ATM Eavesdropping Attack
I’m amazed that ATMs still don’t have basic communications security measures. One fraudster inserted a recording device into the ATM’s phone line and recorded customer card numbers and PINs.
Research paper by Omer Berkman and Odelia Moshe Ostrovsky: “The Unbearable Lightness of PIN Cracking”:
Abstract. We describe new attacks on the financial PIN processing API. The attacks apply to switches as well as to verification facilities. The attacks are extremely severe allowing an attacker to expose customer PINs by executing only one or two API calls per exposed PIN. One of the attacks uses only the translate function which is a required function in every switch. The other attacks abuse functions that are used to allow customers to select their PINs online. Some of the attacks can be applied on a switch even though the attacked functions require issuer’s keys which do not exist on a switch. This is particularly disturbing as it was widely believed that functions requiring issuer’s keys cannot do any harm if the respective keys are unavailable.
Basically, the paper describes an inherent flaw with the way ATM PINs are encrypted and transmitted on the international financial networks, making them vulnerable to attack from malicious insiders in a bank.
One of the most disturbing aspects of the attack is that you’re only as secure as the most untrusted bank on the network. Instead of just having to trust your own issuer bank that they have good security against insider fraud, you have to trust every other financial institution on the network as well. An insider at another bank can crack your ATM PIN if you withdraw money from any of the other bank’s ATMs.
The authors tell me that they’ve contacted the major credit card companies and banks with this information, and haven’t received much of a response. They believe it is now time to alert the public.
Clever attack:
Last month, a man reprogrammed an automated teller machine at a gas station on Lynnhaven Parkway to spit out four times as much money as it should.
He then made off with an undisclosed amount of cash.
No one noticed until nine days later, when a customer told the clerk at a Crown gas station that the machine was disbursing more money than it should. Police are now investigating the incident as fraud.
Police spokeswoman Rene Ball said the first withdrawal occurred at 6:17 p.m. Aug. 19. Surveillance footage documented a man about 5-foot-8 with a thin build walking into the gas station on the 2400 block of Lynnhaven Parkway and swiping an ATM card.
The man then punched a series of numbers on the machine’s keypad, breaking the security code. The ATM was programmed to disburse $20 bills. The man reprogrammed the machine so it recorded each $20 bill as a $5 debit to his account.
The suspect returned to the gas station a short time later and took more money, but authorities did not say how much. Because the account was pre-paid and the card could be purchased at several places, police are not sure who is behind the theft.
What’s weird is that it seems that this is easy. The ATM is a Tranax Mini Bank 1500. And you can buy the manuals from the Tranax website. And they’re useful for this sort of thing:
I am holding in my hands a legitimately obtained copy of the manual. There are a lot of security sensitive things inside of this manual. As promised, I am not going to reveal them, but there are:
- Instructions on how to enter the diagnostic mode
- Default passwords
- Default Combinations For the Safe
Do not ask me for them. If you maintain one of these devices, make sure that you are not using the default password. If you are, change it immediately.
This is from an eWeek article:
“If you get your hand on this manual, you can basically reconfigure the ATM if the default password was not changed. My guess is that most of these mini-bank terminals are sitting around with default passwords untouched,” Goldsmith said.
Officials at Tranax did not respond to eWEEK requests for comment. According to a note on the company’s Web site, Tranax has shipped 70,000 ATMs, self-service terminals and transactional kiosks around the country. The majority of those shipments are of the flagship Mini-Bank 1500 machine that was rigged in the Virginia Beach heist.
So, as long as you can use an account that’s not traceable back to you, and you disguise yourself for the ATM cameras, this is a pretty easy crime.
eWeek claims you can get a copy of the manual simply by Googling for it. (Here’s one on eBay.)
And Tranax is promising a fix that will force operators to change the default passwords. But honestly, what’s the likelihood that someone who can’t be bothered to change the default password will take the time to install a software patch?
EDITED TO ADD (9/22): Here’s the manual.
This is impressive: a display that works on a flexible credit card.
One of the major security problems with smart cards is that they don’t have their own I/O. That is, you have to trust whatever card reader/writer you stick the card in to faithfully send what you type into the card, and display whatever the card spits back out. Way back in 1999, Adam Shostack and I wrote a paper about this general class of security problem.
Think WYSIWTCS: What You See Is What The Card Says. That’s what an on-card display does.
No, it doesn’t protect against tampering with the card. That’s part of a completely different set of threats.
There seems to be a small epidemic of land title fraud in Ontario, Canada.
What happens is someone impersonates the homeowner, and then sells the house out from under him. The former owner is still liable for the mortgage, but can’t get in his former house. Cleaning up the problem takes a lot of time and energy.
The problem is one of economic incentives. If banks were held liable for fraudulent mortgages, then the problem would go away really quickly. But as long as they’re not, they have no incentive to ensure that this fraud doesn’t occur. (They have some incentive, because the fraud costs them money, but as long as the few fraud cases cost less than ensuring the validity of every mortgage, they’ll just ignore the problem and eat the losses when fraud occurs.)
EDITED TO ADD (9/8): Another article.
The Guardian has the story:
One of Britain’s biggest high street banks has left millions of online bank accounts exposed to potential fraud because of a glaring security loophole, the Guardian has learned.
The defect in HSBC’s online banking system means that 3.1 million UK customers registered to use the service have been vulnerable to attack for at least two years. One computing expert called the lapse “scandalous”.
The discovery was made by a group of researchers at Cardiff University, who found that anyone exploiting the flaw was guaranteed to be able to break into any account within nine attempts.
Sounds pretty bad.
But look at this:
The flaw, which is not being detailed by the Guardian, revolves around the way HSBC customers access their web-based banking service. Criminals using so-called “keyloggers” – readily available gadgets or viruses which record every keystroke made on a target computer – can easily deduce the data needed to gain unfettered access to accounts in just a few attempts.
So, the “scandalous” flaw is that an attacker who already has a keylogger installed on someone’s computer can break into his HSBC account. Seems to me if an attacker has a keylogger installed on someone’s computer, then he’s got all sorts of security issues.
If this is the biggest flaw in HSBC’s login authentication system, I think they’re doing pretty good.
Not because they’re annoying, but as a security measure:
Cell phones have been banned inside the five branches of the First National Bank in the Chicago area, to enhance security.
Even using a cell phone in the bank’s lobby may result in the person being asked to leave the premises.
“We ban cell phone use in the lobby because you don’t know what people are doing,” Ralph Oster, a senior vice president, told the Chicago Tribune. Cell phone cameras are also a worry.
Oster said there have been holdups in which bandits were on the phone with lookouts outside while committing bank robberies.
“You’re trying to stop that communication,” he says.
Banks in Mexico City banned cell phones in May and Citizens Financial Bank of Munster, Ind., asks customers to turn off their cell phones.
West Suburban Bank, based in Lombard, Ill., barred customers wearing hats in January but has not moved to silence cell phones.
This is just plain dumb. It’s easy to get around the ban: a Bluetooth earpiece is inconspicuous enough. Or a couple of earbuds that look like an iPod. Or an SMS device. It only has to work at the beginning. After all, once you start actually robbing the bank, a ban isn’t going to deter you from using your cell phone.
This seems like a good idea, assuming it is reliable.
The introduction of voice verification was preceded by an extensive period of testing among more than 1,450 people and 25,000 test calls. These were made using both fixed-line and mobile telephones, at all times of day and also by relatives (including six twins). Special attention was devoted to people who were suffering from colds during the test period. ABN AMRO is the first major bank in the world to introduce this technology in this way.
From Wired News:
Among the falsified evidence produced by the conspirators before the fraud unraveled were confidential bank records originating with the Clearstream bank in Luxembourg, which were expertly modified to make it appear that some French politicians had secretly established offshore bank accounts to receive bribes. The falsified records were then sent to investigators, with enough authentic account information left in to make them appear credible.
Here’s a report of phishers defeating two-factor authentication using a man-in-the-middle attack.
The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit—a tactic used by some security-savvy people—you might be fooled. That’s because this site acts as the “man in the middle”—it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.
I predicted this last year.