terminal so you can collect the magnetic stripe data and PIN code, the hardware is in your store and some small modifications are easily made. Banks are aware if this issue and you'll be nailed for fraud before your hard work has become profitable (data mining for fraud patterns).
Here something else seems to have taken place, I can only speculate but it seems like a large scale hack. It is possible to upload new firmware to a PIN terminal; would that have happened?
I not City customer, but as far I know - City uses PIN's for web access authorization. This is greatly expand attack posibilities.
from the article:
'“But in defense of (the retailer), it’s just using payment software and probably doesn't even know what's in there,��? she said. “The software is storing PINS just because it can. No one is paying attention to this stuff, it's deep in the software.��?'
Ruh? You don't 'just use' EFT software. If that's a software *feature* then the retailer has no excuse for what's going on in there.
"Account holders are liable for only up to $50 of credit card fraud — but consumers can be liable for the entire balance of their bank account after debit card fraud, according to federal banking regulations."
Getting an unlimited supply of PINs probably just requires cracking one DES key. In this day and age cracking a DES key is not a great achievement. See here - http://www.cl.cam.ac.uk/users/rja14/wcf.html - for details of the PIN systems used by various banks. Most use the IBM method listed about a third the way down.
"Does this mean that stores *record* your PIN when handling ATM transactions? Very troubling, indeed."
Well, the article mentioned that they may not be doing this intentionally. Possibly as simple as a case of the software not clearing the PIN when it is done with it, leaving it kicking around in memory. This is probably not going to be a problem with something like the pin-pad terminals that seem to be everywhere lately. But think of something like a real ATM, or a self-checkout machine. Then you've got something a lot more complex that runs long enough it might inadvertantly keep hundreds of PINs around. There might even be a hard drive full of swap space in one of those things.
a retailer who stores PINs which fall into the hands of a criminal should be sued out of business.
I am once again glad that I've turned down repeated attempts by my bank to give me a debit card (rather than simply an ATM card). I've explained to them, each time, that it's a risk I don't want to take.
It's very difficult for me to have sympathy for banks. They deserve whatever they get. Look at the arch theif who runs citibank, Sandy Weil. He is the most clever theif.
Pins are encrypted and sent in the pin block of the message. Each step has a unique and sometimes dynamic DES encryption key. eg pin pad to acquirer is one key and acquirer to issuers is another.
While DES is now reasonable easy to brute force, with dynamic key exchange that is now in place you will not get enough samples to matter.
I doubt that someone has broken the DES encryption to enable such a large exposure.
I would be leaning toward an employee who has access to the authorisation system knew part or all of the complete local key and dumped the network traffic for later processing.
"I not City customer, but as far I know - City uses PIN's for web access authorization. This is greatly expand attack posibilities."
City now uses a 6 digit "ePin" for web access, so stoping someone from using the same number as there card pin. This put this change in the last time they were hit.
My eye falls on a receit of a PIN transaction that I made a month ago. It contains full account and card numbers. If the shop kept electronic records of the transaction, they would be able to clone my card (at least the public information on it). It's so easy to clone cards that the bank wants proof that the correct PIN was entered so it can investigate contested transactions.
The most obvious way to get this proof is with a digital signature scheme, where some PIN-dependent signed hash of the transaction is sent with the transaction data; if the signature matches, the transaction is cleared. (If you include the monetary amount in the hash, certain forms of merchant fraud will become hard.)
What is effectively sent over the wire is the transaction data plus a signature. In maths:
sig = f(trx-data, PIN, pad-secret, card-secret)
The hash function f that is used might be a trade secret, but it should be known to developers of pinpads and banking software; let's assume it is known to attackers of the system. If the attacker knows the pad-secret (or can manipulate it) and the combined entropy of PIN and card-secret is low enough it is possible to brute-force PIN and card-secret. When the attacker can manipulate the communication between bank and PINpad, it's trivial to resign the transaction with the brute-forced PIN.
Feasability of the attack: If there is zero bits of entropy in the card secret, brute-forcing can be done by trying all 10.000 PIN combinations, which should take a fraction of a second on a modern CPU. Interception of communication can take place from the POS terminal all along the network into the bank.
The only solution I would REALY trust, was if I had to type my PIN into a keypad that was part of my card, and the card NEVER gave out the PIN, Chip+Pin helps a lot, as it is match harder to clone a card due to the “Chip��? and what it contains. (You may get Chip+Pin in the USA within the next 50 years)
Citibank seems to be a focus of this attack. Citibank was mentioned frequently in Fahrenheit 911 as a major Saudi-controlled financial interest in the US. The UAE has just decided to give up it's controlling interest in 6 US ports because Congress and the US are screaming their heads off.
There seem to be a lot of related dots here.
I used to write software for payment terminals on gas pumps.
Many people have commented about the encryption of the PIN and the PIN block. These statemens are true, but keep in mind, most of these encryption requirments only apply when the data leaves the internal network and gets sent outside for verification. Internally, things are pretty much left to the discretion and good sense of the implementor. Don't think for a minute that these little pinpad terminals don't spray the typed-in PINs around the retailer's internal network like a hose. If someone ever manages to tap the 0-20 mA current loop or RS485 lines under the forecourt concrete at a large number of gas stations, well, hey, wait a minute...
" Investigators are considering the possibility that criminals have stolen PIN codes from a retailer"
When I mentioned in several banks the fact that chip'n'pin is not safe enough unless the ATM and the retailer PINs are different, they insisted that chip'n'pin is safe.
When I told them that it is very easy to overlook somebody typing in their PIN into the terminal in the supermarket, I was told, that I should look away when people are typing their PIN, and anyway it is useless without the chip on the card.
When I told that it would be easy to nick peoples purses with their card (of which I know the PIN already) while they are busy unloading their shoping troley into their car, I was told that this would be stealing :-o.
@Ian Ringrose at March 10, 2006 04:47 AM
"Chip+Pin helps a lot, as it is match harder to clone a card due to the “Chip��? and what it contains."
You don't need to clone the chip, just copy the magnetic strip onto a clean card and use it with the pin in the ATM. No questions asked, no "hot stuff" to get rid off, you get instant cash!
Well, using fingerprints instead of a PIN is a REALLY BAD IDEA:
Let's think these things through first. If the merchant stores the PIN today, someone can just as easily store the digital product of a fingerprint scan. Once it’s on-the-wire, what’s the difference?
Plus, let's not forget the "unintended consequences" of short sighted "increased" security measures.
Wasn't it you, Bruce, who used the example of a dramatic increase in armed violent carjackings that occurred as car makers implemented better key security.
Why hack the lock when you can put a gun to the head of the hapless driver?
In this case, criminals will either steal the digitized finger scan, or worse:
cut off the finger of the victim.
(or is that a "movie-plot" analysis?)
Depending on the bank's procedure, you don't need to steal any PIN database. When a bank card is made, there is a "default" PIN that can be derived from the information written on the card and "secret" data held by the bank. This applies to every card, even "non-pinned" credit cards -- just because you don't use the PIN, doesn't mean it doesn't exist.
Now lots of banks mail you this default PIN and say "this is your pin". Other banks say "come in and choose a pin". There is nothing about the PIN standard to prevent this, and the PIN you choose can be 4-10 digits in length. Choosing your own 6-8 digit PIN will prevent most thefts, largely because thieves expect your PIN to be 4 digits. You also can't brute force a PIN, because if you get it wrong three times the card is supposed to be deactivated.
Now, a given institution can have flaws, though these are usually well intentioned. Say you are a customer and you forgot your PIN. If you bank at the first kind of institution, you are fine. Call them and they can re-send you the PIN -- customer service! If you at the second bank, you are out of luck. Go to the branch and get a new card. (Or at least they rewrite the stripe, which is the same thing) Angry customer! Still -- I bank at the second type, for obvious reasons. I don't bank with City, but from the concerns I expect they are the first type.
Also, in response to the worries about stores keeping your PIN. Those Point-Os-Sale terminals you see in stores don't actually send the PIN anywhere. They encrypt the PIN using a frequently changed key (daily at a minimum, often with every connection) and transmit that. The encryption is done internally, using hardware, and is hard enough to break, especially for the limited return of only a few PIN numbers. Stealing PINs this way is a "movie-plot" threat. It's far easier just to install a mini-camera and watch the key presses.
Justin Bowler says: "Those Point-Os-Sale terminals you see in stores don't actually send the PIN anywhere. They encrypt the PIN using a frequently changed key (daily at a minimum, often with every connection) and transmit that."
How hard would it be to perform a "man in the middle" attack and set a key of your choice in the POS terminal? It shouldn't be too difficult to steal a dozen POS terminals for reverse engineering and key extraction.
A last point, while lots of people feel paranoid about it, and can point to varying levels of weakness, at it's heart the debit card system is EXACTLY the kind of security that we would like to see in almost everything else:
access = something you have (CARD) + something you know (PIN)
Making the card harder to replicate (by using some sort of chip for example) does nothing at a fundamental level, and is purely a stop-gap measure. Similarly, the networks already use changeable keys. Upgrading the encryption method, changing the keys more frequently, etc. are all just variations on a theme.
Another strength of the system is that it is relatively easy to use. If a security system is too complicated, then honest people will either not use it, or try and get around it, which defeats the whole purpose. As Bruce often points out, if security isn't cost effective (cost=money+time+hassle) then it won't be effective at all.
Adding another level of "something you have", like a fingerprint, will only make the system more expensive, failure-prone, and cumbersome to the end user -- an almost guaranteed failure!
No, the only real problem with the debit card system is institutions with poor procedures (don't let the customer change their PIN) or with ones which break the rules. (storing in flight transaction data) The best solution is one targeted at them. Stronger policing of the rules, and bigger penalties for breaking them, plus put more financial onus on them for fraud. In Canada, all fraudulent transactions over $500 are the bank's problem.
A man in the middle attack is a "movie-threat" plot. If you had a dozen terminals, just go sell t-shirts in a mall. For the price of a few cheap t-shirts, you can get people to swipe their card and enter their PIN right into your database!
You can even print off a receipt to make them feel all warm-and fuzzy inside!
Justin: "the only real problem with the debit card system is institutions ... which break the rules. (storing in flight transaction data)"
As I said in an earlier post, the fraudulent (t-shirt) merchant with just a few PIN terminals can be quickly singled out with some data mining, such an action would give you a dozen or so cards per day.
It's more fun to grab a few hours of transaction data at a transaction processor doing one transaction per second. Yes, it might be a "movie-threat" plot, but it is a possibility. One thing that is becoming clear is that criminals have become more apt at attacking the electronic banking system.
You also say that PIN terminals get a key from (someone) to authenticate transactions. What precautions are there to prevent a third party from interposing and equipping those terminals with their own key? One would assume that a terminal has a "bank certificate" to authenticate the bank in the key exchange... Can this certificate be replaced? Can terminal certificates be extracted?
@ Charles Martin
"...and may go back to just using a checkbook"
I think I would go back to just using a different bank.
Or, stop using debit cards at retail POS.
(Maybe an ATM for cash at a local branch, otherwise use a live teller.)
The dirty little secret is that the Banks have transferred the risk to the consumers.
Think about it:
If your debit card (tied to your PRIMARY checking account) gets compromised, you find out when you start bouncing checks - like the mortgage payment.
(Truth is stranger than fiction - happened to me!)
The sap^H^H^Hconsumer is out the money, and has to wait for the bank to reverse the charges (if lucky) and go without an ATM card for two weeks.
If, on the other hand, your credit card is compromised, you find out when the bill comes, and it's the bank's money. You can dispute the charges, and refuse to pay.
I (like many people?) find it convenient to not carry cash, and purchase gas & groceries with a debit card. The money stays in the bank until the moment I spend it. And it's two-factor auth, unlike a credit card. Sounds great, until it gets compromised.
I still don’t know how my card was compromised. I do know, looking at the transactions, someone had to program a physical card to make it work. Dunno if they snagged the PIN; didn’t matter . . .
@Justin Bowler at March 10, 2006 12:22 PM
"the debit card system is EXACTLY the kind of security that we would like to see in almost everything else:
access = something you have (CARD) + something you know (PIN)"
Yes, but it was changed from something you have (card) + something you are (signature).
The difference is that the "something you are" was checked only occasionally, while the "something you know" is forced to be checked by the hardware.
"Adding another level of "something you have", like a fingerprint, will only make the system more expensive, failure-prone, and cumbersome to the end user -- an almost guaranteed failure!"
If they went from checking the signature to checking the fingerprint (something you are to something you are) in the first place instead of checking the PIN (to something you know), the initial cost would have been higher, but it would be more secure.
"Mathfox: As I said in an earlier post, the fraudulent (t-shirt) merchant with just a few PIN terminals can be quickly singled out with some data mining, such an action would give you a dozen or so cards per day."
Not if you don't submit the transaction. How much does a t-shirt cost?
Simple phone tapping could work - on the Wells Fargo 800 number, before they ask for anything else they ask the user to punch-in the account number, then punch-in the PIN.
A simple device could parse the dial-tones and save those to disk or something. Tapping into the phone lines going into the call center could be effective.
"Litan's sources in the financial industry have told her that thieves hacked into a as-yet-unknown system, and made off with data stored on debit cards' magnetic stripes, the associated "PIN blocks," or encrypted PIN data, and the key for that encrypted data."
That's bad... but it would perfectly explain the "class-break". Some questions remain:
- Why was this data kept on this machine?
- How did they get the encryption key?
- Was it an insider job?
Man-in-the-middle attacks DO exist in the wild.
I recall that a swipe terminal was bugged by an under-the-counter laptop in an English filling station a few years ago. It was reckoned the perpetrators gained 1-400 card details and associated PINs per day.
But chipcards are not really more resistant ... http://www.cl.cam.ac.uk/~mkb23/interceptor/
Yes William, the keyboard really should be integrated in the chipcard... I'ld go for a card with integrated thumbprint scanner though!
Remember, ABMs and the PIN system originated in the 1960's and by the mid 1970s had already become widely adopted. Fingerprint scanning and image recognition were not even in Sci-Fi novels yet. One of the advantages to the PIN and Card system was that it did not require additional storage on the main computer.
Neither the PIN nor the PIN-Block (the piece on the card) was to be stored anywhere. These two pieces of data are hashed with separate bank keys and the result should be a fixed value.
Whichever merchant(s) were breached in this incident are likely out of compliance on multiple issues, including violations of:
- Unique key per device (i.e. PIN pad)
- Logging magstripe and encrypted PIN block data
The statement from the Gartner spokeswoman is either misleading or misstated. Although keys may be stored in software for certain PIN pad algorithms, the key is stored encrypted and is only decrypted within the PIN pad for use. (Most US retailers use the DUKPT scheme where the key is ONLY in the PIN pad at the point of sale and changes for each transaction.) However, 8 years after the DES cracker release, it can't take too long to break a key. If that key is shared for multiple devices, it's pay day for the bad guys!
My big question is whether the breach happened on site (bad employee) or remotely over the internet, wireless network, etc. Somebody screwed up big time in any case. A perfect storm, and perfectly preventable.
Looks like 14 people have been arrested in the past two weeks in connection with a ring of debit card information stolen from retail chains.
CNET news story at: http://news.com.com/...
Wonder if this is related to the ATM card class break in the original post?
Law enforcement officials in New Jersey have arrested 14 people in connection with a crime spree that has forced banks across the nation to replace hundreds of thousands of debit cards.
The suspects, all U.S. citizens, are accused of using stolen credit and debit card information to produce counterfeit cards that were used to make fraudulent purchases and withdrawals from card-holder accounts, Hudson County Prosecutor Edward DeFazio said. Most of the arrests were made during the past two weeks.
Some of the stolen credit card information came from the office-supply chain OfficeMax and other businesses, DeFazio told CNET News.com on Monday. "We had cooperation from the security people from many victimized businesses," he said.
Credit-card issuers Visa and MasterCard have blamed a growing number of thefts from debit-card holder accounts--in areas ranging from San Francisco to Boston--on a security breach suffered by a merchant, but they've refused to identify the company.
nprfreak had some good comments that actually addressed some of these issues, but they might have been obscure to people unfamiliar with POS security techniques.
Mathfox asked a few elementary questions about the schemes (man-in-the-middle etc.). POS terminals typically use one of two symmetric-key management schemes: master-session or DUKPT.
Master-Session is simply loading a unique KEK (the master key) into a terminal, and downloading encrypted session keys to the terminal on a regular basis (potentially for every transaction). Although commonly used, there are a number of threats (biggest one to mind is that breaking into the POS PINpad will give you valuable information).
The DUKPT scheme (defined in ANSI X9.24 part1) is more interesting, as it has perfect-forward-security (PFS). If you obtain the current DUKPT key from a PINpad, that information won't allow you to decrypt the previous transactions (threat: someone records transactions, and than breaks into the PINpad used).
In order to do a MITM attack for Master-Session, you would have to have the Master key (at which point, you don't need to do a MITM). The DUKPT scheme generates new session keys off-line, so it is not venerable to a MITM attack either.
Just to be clear, these kinds of cryptographic attacks are extremely rare. As mentioned above, the more typical way is to photograph/bug someone who is using a valid device, or to trick the user into using a bogus device. That is why this story is so interesting. The merchant recording encrypted PINs is bad practice, but that alone won’t jeopardize the system. The real break occurred when they discovered some method of decrypting the PINs!
trsm.mckay is correct in his breif explaination of debit processing. However, one important note, although unique keys per PIN pad has been in the standards for at least 10 years, those that use Master/Session do not follow this requirement, for a number of reasons. As implemented today, every device to a processor that uses Master/Session has the same single DES master key injected in it and in most cases uses the same single DES PIN encryption key as well. The news stories of PINs stored in the clear in a database is not accurate. What would be stored is cryptograms of PINs as encrypted by the PIN pad. And if using Master/Session all the PINs are encrypted with the same key. One key opens them all.
PIN_Head writes: As implemented today, every device to a processor that uses Master/Session has the same single DES master key injected in it...
This used to be almost universally true, but has been changing. Visa and MasterCard started requiring unique key per device a while back (in the US ATM needed it by 2003, POS terminals needed it by 2005). 3DES was supposedly required by 2005 for all devices.
I'll save the rant about the slowness of 3DES migration, and the slovenly POS security practices (as opposed to security standards) for a later time. Suffice to say that the financial incentives don't match the real world.
Good point trsm.mckay, it is true that Visa and MC have these mandates and the migration is true. Also, the majority of debit processing in the US is derived unique key per transaction (DUKPT). However, the major retailer that has been identified in the news articles uses single DES master/session.
The problem is that one certain bank will use 1 DES algorithm for their credit cards. If this one algorithm is broken, a criminal will have the ability to get a pin for any card through that company.
Most banks are switching to triple DES 56bit algorithms, which are harder to crack, but if someone got ahold of an ATM's hard drive and the software in it, then they would have complete access to the DES code/algorithms for that specific bank.
Although it is alot harder then it sounds, it can be done.
The DES algorithm is public domain. The security of DES is the secrecy of the cryptographic keys. In the payment industry standards exist that state every device must have a unique key. The reason for this requirement is so that if a key is compromised in one PIN entry device then the other PIN entry devices are not compromised. Also, ATMs do not have the keys stroed on the hard drive inside the machine. Again, a compliant ATM must stroe the keys in a secure region that uses tamper detection to erase the keys when tampering is detected. Most ATMs will use a secure chip that stores and uses the keys. They do not expose the keys once stored.
Do the use of DUKPT in a POS terminal negate the use for an ecrypted pin block?
ok what i would like to know, is it true that pos terminals have hard drives that store all the transaction that were made in its life time with all tracks and pins of credit and debit cards
Bank of America tells you that you are protected using their Debit Card. They say they will replace the money taken from your account if it was not an authorized transaction. It happened to me and they replaced my money taken out of an atm by someone other than me. I made a police report and completed all the paperwork required by them. One month later they reversed my temporary credit. They determined "no posting error occurred on your account". I requested the documents they referenced to come to their decision and they sent me 3 months of my checking statements. They didn't use any of my fraud paperwork, didn't look at my police report, didn't investigate anything. I'm just out the money and got the run around. I feel totally ripped off and feel the bank has accused me of filing a false police report, atm fraud, and attempted theft by their decision to not consider this as a fraud that was committed against me. Don't feel safe because a bank tells you your protected, it's a lie!
anybody kno the 6 digit emergency code 4 atm's you can get instant emergency cash
anybody kno the 6 digit emergency code 4 atm's you can get instant emergency cash
anybody kno the 6 digit emergency code 4 atm's you can get instant emergency cash
Okay. I don't care if people believe me or not, but I am telling the truth for the following:
A few months ago I went to deposit a cheque into a regular ATM machine. The guy in front of me as soon as I stood behind him started looking back and forth, a bit paranoid is exactly what he was doing. In fact he took an empty deposit envelope and walked away.
I found this odd and walked up to the ATM. The screen asked if I wanted another transaction. So I first thought to myself that he forgot his atm card in the machine.
More out of curiousity, and a little greed, (hey, at least I'm honest) I decided to pull out $400.00 cash. a huge line was forming and I started to get a bit paranoid myself that the guy might come back.
So after it asking if I wanted another transaction, I selected 'no'. to my surprise the card did not come out. nothing came out, except the cash I got earlier from however this guy hacked the machine.
Being even more paranoid, I decided to just casually take off and deposit my cheque at a different ATM.
The point I'm trying to make is ATM hacking is still out there. What I'm really curious about is how the guy did it. Not so I can go out and do it, but more how the heck the guy figured it out.
I even double checked my account balance to make sure I didn't accidently take out my own money.
All I'm saying is really try and change your pin every couple of months or so, and mask your pin every time you make a purchase.
I also check every time when paying by debit or credit card if my numbers are blocked out or not on the recepit. Most business's do it, but some major department stores don't.
This is what happend to me on April 19, 2008. It was a warm Saturday afternoon in Athens city center (Greece). I did lose my wallet one way or another. I took a train ticket out of it and punched it on the ticket machine on the Athens undergraound. The time was 1:32pm. I got inside my house at 2:15pm and realized that my wallet had gone AWOL. I called the banks and cancelled all of my 4 Credit Cards.
But now Bank of Pireaus (representing my Master Card) is charging me the amount of 2,940 euros because some prick used an ATM from 1:35:45 to 1:44:51pm to make eight (8) withdrawals of various sums totalling 2,940.
How in the world without a the PIN available can someone do this? Any help will be appreciated since I'm flat broke and desperate to find out what is going on. Please help people! Thank you. JohnM
needing a little help from the proud goup,jst need to know how i can penatret an atm machine access code.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.