Schneier on Security
A blog covering security and security technology.
« Another "Movie Plot" Threat |
| Supermarket Loyalty Program Used to Pinpoint Location »
October 24, 2005
ATM Fraud and British Banks
An absolutely great story about phantom ATM withdrawals and British banking from the early 90s. (The story is from the early 90s; it has just become public now.) Read how a very brittle security system, coupled with banks using the legal system to avoid fixing the problem, resulted in lots of innocent people losing money to phantom withdrawals. Read how lucky everyone was that the catastrophic security problem was never discovered by criminals. It's an amazing story.
See also Ross Anderson's page on phantom withdrawals.
Oh, and Alistair Kelman assures me that he did not charge 1,750 pounds per hour, only 450 pounds per hour.
Posted on October 24, 2005 at 7:16 AM
• 30 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I find this report fascinating in many ways. I posted a more inflammatory bit earlier, when discussing the need for two-factor auth (TFA), but in restrospect I think this is a better all-around quote:
"What quickly became clear was that the law needed a system to provide proof that events had happened so that legal cases could be made. You might say that 'the computer debited the account', but to a barrister (and more importantly, a judge) that's not enough. Did the computer do it at random? In that case it's like a tree branch falling - an accident. Or did a person program it to do so? In which case the person must be able to testify about the precise circumstances when a debit could happen. Sounds daft, but the law rests on proving each step of an argument irrefutably."
I say better because it ties in nicely with the liability thread that has been going on here, as well as with the (same-day) announcement by the BBC that the Crown Prosecution Service (CPS) is creating a special group tasked with sorting out Internet law and liability.
I filed away the original BBC story/link somewhere, but here's a ready substitute from the CPS themselves:
This does seem kind of old. I knew of cloned cards and pilfered PIN numbers before. The methods have varied from stealing mail to making a very realistic ATM machine. How's this for an idea. To make sure there is only one card out there, everytime a card is used, the mag stripe is re-written with a random code. The ATM machines share this data with each other and if a dual code or a non syncronous chain of codes show up, then an "oops" flag is raised somewhere and perhaps a non random code is written to the card with tracking info added. If the "oops" was an accident and not theft, then the "oops" flag is removed and the card is re-randomized the next time it's used.
I wonder if this problem still exist in third world contries, that buy their technology from "trusted" third world companies.
Just an aside...the first thing most atm's I visit ask me after swiping the card is:
Do you want to continue in English -->
or Spanish -->
Do they monitor this selection? LIke, I've never selected to continue in Spanish. If my card is swiped, and that is chosen, will a flag be raised? If not, then why don't they record my choice the first time I make it so I don't have to any more, or have the selection made before the card is swiped?
I don't think anyone is using atm's to learn a second language!
This is an absolutely terrifying article. Two major issues that were entirely secret until now:
- The insecure data format used for the card magstripe, leaving the PIN and account details individually rewritable.
- One bank's computing department "going rogue", "cracking PINs and taking money from customers' accounts with abandon" as the story puts it. Yikes.
The latter in particular makes me wonder about the extent of insider fraud in banking computer systems elsewhere.
'And why is he telling this explosive story now? Because chip and PIN has been deployed across the UK ATM network. "The vulnerability in the UK ATM network was still there to be exploited -- if someone had chanced upon it."'
I wonder if other banking systems worldwide are still vulnerable, however? Did any other national banks license the UK systems?
"Because chip and PIN has been deployed across the UK ATM network"
except that I believe it hasn't - most ATMs still use the magstripe. Chip and PIN is in use at merchant checkouts. I hope then that the simple magstripe vulnerability (paste different account details onto a card with your own PIN) has been fixed.
I remember vaguely a case from around this time of a man who was in South Africa while his account in GB was debited for a large sum. When he complained and demanded restitution he was promptly charged with fraud: the bank insisted that he must have come back to GB and withdrawn the money because it was 'impossible' for someone to have otherwise accessed his account.
I never found out how the case ended up.
The story is not new. Anderson already mentioned this in R. Anderson and R. Needham, “Programming Satan’s Computer,��? Computer Science
Today, Lecture Notes in Computer Science, vol. 1000, pp. 426–441, 1995 in Section 2.1.
"Read how lucky everyone was that the catastrophic security problem was never discovered by criminals."
I'd say this is also true for security in general. It goes without saying there's countless number of security problems out there yet to be discovered by criminals, even in banking systems. I'm also sure that banking systems still have them and either no one knows about them or those who know keep them secret (perhaps because fixing them right away would cost more than waiting for next upgrade or something equivalent).
Also, the deterrent of criminal penalties compensate for bad security somewhat especially when money's involved and there's high risk of getting caught.
"I'm also sure that banking systems still have them and either no one knows about them or those who know keep them secret (perhaps because fixing them right away would cost more than waiting for next upgrade or something equivalent)."
I hope you're not suggesting that security through obscurity works. "Luck" is not usually a realistic solution to life's problems, and I do not see why security would be any different. The obscurity also works both ways since it can also mean that the system admins (banks in this case) have to be informed by victims that they are being attacked.
Oh, and don't expect banks to disclose any of their problems, be it security or otherwise, unless they absolutely have to.
>>I hope you're not suggesting that security through obscurity works.
Actually it does often work, it just should not be relied on exclusively. In the real world we keep valuables out of sight, don't tell people our lock combinations, keep our spare keys well hidden.
Of course "security by obscurity" works. It only works in specialized situations, but it works. I spent a lot of time on this in Beyond Fear.
I guess we have different definition of "working" security. You could say the same about luck -- sometimes it "works" in your favor. If that's a comparable use of the term, then I'll look for a new one. Perhaps, "reasonable"?
I mean, I would hardly say that risk mitigation *should be* left to luck as a rule. It would be one thing if you have no choice but to sit and wait to be exploited, or have no compelling need to be secure (no threat, no vulnerability, etc.) but when you consciously choose to tempt fate rather than use controls to reduce large vulnerabilitities, diffuse large assets or mitigate impending threats...then we're back to a question of liability.
I'm not anywhere near my copy of Beyond Fear, so I'll have to review later to respond. Any hints or page numbers to expedite? When's the podcast version coming out?
I agree with that, not because obscurity works, but because the risk is so incredibly low. And I try to differentiate reliance on an inherent level of natural obscurity from pro-active camouflage or other obfuscation measures.
If there is no risk, or incredibly marginal amounts, then you might be able to say just about anything "works" for security because there's no work to be done.
most of your net worth is just a domain on a spinning disk in a server somewhere, maybe not even in your own country. greater complexity in a system makes it more prone to catastrophic failure, even with no criminals on the scene. sleep well knowing that your bank loves you and stands behind your account.
I'm still looking, but so far I've only come to page 279 of Beyond Fear where you wrote that secrecy is bad for security for three reasons:
1. It tends to be brittle (once it's discovered it's lost).
2. It conceals abuse and therefore causes even more security problems (like false negatives).
3. It obscures data required in order to make knowledgeable trade-offs.
Is there a particular section where you point to obscurity as a reasonable control?
Your comment is probably the most sensible one here, and not a bad idea provided it's accepted that it still enables multiple withdrawals using a cloned card if the clone gets in first - as the "oops" flag would then only be raised when the genuine card is used.
The article is so full of technical flaws, not least the assumption that chip and PIN is used in ATMs, that I doubt anyone would take it seriously - and let's face it, what have Kelman's fees got to do with anything?
Posters can rest assured that UK ATM systems don't use bank account numbers on cards and don't store PINs on cards (PINs only need to be stored in the customer's head). Card numbers are encoded on cards, PINs are predicated on the card number but can't be calculated from the card number, PINs are verified by the bank's host not the ATM, it's probably all on the net: look it up.
It's a shame that a rather breathless and IMHO badly-written article clouds the real issues: banks' evasiveness and whether there's a need for a review of the legal system.
No, I think your comment is the most sensible one here. :)
On page 127 of Beyond Fear you wrote:
"Hiding a copy of the house key under the mat...is not really a secret at all. It's a believe in secrecy, and a misplaced belief at that."
Ok, I can get behind that. Beliefs in security can and probably should be distinguished from actual security.
"As much as you should avoid secrecy as a critical component in a security system, it may be your only option if the security system is badly designed. It's little more than a cover-up..."
Yup, that sounds good too. And I really like the quote you used from Ben Franklin.
But so far I haven't found examples in the book where obscurity "works", in the sense that it provides security. The opposite, in fact, it seems that Chapter 9 might classify the system we're discussing here as "brittle", or just a belief, and therefore "bad security", no?
"most ATMs still use the magstripe."
Ever wondered how your EMV PIN change or card unblock works if the ATM only accesses the mag stripe? The ATM is required in the "Chip and PIN" scheme as the trusted device for delivering EMV scripts to the card. It's truseted because it's always online, therefore allowing the card issuer to run whatever checks they like before generating a new script. The major banks' ATMs had EMV card readers up and running before the public launch of "Chip and PIN".
jammit's comments were spot on. The industry is not quite as stupid as portrayed in the article.
"most ATMs still use the magstripe."
"But Apacs has told Cash that the majority of ATMs will continue to read the magnetic stripe on the back of a card instead of the chip"
Apacs being the Association of Payment Clearing Services (Apacs), so I would expect them to be speaking with some authority. Of course, the population alluded to by "the majority" may be worldwide rather than just the UK/Eire.
Chip & PIN won't stop the ATM card skimming problem, but then it isn't meant to.
It's mainly aimed at providing security in a POS environment which was hitherto offline and signature-verified, ie an environment providing next-to-no security at all.
Magstripes will be around for a while as there is a requirement for verification to fall back to magstripe should the card's chip (or the chip reader) be damaged. And as long as the magstripe is around, the skim scam will be around.
Although some ATMs do half-spit the card out when inserted, in the hope of confusing the second reader.
Do what I do - place your free hand (the one holding the empty wallet) over the PIN pad when entering the PIN, feel the Force and enter the PIN "blind" - blind to both you and those nasty cameras.
This story gets more distorted every time it's told..
I was convicted in the 90's for this ATM fraud, though the method described in this article is one that I had not used since the late 80's. I had been "playing around" with ATMs for ages.
I found lots of different ways to take money from ATM's, some were no more complex than a bit of cardboard and some chewing gum.
My main conviction was for simply cloning cards by taking long range video of the card and another video of the pin, making the cards was easy when armed with card number, issue number and expiry, the rest is history.
Following my release from prison in 1999 after doing five and a half years I have stayed straight and now build ecommerce websites for many customers around the world, I dont get involved in ATM stuff at all, I dont even live in the UK anymore.
Chip and pin would have made things a lot easier for me if it had been around in the 90's, you see all the chip and pin cards are backwards compatible with magneticstripe around the world.
I was just a hacker that got carried away a bit, the challenge first and then the corrupting influence of all that money, but it was always easy. The best method was always the least technical, all the encryption in the world could not match my pair of canon ex1 videocameras with 1200mm each of zoom lens! I have a photo of the cameras in action which I will post if anyone is interested.
Hey I'm interested in that photo - post away.
BTW (Chip & PIN aside) the recommended method of PIN verification now requires additional information found only on the magstripe, ie it can't be captured by cameras. That is why today's crim has to work slightly harder - needing to either steal the physical card or attach a skimming device to the ATM as well as watching the entry of the PIN.
I poted the URL of the picture here yesterday, the message had been blocked! The reason given was due to anti-spam measures.
Perhaps the message and the URL will appear after a review.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.