Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Squid-Shaped Parsnip Wins Ugly Vegetable Competition |
| RFID Passports Less Reliable than Traditional Passports »
November 20, 2006
ATM Eavesdropping Attack
I'm amazed that ATMs still don't have basic communications security measures. One fraudster inserted a recording device into the ATM's phone line and recorded customer card numbers and PINs.
Posted on November 20, 2006 at 6:19 AM
• 30 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Making a free-standing ATM that conforms to the design of a built-into-the-wall ATM at the bank, where access to the back panel can be tightly controlled, is utter idiocy.
For an analogy, think of a free-standing safe deposit box installed at a bus stop.
There would seem to be a lot more to this than the article suggests.
-- Mp3 to Phone Line, all the MP3 plyers I have ever seen have only a single USB connecter. They could't really have left a USB port exposed at the back of the ATM ??
-- Older hole in the wall ATMs are generally still running on private X.25 networks ( its there, its cheap and its secure). I cannot believe any one would hook up an ATM to a stanard BT phone line. You could intercept the signal anywhere on its 10 mile plus journey to the bank.
-- The communication between ATM and the bank isn't actually coverred by a standardised protocol, but most manufactures do the lazy (and in this case right) thing by re-implementing the bank to swith protocols which includes encypted PIN blocks -- maybe someone turned this off as its a pain to administer.
Either the bank was dummer than seems feasable or the scammer was a lot cleverer than the article suggests.
Astounding. Was it a budget issue in the end? Time is money, yes.
Great interview on CBC radio today Bruce! Quite surprising how much you know about Canada's privacy laws...impressive, actually.
Kudos, and best wishes.
supersnail wrote: "I cannot believe any one would hook up an ATM to a stanard BT phone line."
In the last couple of years in the UK there has been a big increase in the number of non-bank-owned ATMs. I've seen them in petrol stations, corner shops and casinos. And because they're designed to sit in the corner of a typical shop they do just plug into a BT phone socket.
From what I've seen, there's no authentication of either the ATM or the host. I've always wondered if you could call the ATM at the exact moment it tried to dial out, fake the dial tone, and send back a phony authorization.
Other articles elsewhere have said that he used a device to splice into the line. Nothing new or amazing, just something that let him tap in, record, and let the data carry on its merry way. And an mp3 player is just a glorified hard drive. If you write to it, it records it. Nothing terribly new there.
The most amazing part of the article is how these people are getting caught. The ATM hacker in Virginia left the machine configured to spit out $20 for $5s. This guy hands over a fank bank card after making an illegal Uturn. Wow.
"Mp3 to Phone Line, all the MP3 plyers I have ever seen have only a single USB connecter. They could't really have left a USB port exposed at the back of the ATM??"
I do think the scammer was cleverer than the article suggests, but I assumed he patched the phone line into the microphone jack. Modern voice recorders have a mode where they only record when there is noise present, so that part's easy.
This is an attack against an ATM that communicates with the bank network via a traditional telephone modem.
Most ATMs used to have a permanently off-hook "party-line" leased serial connection with "poll/select" interrogation (essentially a handmade token ring - atm #7 you have traffic for me? no. atm #8 you have traffic for me? yes, a withdrawal from joe's account for $75. Authenticated. atm#9 you have traffic,,, etc.)
The communications were very compact, only 200 bytes or so in the longest transaction. It was typically connected to a mainframe or mini at the bank (as opposed to a micro).
It was on the order of 1200 baud bell 212 std and nothing was encrypted except the password (typically DES).
Banks had a large amount of money invested in this infrastructure and they seemed to work fairly well, so I would not be surprised to see them still in use.
"Most ATMs used to have a permanently off-hook 'party-line' leased serial connection...."
I don't know about "most" ATM machines, but the free-standing ATM machines you find in stores, hotel lobbies, airports, shopping malls, and etc are connected by modem. I can often hear the modem dialing after I enter in my information.
I did a brief amount of work on an ATM network for a British bank, who used SNA network protocols connected back to the a Frame Relay network using VSAT (satellite), and encrypted the conversation at their application layer.
We looked at moving them onto an IP solution, using DSL as the access to a VPN (using DSL as cheap access to a private MPLS network, *not* running over the internet). On switching to IP, even though it didn't touch the Internet, and stayed entirely in their own VPN, that bank required us to do further encryption between the routers at each end, too.
I'm surprised that the ATM provider in this story didn't bother with any kind of encryption. Let me guess; they weren't the bank or the customer, so the costs of poor security in this configuration were external to them?
By the way, the reason we were proposing a switch from VSAT to DSL was that the client told us that the new "chip and pin" authentication sends about 3 times as much data as the old "mag stripe", and this was going to start impacting the congestion of the shared time slots used by the thousands of VSAT-connected ATMs they had in the UK. Yet another benefit for "chip and pin" - telcos get to sell more bandwidth!
A few years ago, an ATM was added to one of the buildings at Carnegie Mellon. At first, it didn't work very well. Then, an obvious cellular-style antenna was added on top. More reliable, but it still failed a lot.
Finally, they moved to a phone line of some kind. The ATM was free-standing, and you could literally just unplug its phone jack if you wanted to. You could hear it dialling out, and what sounded like modem tones. I wasn't sure how secure it was, but it always made me a bit uncomfortable.
One of the other ATMs on campus was running Windows. We discovered this when the ATM app on it died - and it dropped into a standard Windows dekstop. It was heavily locked down, and about the only thing you could do was play the default Windows Media Player sound - which, of course, was how it was left, looping, playing that sound over and over.
I'm not sure abt US,but one of my friends works for a banks in Japan.They store customer data on csv files on the local drive of the machine.These systems basically a home pc with restricted access.
I frequently see ATM machines in which you can hear the modem dial and handshake. I remember thinking this attack was possible many years ago. It is a wonder it has taken someone this long to do it. Perhaps people have done it in the past but were never caught.
I second that. You can hear many convenience store ATMs dialing. I know that "One would think..." doesn't work in the real world, however, One would think that the speaker would default to "off".
One of the interesting complexities in life came up with the advent of the original water-based casinos. Their contracts required them to sail every so often (these restrictions have since been removed). I saw a couple of RFPs dealing with the design and implementation of encrypted, wireless ATM transactions for them. Banks ARE concerned, so I'm not sure why the dial-up systems exist in unencrypted form.
"I'm amazed that ATMs still don't have basic communications security measures."
After more than a year performing vulnerability assessments and penetration tests in banks and credit unions across the USA, I am not amazed or surprised.
ATMs, which are bought and sold, will retain the data for previous financial institutions on their hard drives. Hack X County Bank, and you've got the information for 5 or 10 other banks.
Diebold doesn't update the version of Windows they run on their ATMs, and don't let most institutions update it either. This means I can use the Sasser vuln (MS03-026) to take over an ATM.
All ATMs in America are now supposed to use 3DES for communications -- but the PIN numbers for every transaction are stored unencrypted on the hard drive in Diebold ATMs for some unknown reason.
This is why I laugh when people say "Diebold makes ATMs secure, so they can make voting machines secure."
@Redwretch et al
If anyone is interested in hearing Bruce's interview on CBC, wander over to the website for "The Current" at www.cbc.ca/thecurrent --- click on the past shows menu, and then select the Nov. 20th show from the "calendars".
(Disclaimer - my sister is the host of The Current.)
" All ATMs in America are now supposed to use 3DES for communications -- but the PIN numbers for every transaction are stored unencrypted on the hard drive in Diebold ATMs for some unknown reason. "
You don't even need to pull the HD out. You just need to remember the thread from last month about ATM default passwords, download the manuals, enter the default password, go to the key entry menu, and you can see the 3DES key and make a note of it.
The *real* WTF is that they aren't using asymmetric crypto.
It looks like they were able to tap the credit card numbers + exp.dates only. And those were used to buy something, not get cash from another ATM.
The PIN supposed to be sent encrypted by triple DES or AES. The encryption supposed to take place in a tamperproof blackbox that has key pad (that's why PIN punched through the separate keyboard event in touch-screen ATMs).
So unless they cracked one of these tamperproof boxes (it should cost ~$20K - specs requirement) or were able to brute force 3DES/AES or encryption was somehow turned off, they had no chance to know PINs.
"... recorded customer cards numbers and PINs."
Note that the Times only mentions numbers and expiry dates. It is still typical in most countries for this information to be sent unencrypted, however it would be very poor practise (and non-compliant with banking/govt regs) for the PIN block to be sent in the clear.
Of course the PIN is not required for any card-not-present transactions (online, phone).
This was not an attack on the PIN, instead it is a credit card cloning attack!
The original standards did not call for encryption of the magnetic stripe, because that was "public" information. At least this was the reasoning explained to me in the late-80's when I started working on these things (and the HSM's of the day could only perform 5-10 TPS, each transaction consisting of about 2-4 single-DES operations).
Flash forward 20 years, and the invention of ATM cards that could also work as credit cards. Also many ATM's connect using dial-up or IP now (as opposed to the more traditional and safer leased line approach). You might think these changes would be sufficient that someone would mandate encryption of the magnetic strip data, but so far no one has been willing to do that. I've talked with Visa and MasterCard folks, and heard all sorts of excuses as to why not (mostly along the lines of too expensive).
Incidents like this will eventually result in encryption rules, which IMHO should have been required quite a bit ago. That brings up the question of who should "require" it, for the US as least. The sad story in the US is that there is almost no government regulation or oversight in this area.
Historically the switches that connect different banks (such as Star or Interlink) have provided most of the security regulations. Recently (10 years or so), Visa and MasterCard have started developing their own sets of rules and regulations (now mostly under the CISP banner). When it comes to the "encrypt transaction" requirements, our best bet is probably Visa and MasterCard. Practically speaking, if they don't require it (or charge extra for transactions that don't encrypt), than most banks won't make the change.
Other security enforcement problems are worse, since the rules enforced by the switches only cover "not-on-us" transactions that will go over the network. The "on-us" transactions have almost no regulations, and indeed I've seen some very substandard security in this area. The not-on-us transaction has very explicit auditing criteria (for example ANSI X9's TG-3), but I'm not aware of anything similar for on-us transactions.
Incidentally most modern HSM's can perform 1000 TPS or more, with each transaction able to contain many 3DES operations (communication overhead is usually the bottleneck). So while my former employer might sell a few more HSMs if these rules went into effect, that is not where the cost is. Most of the actual expense is with application changes, testing, and remote device management; not to mention the planning it takes to make these changes while continuously operating a mission-critical system.
I see some confusion about encrypted PINs on an ATM database. As part of the 3DES manadate, Visa and MasterCard also required the ATM vendors to start using an encrypting keyboard. The previous design had the keyboard attached to the TRSM with a cable, and inside attackers could tap the cable and get the PINs in the clear.
In practice, the ATM vendors only wanted one TRSM, so that is now combined with a keypad (kind of like a display less POS terminal) known as a PED (PIN Encrypting Device). If the ATM has a PED (a properly designed PED at least), forget about clear PINs on the hard-drive.
Actually even before the PED requirement, you should not have had clear PINs outside of the TRSM. I won't say it never happened, as I've heard some stories about pretty lame ATM designs. If Cliff's story about a Diebold doing that is true, it must be an old obsolete model (one that no longer meets standards, but some stingy bank still keeps using it). If you go back far enough, you could find a Diebold ATM that does not even ask for a PIN!
Finally, I'd mention that pretty much all of the major ATMs are based on off-the-shelf software (currently Windows), but they are (in theory) locked down and use additional hardware (like the PED) to protect sensitive areas.
Passed an ATM in a rest area in Indiana last weekend... I could have easily unplugged its 10Base-T cable and plugged it into my sniffer for a few hours....
What I've heard is that the original designs were based on the (then true) assumption that communication lines were private. Only the PINs were encrypted. Now, people have started using public communications links - the telephone network, the Internet, etc - but they did not change the protection applied to the data sent to and from the ATMs.
Lazy, lazy, fat lazy banks.
Only money fixes banking problems (or the threat of losing it).
It's a little bit off topic on the fraud side but this makes me worry:
"He was arrested by chance by police in the City of London when the driver of the car in which he was travelling was stopped for an illegal U-turn. Officers found a counterfeit bank card in his possession."
Does this mean, that if you make a trafic "crime" (like illegal u-turn, speeding, not using your indicators, etc.) the police can search you (and everybody sitting in the car)?
LonerVamp: "The most amazing part of the article is how these people are getting caught."
Not really. We just don't hear anything about the ones who *don't* get caught!
I agree that probably he used the microphone of the MP3 player to record the signal the modem produces.. I don't know much about ATMs but it sounds kind of Fourier knowledge.. The ATM is just an object that plays with money, from what else object can we try to get the signal? ... :)
I don't understand how it worked, arite i understand that he used a mp3 player to record the information, but then how did he manage to convert that onto the magnetic strip, he was a genius any idea's how this guy did it
The guy must be dumb to do something like that . using phoneline that is unencrypted is unsafe for our details like our PINs and cards . Encrypted banks are more supportive
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.