Will You Ever Use Your ATM Again? Presented by: Bob Clary Carolyn McLellan Jane Mosher Karen Weil-Yates


Page 1: Will You Ever Use Your ATM Again? Presented by: Bob Clary Carolyn McLellan Jane Mosher Karen Weil-Yates.

Will You Ever Use Your ATM Again?

Presented by: Bob Clary, Carolyn McLellan, Jane Mosher, Karen Weil-Yates

Page 2:

Top 10 Quick Facts

1 new ATM installed every 5 minutes

ATM fraud in the US is approximately $50M/year

1.2M ATMs installed worldwide

ATM is equal in importance to cell phones & email

Total cost of fraud is 4x the actual amount of money taken

281,000 customers affected

Fraud growth rate is up to 35%/year

Soft target/low risk to criminals

Impossible to ID criminals (often not prosecuted)

New gang-oriented activity

Page 3:

Information on Cryptology Failures

Not published or advertised

Compare to airline crashes: team of investigators, accountability, fix the problem

How can you fix the problem if you don’t know there was a problem?

If you can’t investigate the steps that led to a security breach, how can you analyze it?

Page 4:

Investigation of ATM Security

Banking industry is the largest business after government

How can you prove you did NOT withdraw funds from your bank?

PIN security assumptions:

  Magnetic stripe on bank card contains the account number

  PIN is derived by encrypting the account number and using only 4 digits of the result

Page 5:

Weakness of ATM

Magnetic stripe: easily captured (card skimming)

Page 6:

How PINs Were Derived

Used DES to calculate a natural PIN; an offset is then added

  The offset has no real cryptographic function; it lets customers choose their own PINs

DES key can be compromised in 22 hrs

Many banks now using triple-DES

  Equipment and software compatibility with DES

  Estimated time of compromise is 200 trillion years if no paper trail

Example:

  Account number: 8807012345691715

  PIN key: FEFEFEFEFEFEFEFE

  Result of DES: A2CE126C69AEC82D

  Result in decimal form: 0224126269042823

  Natural PIN: 0224

  Offset: 6565

  Customer PIN: 6789

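The natural-PIN and offset arithmetic of the example above, as an added Python example that is not part of the slides: the DES output is taken from the slide's own figures (the standard library has no DES), and the decimalization table and function names are my own assumptions about the scheme.

```python
# Added example (not from the slides): natural PIN + offset derivation as
# described in the deck. Python's standard library has no DES, so the DES
# output below is the slide's own value rather than one computed here.

# Assumed decimalization table: digits map to themselves, A-F map to 0-5.
DECIMALIZATION_TABLE = str.maketrans("0123456789ABCDEF", "0123456789012345")

def decimalize(des_output_hex: str) -> str:
    """Map each hex digit of the DES output to a decimal digit."""
    return des_output_hex.upper().translate(DECIMALIZATION_TABLE)

def natural_pin(des_output_hex: str, length: int = 4) -> str:
    """The natural PIN is the first `length` decimalized digits."""
    return decimalize(des_output_hex)[:length]

def add_offset(natural: str, offset: str) -> str:
    """Customer PIN = natural PIN + offset, digit by digit, modulo 10 (no carry)."""
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))

def offset_for(natural: str, chosen: str) -> str:
    """Offset the bank stores so that a customer-chosen PIN verifies.
    The offset is not secret: it carries no cryptographic strength of its own."""
    return "".join(str((int(c) - int(n)) % 10) for n, c in zip(natural, chosen))

def verify_pin(des_output_hex: str, offset: str, entered: str) -> bool:
    """Host-side check at transaction time: entered PIN == natural PIN + offset."""
    return add_offset(natural_pin(des_output_hex), offset) == entered

# Values from the slide's own example (constructed data in the deck itself)
ACCOUNT_NUMBER = "8807012345691715"
PIN_KEY = "FEFEFEFEFEFEFEFE"          # DES key used by the bank, per the slide
DES_OUTPUT = "A2CE126C69AEC82D"       # DES(PIN_KEY, ACCOUNT_NUMBER), per the slide
OFFSET = "6565"

if __name__ == "__main__":
    print("decimalized  :", decimalize(DES_OUTPUT))                   # 0224126269042823
    print("natural PIN  :", natural_pin(DES_OUTPUT))                  # 0224
    print("customer PIN :", add_offset(natural_pin(DES_OUTPUT), OFFSET))  # 6789
    print("offset for 6789:", offset_for("0224", "6789"))             # 6565
    print("verify 6789  :", verify_pin(DES_OUTPUT, OFFSET, "6789"))   # True
```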

Page 7:

DES

56-bit key

Considered secure until Jan 1999: 22 hours to break

DES cracker available online for $200,000

ATMs vulnerable

Page 8:

Security Breaches

Inside (most threats)

Outside

Page 9:

Inside Security Breaches

Bank clerk issues two cards: one for the customer, one for self

Bank had a policy that ATM withdrawals with receipts did not show up on the customer statement

ATM has a computer attached that captures PINs and account numbers

Tellers issued ATM cards that can debit any customer account, for use when tellers ran out of cash

Loss of dual-control security measures to cut down on costs

Page 10:

Outside Security Breaches

Testing programs not deleted

Vending machines that take ATM cards: record PINs and account numbers, sending the data by modem to thieves

Can buy used ATMs: like a used computer with all the software included

Page 11:

Why 4 Digit PINs?

With standard usage: 1 in 10,000 chance of discovering the PIN

With 3 tries, access denied and card confiscated: now chance of discovery is 1 in 3,333

Ways security is decreased:

  Offline ATMs and POS devices without full encryption

  Mathematical calculation of PINs:

    Credit card: Digit 1 + Digit 4 = Digit 2 + Digit 3

    Debit card (same bank): Digit 1 + Digit 3 = Digit 2 + Digit 4

  Can use the mathematical formula to cut down on possible combinations. Ex: PIN 4455
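An added Python example (not from the slides) that counts how many 4-digit PINs obey each rule quoted above, to show how far such a rule shrinks the space a bank's 3-try lockout is meant to protect; the function names are my own.

```python
# Added example (not from the slides): measure the effective PIN space under
# the two structural rules quoted on the slide, and the odds of a 3-try guess.
from itertools import product

def credit_rule(d) -> bool:
    """Credit card rule from the slide: digit 1 + digit 4 == digit 2 + digit 3."""
    return d[0] + d[3] == d[1] + d[2]

def debit_rule(d) -> bool:
    """Debit card rule from the slide: digit 1 + digit 3 == digit 2 + digit 4."""
    return d[0] + d[2] == d[1] + d[3]

def satisfies(pin: str, rule) -> bool:
    """True if a 4-digit PIN string obeys the given rule."""
    return len(pin) == 4 and pin.isdigit() and rule([int(c) for c in pin])

def pin_space(rule) -> int:
    """Number of 4-digit PINs (out of 10,000) that obey the rule."""
    return sum(1 for d in product(range(10), repeat=4) if rule(d))

def guess_odds(space: int, tries: int = 3) -> float:
    """Chance that `tries` guesses hit a PIN drawn uniformly from `space` values."""
    return tries / space

if __name__ == "__main__":
    print("4455 obeys credit rule:", satisfies("4455", credit_rule))  # True: 4+5 == 4+5
    print("no rule: 10000 PINs, 3 guesses = 1 in %.0f" % (1 / guess_odds(10000)))
    for name, rule in (("credit", credit_rule), ("debit", debit_rule)):
        n = pin_space(rule)
        print(f"{name} rule: {n} PINs, 3 guesses = 1 in {1 / guess_odds(n):.0f}")
```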

Page 12:

Discovering PINs

Banks suggesting ways for persons to remember PINs (other than writing them down)

Ex: 2256 increased the odds of discovery from 1 in 3,333 to 1 in 8

1 2 3 4 5 6 7 8 9 0

r b j g f l m j c p

o l e l o a i a r u

a c e t u o r i c u

e h d n m e k y d g

Page 13:

Discovering PINs

Programming: bank issued the same PIN to everyone; only 3 variations of PINs used, then forged

Random PINs (not encrypted from the account number) or customer-selected PINs: bank file holding PINs; if the same encrypted version of a PIN is used, a programmer can search the account database for users with the same PIN

Banks writing the encrypted PIN to the card stripe: change the account number on your own card to that of the target and use it with your own PIN

Page 14:

How ATM Encryption Should Work

Review DES encryption: the PIN key must be kept secret

Terminal key at each ATM, carried to each branch by two separate officials; input at the ATM keyboard; combined to form the key

PIN key encrypted under the terminal key, sent to the ATM by the bank’s central computer

Page 15:

How Are All These Keys Kept Secure?

PC in a safe with a security module: manages all the bank’s keys and PINs; programmers only see encrypted PINs; requires special hardware devices

Expensive and time-consuming to install security modules; not provided for some equipment

No special security modules: control through software; programmers now have more information and can find the PIN key

Page 16:

Poor Implementation of Security

Response codes for incoming transactions: are they monitored, logged, analyzed?

Subcontracting ATMs and giving the contractor the PIN key

PIN keys shared between banks

Poor key management: no dual control; keys kept in files rather than locked up; no documented procedures for handling keys

Page 17:

Triple DES

Current implementation: two 56-bit keys

Encrypt-decrypt-encrypt model: KL (Key Left) DES encryption; KR (Key Right) DES decryption; KL encrypts again

Estimated 200 trillion years to crack

Page 18:

Secure Key Management

All DES keys are safe if used only once & discarded

Keys are stored in two other states: the host’s memory or database, and transmission over networks

Vulnerable when stored or transmitted outside the HSM (hardware or host security module)

Page 19:

Secure Key Management

Triple DES keys are stored as two DES keys (KL and KR), side-by-side in a database

Access to the HSM is shared among other systems attached to the host

Independent DES keys can be “attacked”

Page 20:

Solution (Everywhere But US)

EMV Standard: EuroPay, MasterCard, Visa

SmartCard (with a chip)

January 2005

Page 21:

Bank Smart Cards

Transaction using a chip & terminal

Reduces counterfeiting due to complexity & expense

Can work with HSM

Page 22:

Future Enhancements of EMV/Smart Card

Biometric capacity: iris scanning, fingerprinting, voice recognition

Backwards compatible (magnetic stripes)
