The Federal Reserve System's Cyberdefense Force
Interesting article on the cybersecurity branch of the Federal Reserve System.
Interesting paper by Steven J. Murdoch and Ross Anderson in this year’s Financial Cryptography conference: “Security Protocols and Evidence: Where Many Payment Systems Fail.”
Abstract: As security protocols are used to authenticate more transactions, they end up being relied on in legal proceedings. Designers often fail to anticipate this. Here we show how the EMV protocol—the dominant card payment system worldwide—does not produce adequate evidence for resolving disputes. We propose five principles for designing systems to produce robust evidence. We apply these to other systems such as Bitcoin, electronic banking and phone payment apps. We finally propose specific modifications to EMV that could allow disputes to be resolved more efficiently and fairly.
Ross Anderson has a blog post on the paper.
Microsoft is trying to stop supporting Windows XP. The problem is that a majority of ATMs still use that OS. And once Microsoft stops issuing security updates to XP, those machines will become increasingly vulnerable.
Although I have to ask the question: how many of those ATMs have been keeping up with their patches so far?
We have far to go with our security of embedded systems.
Yet another way two-factor authentication has been bypassed:
For a user to fall prey to Eurograbber, he or she must first be using a computer infected with the trojan. This was typically done by luring the user onto a malicious web page via a round of unfortunate web surfing or email phishing attempts. Once infected, the trojan would monitor that computer’s web browser for banking sessions. When a user visited a banking site, Eurograbber would inject JavaScript and HTML markup into their browser, prompting the user for their phone number under the guise of a “banking software security upgrade”. This is also the key to Eurograbber’s ability to bypass two-factor authentication.
It’s amazing that I wrote about this almost eight years ago. Here’s another example of the same sort of failure.
Cash traps and card traps are the new thing:
[Card traps] involve devices that fit over the card acceptance slot and include a razor-edged spring trap that prevents the customer’s card from being ejected from the ATM when the transaction is completed.
“Spring traps are still being widely used,” EAST wrote in its most recent European Fraud Update. “Once the card has been inserted, these prevent the card being returned to the customer and also stop the ATM from retracting it. According to reports from one country, despite warning messages that appear on the ATM screen or are displayed on the ATM fascia, customers are still not reporting when their cards are captured, leading to substantial losses from ATM or point-of-sale transactions.”
More descriptions, and photos of the devices, in the article.
This sort of attack will become more common as banks require two-factor authentication:
Tatanga checks the user account details including the number of accounts, supported currency, balance/limit details. It then chooses the account from which it could steal the highest amount.
Next, it initiates a transfer.
At this point Tatanga uses a Web Inject to trick the user into believing that the bank is performing a chipTAN test. The fake instructions request that the user generate a TAN for the purpose of this “test” and enter the TAN.
Note that the attack relies on tricking the user, which isn’t very hard.
Well, new to us:
You see, an EMV payment card authenticates itself with a MAC of transaction data, for which the freshly generated component is the unpredictable number (UN). If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location. You can as good as clone the chip. It’s called a “pre-play” attack. Just like most vulnerabilities we find these days, some in industry already knew about it but covered it up; we have indications the crooks know about this too, and we believe it explains a good portion of the unsolved phantom withdrawal cases reported to us for which we had until recently no explanation.
Paper here. And news article.
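The whole pre-play problem hinges on the terminal's UN actually being unpredictable. As an added illustration (not code from the paper or from this post), the following Python runs the kind of freshness sanity check an acquirer or terminal operator could apply to UN values (EMV tag 9F37) pulled from transaction logs, flagging counters, repeats and bit positions that never change; the sample values and the stuck-bit threshold are constructed assumptions.

```python
"""Freshness checks for EMV Unpredictable Numbers (tag 9F37) taken from terminal logs.
Added example; the sample values and the threshold below are constructed, not real terminal data."""
from typing import Dict, List

UN_BITS = 32  # an EMV UN is a 4-byte field

# Constructed samples, each standing in for one terminal's last eight transactions.
COUNTER_TERMINAL = ["0000A3F0", "0000A3F1", "0000A3F2", "0000A3F3",
                    "0000A3F4", "0000A3F5", "0000A3F6", "0000A3F7"]
RANDOM_TERMINAL = ["8F2A6C91", "13D7E05B", "6B4410A2", "C9E8F73D",
                   "2D95B8E6", "F0613C4F", "5A7CD218", "B4063E97"]
STUCK_TERMINAL = ["4B12A371", "4B120E5C", "4B12F9B2", "4B1247D8",
                  "4B12C01F", "4B1258E3", "4B129A46", "4B12E70D"]


def parse_uns(hex_values: List[str]) -> List[int]:
    """Convert 8-hex-digit UN strings, as logged, into integers."""
    for h in hex_values:
        if len(h) != 8:
            raise ValueError(f"UN must be exactly 4 bytes: {h!r}")
    return [int(h, 16) for h in hex_values]


def is_counter(uns: List[int]) -> bool:
    """True when every successive pair differs by the same non-zero step (mod 2^32)."""
    if len(uns) < 3:
        return False
    steps = {(b - a) % (1 << UN_BITS) for a, b in zip(uns, uns[1:])}
    return len(steps) == 1 and 0 not in steps


def stuck_bits(uns: List[int]) -> int:
    """Count bit positions that are 1 in every sample or 0 in every sample."""
    all_and, all_or = (1 << UN_BITS) - 1, 0
    for u in uns:
        all_and &= u          # bits still set here were 1 everywhere
        all_or |= u           # bits still clear here were 0 everywhere
    return bin(all_and).count("1") + (UN_BITS - bin(all_or).count("1"))


def assess(hex_values: List[str], max_stuck_bits: int = 4) -> Dict[str, object]:
    """Summarise how predictable a terminal's UNs look; threshold assumes ~8 or more samples."""
    uns = parse_uns(hex_values)
    findings: Dict[str, object] = {
        "counter": is_counter(uns),
        "repeats": len(uns) - len(set(uns)),   # a fresh nonce should never recur
        "stuck_bits": stuck_bits(uns),
    }
    findings["predictable"] = bool(findings["counter"] or findings["repeats"]
                                   or findings["stuck_bits"] > max_stuck_bits)
    return findings
```

With only eight samples a genuinely random source is expected to show well under one stuck bit, so a terminal that trips the threshold deserves a closer look at its RNG before its UN is trusted as evidence in a dispute.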
Cybercriminals are using commercial spamflooding services to distract their victims during key moments of a cyberattack.
Clever, but in retrospect kind of obvious.
This informal survey produced the following result: “45% of the users found their email accounts more valuable than their bank accounts.”
The author believes this is evidence of some sophisticated security reasoning on the part of users:
From a security standpoint, I can’t agree more with these people. Email accounts are used most commonly to reset other websites’ account passwords, so if it gets compromised, the others will fall like dominos.
I disagree. I think something a lot simpler is going on. People believe that if their bank account is hacked, the bank will help them clean up the mess and they’ll get their money back. And in most cases, they will. They know that if their e-mail is hacked, all the damage will be theirs to deal with. I think this is public opinion reflecting reality.
Yes, it’s clever:
The basic problem is the average haul from a bank job: for the three-year period, it was only £20,330.50 (~$31,613). And it gets worse, as the average robbery involved 1.6 thieves. So the authors conclude, “The return on an average bank robbery is, frankly, rubbish. It is not unimaginable wealth. It is a very modest £12,706.60 per person per raid.”
“Given that the average UK wage for those in full-time employment is around £26,000, it will give him a modest life-style for no more than 6 months,” the authors note. If a robber keeps hitting banks at a rate sufficient to maintain that modest lifestyle, by a year and a half into their career, odds are better than not they’ll have been caught. “As a profitable occupation, bank robbery leaves a lot to be desired.”
Worse still, the success of a robbery was a bit like winning the lottery, as the standard deviation on the £20,330.50 was £53,510.20. That means some robbers did far better than average, but it also means that fully a third of robberies failed entirely.
(If, at this point, you’re thinking that the UK is just a poor location for the bank robbery industry, think again, as the authors use FBI figures to determine that the average heist in the States only nets $4,330.00.)
There are ways to increase your chance of getting a larger haul. “Every extra member of the gang raises the expected value of the robbery proceeds by £9,033.20, on average and other things being equal,” the authors note. Brandishing some sort of firearm adds another £10,300.50, “again on average and other things being equal.”
We all kind of knew this—that’s why most of us aren’t bank robbers. The interesting question, at least to me, is why anyone is a bank robber. Why do people do things that, by any rational economic analysis, are irrational?
The answer is that people are terrible at figuring this sort of stuff out. They’re terrible at estimating the probability that any of their endeavors will succeed, and they’re terrible at estimating what their reward will be if they do succeed. There is a lot of research supporting this, but the most recent—and entertaining—thing on the topic I’ve seen recently is this TED talk by Daniel Gilbert.
Note the bonus discussion of terrorism at the very end.
EDITED TO ADD (7/14): Bank robbery and the Dunning-Kruger effect.