Entries Tagged "banking"

Dispute Resolution Systems for Security Protocols

Interesting paper by Steven J. Murdoch and Ross Anderson in this year’s Financial Cryptography conference: “Security Protocols and Evidence: Where Many Payment Systems Fail.”

Abstract: As security protocols are used to authenticate more transactions, they end up being relied on in legal proceedings. Designers often fail to anticipate this. Here we show how the EMV protocol—the dominant card payment system worldwide—does not produce adequate evidence for resolving disputes. We propose five principles for designing systems to produce robust evidence. We apply these to other systems such as Bitcoin, electronic banking and phone payment apps. We finally propose specific modifications to EMV that could allow disputes to be resolved more efficiently and fairly.

Ross Anderson has a blog post on the paper.

Posted on February 6, 2014 at 6:05 AM

Bypassing Two-Factor Authentication

Yet another way two-factor authentication has been bypassed:

For a user to fall prey to Eurograbber, he or she must first be using a computer infected with the trojan. This was typically done by luring the user onto a malicious web page via a round of unfortunate web surfing or email phishing attempts. Once infected, the trojan would monitor that computer’s web browser for banking sessions. When a user visited a banking site, Eurograbber would inject JavaScript and HTML markup into their browser, prompting the user for their phone number under the guise of a “banking software security upgrade”. This is also the key to Eurograbber’s ability to bypass two-factor authentication.

It’s amazing that I wrote about this almost eight years ago. Here’s another example of the same sort of failure.

Posted on December 10, 2012 at 1:04 PM

Advances in Attacking ATMs

Cash traps and card traps are the new thing:

[Card traps] involve devices that fit over the card acceptance slot and include a razor-edged spring trap that prevents the customer’s card from being ejected from the ATM when the transaction is completed.

“Spring traps are still being widely used,” EAST wrote in its most recent European Fraud Update. “Once the card has been inserted, these prevent the card being returned to the customer and also stop the ATM from retracting it. According to reports from one country, despite warning messages that appear on the ATM screen or are displayed on the ATM fascia, customers are still not reporting when their cards are captured, leading to substantial losses from ATM or point-of-sale transactions.”

More descriptions, and photos of the devices, in the article.

Posted on November 29, 2012 at 4:36 PM

Man-in-the-Middle Bank Fraud Attack

This sort of attack will become more common as banks require two-factor authentication:

Tatanga checks the user account details including the number of accounts, supported currency, balance/limit details. It then chooses the account from which it could steal the highest amount.

Next, it initiates a transfer.

At this point Tatanga uses a Web Inject to trick the user into believing that the bank is performing a chipTAN test. The fake instructions request that the user generate a TAN for the purpose of this “test” and enter the TAN.

Note that the attack relies on tricking the user, which isn’t very hard.

Posted on September 14, 2012 at 11:23 AM

New Attack Against Chip-and-Pin Systems

Well, new to us:

You see, an EMV payment card authenticates itself with a MAC of transaction data, for which the freshly generated component is the unpredictable number (UN). If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location. You can as good as clone the chip. It’s called a “pre-play” attack. Just like most vulnerabilities we find these days some in industry already knew about it but covered it up; we have indications the crooks know about this too, and we believe it explains a good portion of the unsolved phantom withdrawal cases reported to us for which we had until recently no explanation.

Paper here. And news article.
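An audit a terminal operator or acquirer could run over the unpredictable numbers a terminal has issued, to catch the predictability the quoted passage describes (repeats, counter-like stepping, bytes that never change). This is an added example, not code from the paper or the blog; it assumes 32-bit UNs pulled from a transaction log as integers, and the sample sequences are constructed.

```python
"""Flag EMV unpredictable numbers (UNs) that look predictable.

Added illustration; not from the paper or blog post. Input is a list of
32-bit UNs in the order a terminal issued them (constructed samples below).
"""
from collections import Counter


def audit_uns(uns):
    """Return a dict of findings; an empty dict means nothing suspicious."""
    findings = {}
    if len(uns) < 2:
        return findings

    # A fresh UN per transaction should never repeat within one log.
    counts = Counter(uns)
    repeats = {u: c for u, c in counts.items() if c > 1}
    if repeats:
        findings["repeated_values"] = repeats

    # Counter-style generation: every successive pair differs by the same step.
    deltas = {(b - a) & 0xFFFFFFFF for a, b in zip(uns, uns[1:])}
    if len(deltas) == 1:
        findings["constant_delta"] = deltas.pop()

    # Byte positions that never change contribute no entropy at all.
    fixed = []
    for byte in range(4):
        vals = {(u >> (8 * byte)) & 0xFF for u in uns}
        if len(vals) == 1:
            fixed.append(byte)
    if fixed:
        findings["fixed_bytes"] = fixed

    return findings


# Constructed sample logs (hypothetical values, not real terminal data).
COUNTER_TERMINAL = [0x00001000, 0x00001001, 0x00001002, 0x00001003]
HEALTHY_TERMINAL = [0x9F3A21C4, 0x0B7E5D12, 0xE1490A77, 0x5C2D8B39]

if __name__ == "__main__":
    print("counter terminal:", audit_uns(COUNTER_TERMINAL))
    print("healthy terminal:", audit_uns(HEALTHY_TERMINAL))
```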

Posted on September 11, 2012 at 12:38 PM

E-Mail Accounts More Valuable than Bank Accounts

This informal survey produced the following result: “45% of the users found their email accounts more valuable than their bank accounts.”

The author believes this is evidence of some sophisticated security reasoning on the part of users:

From a security standpoint, I can’t agree more with these people. Email accounts are used most commonly to reset other websites’ account passwords, so if it gets compromised, the others will fall like dominos.

I disagree. I think something a lot simpler is going on. People believe that if their bank account is hacked, the bank will help them clean up the mess and they’ll get their money back. And in most cases, they will. They know that if their e-mail is hacked, all the damage will be theirs to deal with. I think this is public opinion reflecting reality.

Posted on June 26, 2012 at 1:57 PM

Economic Analysis of Bank Robberies

Yes, it’s clever:

The basic problem is the average haul from a bank job: for the three-year period, it was only £20,330.50 (~$31,613). And it gets worse, as the average robbery involved 1.6 thieves. So the authors conclude, “The return on an average bank robbery is, frankly, rubbish. It is not unimaginable wealth. It is a very modest £12,706.60 per person per raid.”

“Given that the average UK wage for those in full-time employment is around £26,000, it will give him a modest life-style for no more than 6 months,” the authors note. If a robber keeps hitting banks at a rate sufficient to maintain that modest lifestyle, by a year and a half into their career, odds are better than not they’ll have been caught. “As a profitable occupation, bank robbery leaves a lot to be desired.”

Worse still, the success of a robbery was a bit like winning the lottery, as the standard deviation on the £20,330.50 was £53,510.20. That means some robbers did far better than average, but it also means that fully a third of robberies failed entirely.

(If, at this point, you’re thinking that the UK is just a poor location for the bank robbery industry, think again, as the authors use FBI figures to determine that the average heist in the States only nets $4,330.00.)

There are ways to increase your chance of getting a larger haul. “Every extra member of the gang raises the expected value of the robbery proceeds by £9,033.20, on average and other things being equal,” the authors note. Brandishing some sort of firearm adds another £10,300.50, “again on average and other things being equal.”

We all kind of knew this—that’s why most of us aren’t bank robbers. The interesting question, at least to me, is why anyone is a bank robber. Why do people do things that, by any rational economic analysis, are irrational?

The answer is that people are terrible at figuring this sort of stuff out. They’re terrible at estimating the probability that any of their endeavors will succeed, and they’re terrible at estimating what their reward will be if they do succeed. There is a lot of research supporting this, but the most recent—and entertaining—thing on the topic I’ve seen recently is this TED talk by Daniel Gilbert.

Note the bonus discussion of terrorism at the very end.

EDITED TO ADD (7/14): Bank robbery and the Dunning-Kruger effect.

Posted on June 22, 2012 at 7:20 AM

Cybercrime as a Tragedy of the Commons

Two very interesting points in this essay on cybercrime. The first is that cybercrime isn’t as big a problem as conventional wisdom makes it out to be.

We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority. Spamming, stealing passwords or pillaging bank accounts might appear a perfect business. Cybercriminals can be thousands of miles from the scene of the crime, they can download everything they need online, and there’s little training or capital outlay required. Almost anyone can do it.

Well, not really. Structurally, the economics of cybercrimes like spam and password-stealing are the same as those of fishing. Economics long ago established that common-access resources make for bad business opportunities. No matter how large the original opportunity, new entrants continue to arrive, driving the average return ever downward. Just as unregulated fish stocks are driven to exhaustion, there is never enough “easy money” to go around.

The second is that exaggerating the effects of cybercrime is a direct result of how the estimates are generated.

For one thing, in numeric surveys, errors are almost always upward: since the amounts of estimated losses must be positive, there’s no limit on the upside, but zero is a hard limit on the downside. As a consequence, respondent errors—or outright lies—cannot be canceled out. Even worse, errors get amplified when researchers scale between the survey group and the overall population.

Suppose we asked 5,000 people to report their cybercrime losses, which we will then extrapolate over a population of 200 million. Every dollar claimed gets multiplied by 40,000. A single individual who falsely claims $25,000 in losses adds a spurious $1 billion to the estimate. And since no one can claim negative losses, the error can’t be canceled.

[…]

A cybercrime where profits are slim and competition is ruthless also offers simple explanations of facts that are otherwise puzzling. Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.

Posted on May 2, 2012 at 7:10 AM