Will You Ever Use Your ATM Again?
Presented by: Bob Clary, Carolyn McLellan, Jane Mosher, Karen Weil-Yates
Top 10 Quick Facts
1 new ATM installed every 5 minutes
ATM fraud in US approximately $50M/ year
1.2M ATMs installed worldwide
ATM is equal in importance to cell phones & email
Total cost of fraud is 4x actual amount of $$ taken
281,000 customers affected
Fraud growth rate is up to 35%/year
Soft target/low risk to criminals
Impossible to ID criminals (often not prosecuted)
New gang-oriented activity
Information on Cryptology Failures
Not published or advertised
Compare to airline crashes: team of investigators, accountability, fix the problem
How can you fix the problem if you don’t know there was a problem?
If you can’t investigate the steps that led to a security breach, how can you analyze it?
Investigation of ATM Security
Banking industry is the largest business after government
How can you prove you did NOT withdraw funds from your bank?
PIN security assumptions:
Magnetic stripe on bank card contains account number
PIN is derived by encrypting the account number and using only 4 digits
Weakness of ATM
Magnetic stripe: easily captured (card skimming)
How PINs Were Derived
Used DES to calculate a natural PIN; offset added
No real cryptographic function; lets customers choose their own PINs
DES key can be compromised in 22 hrs
Many banks now using triple-DES
Equipment and software compatibility with DES
Estimated time of compromise is 200 trillion years if no paper trail
Example:
Account number: 8807012345691715
PIN key: FEFEFEFEFEFEFEFE
Result of DES: A2CE126C69AEC82D
Result in decimal form: 0224126269042823
Natural PIN: 0224
Offset: 6565
Customer PIN: 6789
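An added example, not from the slides, that carries the worked figures above through in Go with the standard library's crypto/des. It assumes the standard IBM decimalization table (hex A-F read as 0-5), which is how the slide's hex result becomes its decimal form, and adds the reverse step a bank needs when a customer chooses their own PIN; the function names are mine.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"strings"
)

// naturalPIN decimalizes the 16-hex-digit DES output with the classic IBM table
// (0-9 stay, A-F become 0-5, so A2CE126C69AEC82D reads 0224126269042823) and
// keeps the first four digits: 0224 in the slide's example.
func naturalPIN(hexBlock string) string {
	out := []byte(strings.ToUpper(hexBlock))
	for i, c := range out {
		if c >= 'A' && c <= 'F' {
			out[i] = '0' + (c - 'A')
		}
	}
	return string(out[:4])
}

// addDigits adds (sign=+1) or subtracts (sign=-1) two PIN strings digit by digit
// modulo 10 with no carry: the "offset" step, which is arithmetic, not cryptography.
func addDigits(a, b string, sign int) string {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = '0' + byte(((int(a[i]-'0')+sign*int(b[i]-'0'))%10+10)%10)
	}
	return string(out)
}

// applyOffset is the host-side check (natural 0224 + offset 6565 = customer PIN 6789);
// offsetFor is the bank's reverse step, the offset stored when a customer picks a PIN.
func applyOffset(natural, offset string) string { return addDigits(natural, offset, 1) }
func offsetFor(natural, chosen string) string { return addDigits(chosen, natural, -1) }

// desBlockHex encrypts the 16-digit account number (read as 8 bytes of hex) under
// the PIN key with single DES and returns the 64-bit result as upper-case hex.
func desBlockHex(accountHex, keyHex string) (string, error) {
	key, kerr := hex.DecodeString(keyHex)
	acct, aerr := hex.DecodeString(accountHex)
	if kerr != nil || aerr != nil || len(acct) != 8 || len(key) != 8 {
		return "", errors.New("account and key must each be 16 hex digits")
	}
	blk, _ := des.NewCipher(key) // cannot fail once the key is 8 bytes
	out := make([]byte, 8)
	blk.Encrypt(out, acct) // the slide's worked example reports A2CE126C69AEC82D here
	return strings.ToUpper(hex.EncodeToString(out)), nil
}
```

Because the offset step is plain digit arithmetic, anyone holding the natural PIN and the offset holds the customer PIN; all of the secrecy rests on the PIN key.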
DES
56-bit key
Considered secure until Jan 1999: 22 hours to break
DES cracker available online for $200,000
ATMs vulnerable
Security Breaches
Inside (most threats)
Outside
Inside Security Breaches
Bank clerk issues two cards: one for customer, one for self
Bank had a policy that ATM withdrawals with receipts did not show up on customer statement
ATM has computer attached that captures PINs and account numbers
Tellers issued ATM cards that can debit any customer account, for use when tellers ran out of cash
Loss of dual control security measures to cut down on costs
Outside Security Breaches
Testing programs not deleted
Vending machines that take ATM cards: record PINs and account numbers, sending data by modem to thieves
Can buy used ATMs: like a used computer with all the software included
Why 4 Digit PINs?
With standard usage: 1 in 10,000 chance of discovering PIN
With 3 tries, then access denied and card confiscated: chance of discovery is now 1 in 3,333
Ways security is decreased:
Offline ATMs and POS devices without full encryption
Mathematical calculation of PINs
Credit card: Digit 1 + Digit 4 = Digit 2 + Digit 3
Debit card (same bank): Digit 1 + Digit 3 = Digit 2 + Digit 4
Can use mathematical formula to cut down on possible combinations, e.g. PIN 4455
Discovering PINs
Banks suggesting ways for persons to remember PINs (other than writing down)
Ex: 2256
Increased odds of discovery from 1 in 3,333 to 1 in 8
1 2 3 4 5 6 7 8 9 0
r b j g f l m j c p
o l e l o a i a r u
a c e t u o r i c u
e h d n m e k y d g
Discovering PINs
Programming: bank issued same PIN to everyone
Only 3 variations of PINs used, then forged
Random PINs (not encrypted from account number) or customer-selected PINs: bank file holding PINs
If same encrypted version of PIN used, programmer can search account database for users with same PIN
Banks writing encrypted PIN to card stripe: change account number on your own card to that of target and use with your own PIN
How ATM Encryption Should Work
Review DES encryption
PIN key must be kept secret
Terminal key at each ATM, carried to each branch by two separate officials
Input at ATM keyboard; combined to form key
PIN key encrypted under terminal key, sent to ATM by bank’s central computer
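An added Go example, not the deck's own code, of the key-loading procedure the slide describes: the terminal key is split into two components so that each official carries one, the ATM combines them, and the central computer sends the PIN key encrypted under that terminal key. The XOR split, the single-DES-block wrapping and all function names are assumptions for illustration; the slide only says the components are "combined".

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"errors"
)

// splitKey is the bank's side of dual control: two random-looking 8-byte components that XOR back to the terminal key.
func splitKey(terminalKey []byte) (compA, compB []byte, err error) {
	compA = make([]byte, 8)
	if _, err = rand.Read(compA); err != nil {
		return nil, nil, err
	}
	compB, err = combineComponents(terminalKey, compA) // rejects a non-8-byte key
	return compA, compB, err
}

// combineComponents is what the ATM does after both officials have keyed in their
// component: XOR them to form the terminal key, which then lives only in the ATM.
func combineComponents(compA, compB []byte) ([]byte, error) {
	if len(compA) != 8 || len(compB) != 8 {
		return nil, errors.New("each component must be 8 bytes")
	}
	key := make([]byte, 8)
	for i := range key {
		key[i] = compA[i] ^ compB[i]
	}
	return key, nil
}

// desBlock runs one DES block operation under key: decrypt=false wraps, true unwraps.
func desBlock(key, in []byte, decrypt bool) ([]byte, error) {
	c, err := des.NewCipher(key)
	if err != nil || len(in) != 8 {
		return nil, errors.New("key and block must both be 8 bytes")
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// wrapPINKey: the central computer encrypts the PIN key under the terminal key
// before sending it; unwrapPINKey: the ATM recovers it with the combined key.
func wrapPINKey(tk, pinKey []byte) ([]byte, error) { return desBlock(tk, pinKey, false) }
func unwrapPINKey(tk, wrapped []byte) ([]byte, error) { return desBlock(tk, wrapped, true) }
```

Either component on its own is uniformly random, so an official who sees only one learns nothing about the terminal key or the PIN key wrapped under it.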
How Are All These Keys Kept Secure?
PC in a safe with security module
Manages all bank’s keys and PINs
Programmers only see encrypted PINs
Requires special hardware devices: expensive; time-consuming to install security modules; not provided for some equipment
No special security modules: control through software
Programmers now have more information; they can find PIN key
Poor Implementation of Security
Response codes for incoming transactions: are they monitored, logged, analyzed?
Subcontracting ATMs and giving contractor PIN key
PIN keys shared between banks
Poor key management: no dual control; keys kept in files rather than locked up; no documented procedures for handling keys
Triple DES
Current implementation: two 56-bit keys, encrypt-decrypt-encrypt model
KL (Key Left) DES encryption
KR (Key Right) DES decryption
KL encrypts again
Estimated 200 trillion years to crack
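An added Go example, not from the slides, that builds the encrypt-decrypt-encrypt model above from single DES operations and checks it against the standard library's 3DES. It also shows where the DES compatibility mentioned on the "How PINs Were Derived" slide comes from: with KL equal to KR the middle decryption cancels the first encryption and the result is plain single DES. Key and block values are constructed samples.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
)

// Constructed sample keys and a sample block (the slide's account number as 8 bytes).
var sampleKL = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}
var sampleKR = []byte{0x5A, 0x7E, 0x13, 0xC9, 0x8D, 0x04, 0xB6, 0x2F}
var sampleBlock = []byte{0x88, 0x07, 0x01, 0x23, 0x45, 0x69, 0x17, 0x15}

// mustCipher wraps des.NewCipher; a wrong-length DES key here is a programming error.
func mustCipher(key []byte) cipher.Block {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return c
}

// ede is the slide's encrypt-decrypt-encrypt model one DES step at a time: KL encrypts, KR decrypts, KL encrypts again.
func ede(kl, kr, block []byte) []byte {
	left, right := mustCipher(kl), mustCipher(kr)
	out := make([]byte, 8)
	left.Encrypt(out, block) // E under KL
	right.Decrypt(out, out)  // D under KR
	left.Encrypt(out, out)   // E under KL again
	return out
}

// tripleDES uses the library 3DES with the two-key layout KL||KR||KL, which is
// how a two-key triple-DES key is presented to a 24-byte 3DES implementation.
func tripleDES(kl, kr, block []byte) []byte {
	key := append(append(append([]byte{}, kl...), kr...), kl...)
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// singleDES is plain DES, the legacy operation a 3DES device matches by setting KL == KR.
func singleDES(key, block []byte) []byte {
	out := make([]byte, 8)
	mustCipher(key).Encrypt(out, block)
	return out
}
```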
Secure Key Management
All DES keys are safe if used only once & discarded
Keys are stored in two other states: host’s memory or database; transmission over networks
Vulnerable when stored or transmitted outside the HSM (hardware or host security module)
Triple DES keys are stored as two DES keys (KL and KR) side-by-side in a database
Access to HSM shared among other systems attached to the host
Independent DES keys can be “attacked”
Secure Key Management
Solution (everywhere but US): EMV standard (EuroPay, MasterCard, Visa)
SmartCard (with a chip), January 2005
Bank Smart Cards
Transaction using a chip & terminal
Reduces counterfeiting due to complexity & expense
Can work with HSM
Future Enhancements of EMV/Smart Card
Biometric capacity: iris scanning, fingerprinting, voice recognition
Backwards compatible (magnetic stripes)