Forgot your password?
typodupeerror
Encryption Security

Citibank Tries to Hush ATM Crypto Vulnerability 410

Posted by michael
from the be-vewwy-vewwy-qweit dept.
palme999 writes "Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions. The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers accounts because they claim their systems are secure."
This discussion has been archived. No new comments can be posted.

Citibank Tries to Hush ATM Crypto Vulnerability

Comments Filter:
  • by Anonymous Coward on Friday February 21, 2003 @04:05PM (#5355194)
    From The Register [theregister.co.uk].
  • by Lxy (80823) on Friday February 21, 2003 @04:07PM (#5355223) Journal
    The ATMs I've seen are POTS lines. The older machines actually dial up to somewhere, the newer ones either found a better way to do it or turned off the modem speaker. As for what's being done I don't know, but doing RSA over PPP sounds like a decent, flexible option.
  • right to know (Score:5, Informative)

    by dougnaka (631080) on Friday February 21, 2003 @04:08PM (#5355246) Homepage Journal
    The statements made by Citibank regarding their security can only be trusted as far as they are independently evaluated. Consumers in general, and especially Americans, rely far too heavily on a companies claims. If a company makes false claims these days they often simply ignore the facts, and that enough is wrong. But when someone comes out with evidence that a company is making false claims, and the company tries to silence them? That is outright immoral, and should be illegal.

    Why is it they can even try things like this without massive public backlash? They would be far better off accepting the "new" information, and promising to work hard to always keep their systems secure.

    I'm sure certian companies [microsoft.com] would love to see legal actions like this get upheld by a court.... Oh well, I guess we can always move to Norway... I wonder if they'd let me live on sealand [sealandgov.com] once all my rights are gone here...

  • by UberLord (631313) on Friday February 21, 2003 @04:14PM (#5355319) Homepage
    http://www.theregister.co.uk/content/55/29425.html

    The Register is running a story with more content

    Which also explains in laymans terms how the two guys in the submitted link went about working out the vulnerability
  • ATM with an eye (Score:5, Informative)

    by doubtless (267357) on Friday February 21, 2003 @04:15PM (#5355328) Homepage
    I believe that in some countries banks actually install a camera in every ATM they own. They simply take a video or a snapshot of the person making transaction with the machine.

    I think this is pretty good idea to record frauds, false claims, and extortions in front of the machine. Personally I don't have a privacy issue in this case.
  • by chiph (523845) on Friday February 21, 2003 @04:16PM (#5355342)
    These attacks defeat machines such as the Racal RG7000 and the IBM 4758/CCA which are commonly used to protect the PINs and keys used in automatic teller machines.

    While the IBM 4758 has been cracked before [slashdot.org], it's not something that someone can do on their lunch break. What I suspect is being cracked is the little desktop unit that the customer service rep spins around for you to enter your PIN when you sign up for ATM service.

    Chip H.
  • Re:They Can't (Score:2, Informative)

    by SquadBoy (167263) on Friday February 21, 2003 @04:18PM (#5355354) Homepage Journal
    The parent poster of course knew this fact. :)

    Now think for a minute about what s/he was trying to say. :)
  • by skintigh2 (456496) on Friday February 21, 2003 @04:18PM (#5355359)
    http://www.theregister.co.uk/content/55/29425.html

    Sorry, HTML formatting doesn't seem to be working...
  • by greechneb (574646) on Friday February 21, 2003 @04:18PM (#5355363) Homepage Journal
    Basically, there are two options for an ATM,

    Either POTS (plain old telephone service) with a modem dialing in to a service provider, whether it be the bank itself, or outsourced.

    or Leased Line - always connected to the service provider.

    Encryption is going towards all triple DES encryption within the next year. The ATMs that I have been dealing with all run a form of OS2 for the operating system.

    The majority of ATMs just have a dial up line that is set to block incoming calls, so the only connection is being made from the ATM to the service provider.
  • by cetan (61150) on Friday February 21, 2003 @04:20PM (#5355375) Journal
    How about this:

    http://www.phule.net/mirrors/pacc.htm [phule.net]

    for formatting? :)
  • Link to PDF (Score:2, Informative)

    by FlyingCarrot (181545) on Friday February 21, 2003 @04:22PM (#5355390)
    Link to PDF given in page

    Link to PDF [cam.ac.uk]
  • by doubtless (267357) on Friday February 21, 2003 @04:24PM (#5355407) Homepage
    Well, taken from http://www.sophos.com/support/faqs/savos2.html [sophos.com]:

    There are no OS/2 specific viruses in circulation but OS/2 computers can still be affected:

    * Macro viruses that infect Word, Excel and other Windows mode applications can spread as usual.
    * Boot sector viruses can affect the master boot sector, the OS/2 boot sector and the Boot Manager.
    * DOS executable file viruses can run on OS/2 systems and infect other DOS executables.
    * Any type of file can be stored on an OS/2 server and could infect a vulnerable workstation.

    So yes, there are hacks that will affect OS/2, though they might not target OS/2 exclusively.
  • Re:This is SERIOUS (Score:5, Informative)

    by dachshund (300733) on Friday February 21, 2003 @04:24PM (#5355409)
    It now looks like some of these vulnerabilities have also been discovered by the bad guys.

    Of course, this isn't necessarily the case. Note that this particular scheme would require a insider in the bank with access to the pin-verification system. Until somebody verifies that, or at least combs through the logs to look for patterns of suspicious PIN guessing, any connection between the increase in phantom withdrawals and this vulnerability is pure speculation.

  • by purduephotog (218304) <[moc.tibroni] [ta] [hcsrih]> on Friday February 21, 2003 @04:26PM (#5355431) Homepage Journal


    Updated 20 February 2003


    18 February 2003



    To: ukcrypto@chiark.greenend.org.uk
    Subject: Citibank tries to gag crypto bug disclosure
    Date: Thu, 20 Feb 2003 09:57:34 +0000
    From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

    Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities:

    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_g ag.pdf [cam.ac.uk]

    I have written to the judge opposing the order:

    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_r esponse.pdf [cam.ac.uk]

    The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines:

    http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560 .pdf [cam.ac.uk]

    These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike
    and I were working as expert witnesses on a `phantom withdrawal' case.

    The vulnerabilities are also scientifically interesting:

    http://cryptome.org/pacc.htm [cryptome.org]

    For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in
    many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers.

    Curiously enough, Citi was also the bank in the case that set US law on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's
    an omen, if not a precedent ...
    _____

    Abstract

    We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures. By using adaptive decimalisation tables and guesses, the
    maximum amount of information is learnt about the true PIN upon each guess.
    It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. In a single 30 minute
    lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw $30{50 thousand of this each day. This attack thus presents a serious threat to bank security.

    -- Mike Bond and Piotr Zielinski
    Decimalisation table attacks for PIN cracking [cam.ac.uk]
    February 2003

    -----

    From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
    To: ukcrypto@chiark.greenend.org.uk
    Subject: Yet another failure of commercial cryptographic equipment
    Date: Tue, 18 Feb 2003 17:52:13 +0000

    I gave a talk at Cambridge yesterday in which I described a new and interesting family of attacks on cryptographic equipment. These attacks defeat machines such as the Racal RG7000 and the IBM 4758/CCA which are commonly used to protect the PINs and keys used in automatic teller machines.

    The paper is available online at:

    http://research.microsoft.com/~aherbert/volume63.p df [microsoft.com] [4.8MB]

    as pages 27-30 in the PDF. [HTML below]

    I got a fax yesterday informing me that an application is to be brought in the High Court, it seems by Citibank, on Thursday 20th February for `relief in relation to the protection of nformation which they accept as being confidential and which ought not to be in the public domain.'

    I hope that no English court would go so far as to censor already published material. However, one just can't tell these days ...



    Protocol Analysis, Composability and Computation


    Ross Anderson, Michael Bond

    University of Cambridge, England



    Security protocols early days


    The study of security protocols has been associated with Roger Needham since 1978, when he published the seminal paper on the subject with Mike Schroeder [1]. The problem they investigated was how to distribute cryptographic keys in a network of computers. One solution is to have an authentication service with which all the principals share a key; then if Alice wants to chat with Bob (for example) she can call the service and get two encrypted messages containing the same session key one encrypted under the key she shares with the service so she can read it, and one encrypted under the key Bob
    shares with the service so Bob can read it. She can now send the second of these to Bob to establish secure communication. The mechanism that Needham and Schroeder designed for this evolved into Kerberos, which is now part of Windows and is probably the most widely used of all uthentication protocols.


    Security protocols are now embedded in a great many applications, but it is common to find unexpected bugs in them. For example, many banks used to encrypt each customers PIN using a key known to their ATMs and write it on the ATM card magnetic strip. The idea was to provide a limited service when the network was down. Years later, a villain discovered that the account number and the encrypted PIN were not linked: he could make up a bank card with his own encrypted PIN but someone elses account number, and loot their account. He went on to steal a lot of money, and once in prison wrote a manual telling everyone else how to do it too. The banks had to spend millions on changing their systems.


    Clarifying the assumptions


    Researchers started to gnaw away at the protocols described in the literature and found fault with essentially all of them. The failure to bind protocol elements was one frequent problem; another was that old messages could be
    replayed. In the case of the original Needham-Schroeder protocol, for example, the freshness of the key generated by the server was guaranteed to only one of the principals. This was not necessarily an attack, as its inventors only
    claimed to protect honest insiders from dishonest outsiders. However, it led to a debate about the assumptions underlying security protocol design.
    Do we protect only against outsiders, or against insiders? Against the malicious, or the merely careless? For example, if we use timestamps to guarantee protocol freshness, are we vulnerable to principals who carelessly let their clocks
    run slow? Do we only consider an attacker to have won if he can impersonate an authorised principal, or do we need to stop people abusing the protocol
    mechanisms to perform a service denial attack?


    The early attacks led to a second seminal paper, which Roger wrote with Mike Burrows and Martin Abadi in 1989 [2], and which introduced a logic of
    authentication. This enables an analyst to formalise the assumptions and goals of a security protocol, and to attempt to prove its correctness. When a proof cannot be found, the place at which one gets stuck often shows where an attack can be mounted. This style of analysis turned out to be very powerful, and a large literature quickly developed in which the BAN Logic
    and other formal tools were developed and extended to tackle a range of problems in protocol design.


    One of the remarkable things about the study of security protocols is that they have not become a solved problem. One might think that managing the
    objects associated with authenticating users over a network passwords, keys and the like was a fairly compact problem which would have been done to death within a few years. However, the more we dig, the more we find.


    Since 1992, Roger has hosted a protocols workshop every Easter. Early events dwelled on matters of authentication and logic, but by the mid-90s, the growing interest in electronic commerce was yielding papers on mechanisms for micropayments, bets, streaming media, mobile communications and electronic voting. Later years brought work on PKI, trust management and copyright enforcement. More and more problems come along as more and more businesses reinvent themselves online; threat models have also become more realistic, with dishonest insiders displacing the mythical evil hacker on the Internet.


    Dishonest insiders, and the composition problem


    Over the last two years, we have been exploring exactly how one might re-engineer cryptography to cope with dishonest insiders. One conclusion is that the analysis of security protocols must be extended to application programming interfaces. This is because the crypto keys used in authentication and payment protocols are often kept in separate hardware security processors, or at least in cryptographic libraries, to which access can be restricted using physical or logical mechanisms. However, an interface has to be exposed to the application program, which will occasionally be suborned whether by a corrupt insider, or by malware. How much harm can be done, and how can we limit it?


    Protecting protocols was hard enough, and yet the typical protocol consists of 35 messages exposed to manipulation. The API of a modern crypto library or hardware cryptoprocessor may contain 30500 callable functions, many with a range of options. This provides a very rich and complex environment for mischief.


    Attacks often involve using two separate echanisms provided by the cryptoprocessor for different purposes, each of which could be innocuous by itself but which combine to cause trouble. For example, it is common to compute a customer PIN by encrypting the account number with a PIN
    derivation key: the cryptoprocessor then returns the PIN encrypted with a PIN storage key, so that the application has no access to its clear
    value. So far, so good. Then there is another transaction that can be used to encrypt a communications key under the terminal key loaded in an ATM. Here things start to go wrong, as the cryptoprocessor does not distinguish between a terminal key and a PIN derivation key; it considers them both to be of the same type. The upshot is that an attacker can supply the device
    with an account number, claiming that it is a communications key, and ask for it to be encrypted under the PIN derivation key.


    Attacks like this extend protocol analysis all the way to the composition problem the problem that connecting two systems that are secure in
    isolation can give a composite system that leaks. This had previously been seen as a separate issue, tackled with different conceptual tools.


    Differential protocol analysis


    We are now working on the second generation of API attacks, which exploit the application syntax supported by the cryptographic service. These attacks are even more powerful, and at least as interesting from the scientific point of view. PIN generation provides a neat example here too. In more detail, the standard PIN computation involves writing the result of the encryption as a hex string and decimalising it. As some banks like to let customers change their PIN to a more memorable number, there is a provision to add an offset to give the PIN that the customer actually enters:
    Account number: 8807 0123 4569 1715
    PIN derivation key: FEFE FEFE FEFE FEFE
    Encrypted account number: A2CE 126C 69AE C82D
    Natural (decimalised) PIN: 0224
    Offset: 6565
    Customer PIN: 6789


    The typical implementation requires the programmer to send the cryptoprocessor the account number, a table describing the decimalisation (here, 0123 4567 8901 2345) and the offset. The processor returns the PIN, encrypted under the PIN storage key. The designers do not seem to have realised that a crooked programmer can manipulate the decimalisation table and the offset as well as the account number. A multitude of attacks follow. For example, one can send in an account number with a decimalisation table of 1111...11 to find out the ciphertext corresponding to a clear PIN of 1111, and then with a decimalisation table of 0111...11 to see if there is a zero in the first four digits of the encrypted account number (if so, the PIN, and thus the ciphertext output, will be different). By manipulating the decimalisation table further,
    he can get all the digits in the PIN, and by then playing with the offset he can get their order. In total, the attack requires only 1525
    unprivileged cryptoprocessor transactions to discover the PIN on a single target account.


    This second type of attack takes protocol analysis into yet another realm: that of differential attacks. Over the last ten years, a number of techniques have been invented for attacking cryptographic systems by bombarding them with inputs with chosen differences.


    For example, in differential cryptanalysis, one analyses the changes in the output of the encryption algorithm; while with differential power analysis, one measures changes in the current consumption or electromagnetic emissions
    of the equipment. Now we have examples of how consecutive runs of a protocol can leak information if the inputs are suitably chosen. The resulting differential protocol analysis appears to be very powerful against
    application-level crypto.


    It will take us some time to figure out the general lessons to be drawn from attacks like this, the robustness principles that designers should use to avoid them, and the analysis techniques that might assure us of a particular
    designs soundness. The randomisation of all protocols (another feature of Rogers work) is likely to be important.


    Quantitative analysis and multiparty computation


    Various researchers have speculated about whether there might one day be a quantitative analysis of protocol security. This might be feasible for
    PIN processing applications as we can measure the information leakage per transaction in terms of the reduction of entropy in the unknown PIN. This
    leads in turn to a possible real-world application of an attack previously considered theoretical.


    Gus Simmons wrote extensively on covert channels in protocols. One such channel that is always present is the balking channel when one of the principals in a protocol signals something by halting and refusing to continue. This is normally considered unimportant as its information capacity is only a third of a bit per transaction. But with systems designed to cope
    with large transaction volumes, this need no longer hold. For example, a Trojanned cryptoprocessor could balk when it sees a redetermined PIN. If the PIN length were eight digits, this would be unlikely to hinder normal
    operation, but at a thousand transactions a second, a programmer could quickly find a number in a typical nine-digit account number range with just this PIN, and open an account for it. Once this kind of problem is appreciated, one can start to look for attacks that involve inducing rare error conditions that cause the cryptoprocessor to abort a transaction. (They exist.)


    A third emerging link is between protocol analysis and secure multiparty computation. In application-level crypto we may have several inputs to a computation, some of them coming from an untrusted source, and we have to
    stop users manipulating the computation to get outputs useful for bad purposes. In the PIN decimalisation example above, one might try to solve the problem by blocking tables such as 1111...11. Yet an attacker can get by with scarcely more work by using two normal-looking tables that differ slightly (another kind of differential attack). We might therefore think that if we cant sanitize the inputs to the computation, perhaps we can authenticate them,
    and use only those tables that real banks actually use. But building every bank in the world into our trust base is what we were trying to avoid by
    using cryptography!


    Conclusion


    The protocol work that started off a quarter of a century ago may have seemed at the time like a minor detail within the larger project of designing robust distributed systems. Yet it has already grown into the main unifying theme of security engineering. Application-level protocols, and especially those from which an attacker can harvest data over many runs, open up new problems.
    The resulting analysis techniques are set to invade the world of composable security, and the world of multiparty computation. The influence, and the consequences, of Rogers contribution just keep on growing.


    References


    1. NEEDHAM, R.M. AND SCHROEDER, R.M.,
    Using encryption [yale.edu]
    for authentication in large networks of computers. Comm. ACM, vol.
    21, no. 12, pp. 993-999, 1978.


    2. BURROWS, M. ABADI, M. AND NEEDHAM, R.M.,
    A [dec.com]
    logic of authentication, ACM Transactions on Computer Systems,
    vol. 8, no. 1, pp. 18-36, 1990.

  • by froth (466330) on Friday February 21, 2003 @04:28PM (#5355451)
    Everyone has mentioned that ATMs use POTS. This is true. But most of them use a dial-back feature to increase secuirty. They phone home (a pre-configured number, the only way to change this number is to physically open the ATM), hang up and wait for the return call. They will not answer unless they have called out first. ATMs are pretty damn secure.
  • by nweaver (113078) on Friday February 21, 2003 @04:39PM (#5355551) Homepage
    One major difference between the US and UK is the liability on phantom and fradulent transactions. In the US, the bank has to prove you performed the transaction. In the UK, you have to prove that you did NOT perform the transaction.

    This difference in liability results in vastly different response to vulnerabilities. In the US, a vulnerability like this is taken very seriously, and phantom transactions are tracked down as they cost the bank money. In the UK, since it is the customer left holding the bag, the banks just don't care until they are sued, and, when sued, will deny deny deny.

    This is a classic example of Citibank trying to cover up a problem, because it allows the customer, in court, to prove that the problem is Citibank's.
  • by Dudio (529949) on Friday February 21, 2003 @04:41PM (#5355572)
    Mostly it affects where banks choose your pin for you (which happens in the UK among other places) based upon a hash of your account number.

    While technically true, the catch is that this applies to a lot of PINs, even those chosen by the cardholder. When you set your own PIN, the bank just stores an offset that is used in conjunction with the autogenerated PIN. The vulnerability paper [cam.ac.uk] goes into this in section 3.
  • Judd vs. Citibank (Score:5, Informative)

    by SirWhoopass (108232) on Friday February 21, 2003 @04:42PM (#5355579)
    This is the best that I could find:

    http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/liabil ity.pdf [cam.ac.uk]


    From the linked PDF:

    The US is totally different; there, in the landmark court case Judd v Citibank

    [JC], Dorothy Judd claimed that she had not made a number of ATM with-
    drawals which Citibank had debited to her account; Citibank claimed that she
    must have done. The judge ruled that Citibank was wrong in law to claim that
    its systems were infallible, as this placed `an unmeetable burden of proof' on
    the plaintif. Since then, if a US bank customer disputes an electronic debit, the
    bank must refund the money within 30 days, unless it can prove that the claim
    is an attempted fraud.

    Basically, it says that the bank has the burden of proof in the United States, because the court decided it was unreasonable to have the customer "prove" a flaw within the bank's systems. The UK, however, is different. The customer has the burden of proof.

  • by JRHelgeson (576325) on Friday February 21, 2003 @04:45PM (#5355605) Homepage Journal
    Protocol Analysis, Composability and Computation

    Updated 20 February 2003

    18 February 2003

    To: ukcrypto@chiark.greenend.org.uk
    Subject: Citibank tries to gag crypto bug disclosure
    Date: Thu, 20 Feb 2003 09:57:34 +0000
    From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

    Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities:

    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_g ag.pdf [cam.ac.uk]

    I have written to the judge opposing the order:

    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_r esponse.pdf [cam.ac.uk]

    The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines:

    http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560 .pdf [cam.ac.uk]

    These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike and I were working as expert witnesses on a `phantom withdrawal' case.

    The vulnerabilities are also scientifically interesting:

    http://cryptome.org/pacc.htm [cryptome.org]

    For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers.

    Curiously enough, Citi was also the bank in the case that set US law on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's an omen, if not a precedent ...

    _____
    Abstract

    We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures. By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess. It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. In a single 30 minute lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw $30{50 thousand of this each day. This attack thus presents a serious threat to bank security.

    -- Mike Bond and Piotr Zielinski

    Decimalisation table attacks for PIN cracking [cam.ac.uk]

    February 2003

    -----

    From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
    To: ukcrypto@chiark.greenend.org.uk
    Subject: Yet another failure of commercial cryptographic equipment
    Date: Tue, 18 Feb 2003 17:52:13 +0000

    I gave a talk at Cambridge yesterday in which I described a new and interesting family of attacks on cryptographic equipment. These attacks defeat machines such as the Racal RG7000 and the IBM 4758/CCA which are commonly used to protect the PINs and keys used in automatic teller machines.

    The paper is available online at:

    http://research.microsoft.com/~aherbert/volume63.p df [microsoft.com] [4.8MB] (link appears to be broken)

    as pages 27-30 in the PDF. [HTML below]

    I got a fax yesterday informing me that an application is to be brought in the High Court, it seems by Citibank, on Thursday 20th February for `relief in relation to the protection of information which they accept as being confidential and which ought not to be in the public domain.'

    I hope that no English court would go so far as to censor already published material. However, one just can't tell these days ...

    Protocol Analysis, Composability and Computation

    Ross Anderson, Michael Bond
    University of Cambridge, England

    Security protocols early days

    The study of security protocols has been associated with Roger Needham since 1978, when he published the seminal paper on the subject with Mike Schroeder [1]. The problem they investigated was how to distribute cryptographic keys in a network of computers. One solution is to have an authentication service with which all the principals share a key; then if Alice wants to chat with Bob (for example) she can call the service and get two encrypted messages containing the same session key one encrypted under the key she shares with the service so she can read it, and one encrypted under the key Bob shares with the service so Bob can read it. She can now send the second of these to Bob to establish secure communication. The mechanism that Needham and Schroeder designed for this evolved into Kerberos, which is now part of Windows and is probably the most widely used of all authentication protocols.

    Security protocols are now embedded in a great many applications, but it is common to find unexpected bugs in them. For example, many banks used to encrypt each customers PIN using a key known to their ATMs and write it on the ATM card magnetic strip. The idea was to provide a limited service when the network was down. Years later, a villain discovered that the account number and the encrypted PIN were not linked: he could make up a bank card with his own encrypted PIN but someone elses account number, and loot their account. He went on to steal a lot of money, and once in prison wrote a manual telling everyone else how to do it too. The banks had to spend millions on changing their systems.

    Clarifying the assumptions

    Researchers started to gnaw away at the protocols described in the literature and found fault with essentially all of them. The failure to bind protocol elements was one frequent problem; another was that old messages could be replayed. In the case of the original Needham-Schroeder protocol, for example, the freshness of the key generated by the server was guaranteed to only one of the principals. This was not necessarily an attack, as its inventors only claimed to protect honest insiders from dishonest outsiders. However, it led to a debate about the assumptions underlying security protocol design. Do we protect only against outsiders, or against insiders? Against the malicious, or the merely careless? For example, if we use timestamps to guarantee protocol freshness, are we vulnerable to principals who carelessly let their clocks run slow? Do we only consider an attacker to have won if he can impersonate an authorised principal, or do we need to stop people abusing the protocol mechanisms to perform a service denial attack?

    The early attacks led to a second seminal paper, which Roger wrote with Mike Burrows and Martin Abadi in 1989 [2], and which introduced a logic of authentication. This enables an analyst to formalise the assumptions and goals of a security protocol, and to attempt to prove its correctness. When a proof cannot be found, the place at which one gets stuck often shows where an attack can be mounted. This style of analysis turned out to be very powerful, and a large literature quickly developed in which the BAN Logic and other formal tools were developed and extended to tackle a range of problems in protocol design.

    One of the remarkable things about the study of security protocols is that they have not become a solved problem. One might think that managing the objects associated with authenticating users over a network passwords, keys and the like was a fairly compact problem which would have been done to death within a few years. However, the more we dig, the more we find.

    Since 1992, Roger has hosted a protocols workshop every Easter. Early events dwelled on matters of authentication and logic, but by the mid-90s, the growing interest in electronic commerce was yielding papers on mechanisms for micropayments, bets, streaming media, mobile communications and electronic voting. Later years brought work on PKI, trust management and copyright enforcement. More and more problems come along as more and more businesses reinvent themselves online; threat models have also become more realistic, with dishonest insiders displacing the mythical evil hacker on the Internet.

    Dishonest insiders, and the composition problem

    Over the last two years, we have been exploring exactly how one might re-engineer cryptography to cope with dishonest insiders. One conclusion is that the analysis of security protocols must be extended to application programming interfaces. This is because the crypto keys used in authentication and payment protocols are often kept in separate hardware security processors, or at least in cryptographic libraries, to which access can be restricted using physical or logical mechanisms. However, an interface has to be exposed to the application program, which will occasionally be suborned whether by a corrupt insider, or by malware. How much harm can be done, and how can we limit it?

    Protecting protocols was hard enough, and yet the typical protocol consists of 35 messages exposed to manipulation. The API of a modern crypto library or hardware cryptoprocessor may contain 30500 callable functions, many with a range of options. This provides a very rich and complex environment for mischief.

    Attacks often involve using two separate mechanisms provided by the cryptoprocessor for different purposes, each of which could be innocuous by itself but which combine to cause trouble. For example, it is common to compute a customer PIN by encrypting the account number with a PIN derivation key: the cryptoprocessor then returns the PIN encrypted with a PIN storage key, so that the application has no access to its clear value. So far, so good. Then there is another transaction that can be used to encrypt a communications key under the terminal key loaded in an ATM. Here things start to go wrong, as the cryptoprocessor does not distinguish between a terminal key and a PIN derivation key; it considers them both to be of the same type. The upshot is that an attacker can supply the device with an account number, claiming that it is a communications key, and ask for it to be encrypted under the PIN derivation key.

    Attacks like this extend protocol analysis all the way to the composition problem the problem that connecting two systems that are secure in isolation can give a composite system that leaks. This had previously been seen as a separate issue, tackled with different conceptual tools.

    Differential protocol analysis

    We are now working on the second generation of API attacks, which exploit the application syntax supported by the cryptographic service. These attacks are even more powerful, and at least as interesting from the scientific point of view. PIN generation provides a neat example here too. In more detail, the standard PIN computation involves writing the result of the encryption as a hex string and decimalising it. As some banks like to let customers change their PIN to a more memorable number, there is a provision to add an offset to give the PIN that the customer actually enters: Account number: 8807 0123 4569 1715 PIN derivation key: FEFE FEFE FEFE FEFE Encrypted account number: A2CE 126C 69AE C82D Natural (decimalised) PIN: 0224 Offset: 6565 Customer PIN: 6789

    The typical implementation requires the programmer to send the cryptoprocessor the account number, a table describing the decimalisation (here, 0123 4567 8901 2345) and the offset. The processor returns the PIN, encrypted under the PIN storage key. The designers do not seem to have realised that a crooked programmer can manipulate the decimalisation table and the offset as well as the account number. A multitude of attacks follow. For example, one can send in an account number with a decimalisation table of 1111...11 to find out the ciphertext corresponding to a clear PIN of 1111, and then with a decimalisation table of 0111...11 to see if there is a zero in the first four digits of the encrypted account number (if so, the PIN, and thus the ciphertext output, will be different). By manipulating the decimalisation table further, he can get all the digits in the PIN, and by then playing with the offset he can get their order. In total, the attack requires only 1525 unprivileged cryptoprocessor transactions to discover the PIN on a single target account.

    This second type of attack takes protocol analysis into yet another realm: that of differential attacks. Over the last ten years, a number of techniques have been invented for attacking cryptographic systems by bombarding them with inputs with chosen differences.

    For example, in differential cryptanalysis, one analyses the changes in the output of the encryption algorithm; while with differential power analysis, one measures changes in the current consumption or electromagnetic emissions of the equipment. Now we have examples of how consecutive runs of a protocol can leak information if the inputs are suitably chosen. The resulting differential protocol analysis appears to be very powerful against application-level crypto.

    It will take us some time to figure out the general lessons to be drawn from attacks like this, the robustness principles that designers should use to avoid them, and the analysis techniques that might assure us of a particular designs soundness. The randomisation of all protocols (another feature of Rogers work) is likely to be important.

    Quantitative analysis and multiparty computation

    Various researchers have speculated about whether there might one day be a quantitative analysis of protocol security. This might be feasible for PIN processing applications as we can measure the information leakage per transaction in terms of the reduction of entropy in the unknown PIN. This leads in turn to a possible real-world application of an attack previously considered theoretical.

    Gus Simmons wrote extensively on covert channels in protocols. One such channel that is always present is the balking channel when one of the principals in a protocol signals something by halting and refusing to continue. This is normally considered unimportant as its information capacity is only a third of a bit per transaction. But with systems designed to cope with large transaction volumes, this need no longer hold. For example, a Trojanned cryptoprocessor could balk when it sees a predetermined PIN. If the PIN length were eight digits, this would be unlikely to hinder normal operation, but at a thousand transactions a second, a programmer could quickly find a number in a typical nine-digit account number range with just this PIN, and open an account for it. Once this kind of problem is appreciated, one can start to look for attacks that involve inducing rare error conditions that cause the cryptoprocessor to abort a transaction. (They exist.)

    A third emerging link is between protocol analysis and secure multiparty computation. In application-level crypto we may have several inputs to a computation, some of them coming from an untrusted source, and we have to stop users manipulating the computation to get outputs useful for bad purposes. In the PIN decimalisation example above, one might try to solve the problem by blocking tables such as 1111...11. Yet an attacker can get by with scarcely more work by using two normal-looking tables that differ slightly (another kind of differential attack). We might therefore think that if we cant sanitize the inputs to the computation, perhaps we can authenticate them, and use only those tables that real banks actually use. But building every bank in the world into our trust base is what we were trying to avoid by using cryptography!

    Conclusion

    The protocol work that started off a quarter of a century ago may have seemed at the time like a minor detail within the larger project of designing robust distributed systems. Yet it has already grown into the main unifying theme of security engineering. Application-level protocols, and especially those from which an attacker can harvest data over many runs, open up new problems. The resulting analysis techniques are set to invade the world of composable security, and the world of multiparty computation. The influence, and the consequences, of Rogers contribution just keep on growing.

    References

    1. NEEDHAM, R.M. AND SCHROEDER, R.M., Using encryption for authentication in large networks of computers. [yale.edu] Comm. ACM, vol. 21, no. 12, pp. 993-999, 1978.

    2. BURROWS, M. ABADI, M. AND NEEDHAM, R.M., A logic of authentication [dec.com], ACM Transactions on Computer Systems, vol. 8, no. 1, pp. 18-36, 1990.

  • Re:ATM? (pic)! (Score:5, Informative)

    by $$$$$exyGal (638164) on Friday February 21, 2003 @04:48PM (#5355629) Homepage Journal
    ATM with Windows [maximum-digital.com]

    --sex [slashdot.org]

  • A bit of background (Score:2, Informative)

    by tarquin_fim_bim (649994) on Friday February 21, 2003 @04:57PM (#5355717)
    To the court case is at the Inququirer [theinquirer.net]
  • by Anonymous Coward on Friday February 21, 2003 @05:12PM (#5355855)
    Dial-up or kilostream, normally. PIN traffic is hashed with the account number to prevent replay attacks and encrypted using DES (soon to be triple DES).

    It's virtually impossible to mount a successful attack from outside. The vulnerable part used to be inside the machine, between the keypad and the encrypting device, where the PIN travels in clear down a short cable. Bent engineers have actually planted devices (like Psion handhelds) inside ATMs to capture PINs and card numbers! This is currently being addressed by retro-fittable keypads which do the encryption themselves, so there are no cables to tap.

    This exploit for the ATM system (like the one last year for IBM 4758 cryptoprocessors) requires privileged access and would have to be an "inside job". The fix is also relatively simple - ensure no-one can frig about with the decimalisation table in the Host Security Module. Typically only two or three people in the bank have access to these boxes; they usually require more than one person to unlock the case and get to the keypad, so you can't just hack in and change the tables over the corporate network.

  • The real issue (Score:5, Informative)

    by SiliconEntity (448450) on Friday February 21, 2003 @05:25PM (#5356013)
    Few of you have read the document from Citibank [cam.ac.uk]. In the first place, it's not even Citibank! It's Diner's Club, and specifically Diner's Club South Africa, which is suing two customers who refuse to make good on supposed ATM withdrawals. (The withdrawals were made in England while the customers were in South Africa.)

    In the second place, the really funny part is that Diner's Club South Africa is trying to force Diner's Club International to produce experts to testify! DCI didn't want to help DCSA to this degree so DCSA is trying to get the courts to force them to help.

    But the main point is that the "gag order" reads as follows:

    The parties, their legal representative and their experts shall keep confidential all information revealed during the examination and such information shall not be used for any purpose other than the purposes of the Proceedings and the parties shall take all steps necessary to keep such information confidential
    This is what Ross Anderson objects to. He agrees that if the DCI experts testify about confidential information regarding the workings of the ATM system, that that should be kept secret. But he doesn't want the secrecy order to be so broad that it would interfere with him and his students publishing data based on publicly available information. He wants to make sure that the secrecy order is drawn to clarify the distinction between information that is available elsewhere and confidential information revealed by the experts.

    So when you look at it this way, it's not at all the black and white issue that is being presented here. Neither Diner's Club nor Citibank is seeking a "gag order" to suppress discussion of vulnerabilities. They just want to make sure that confidential testimony by their experts (information which they are contractually bound to keep confidential based on their relationships with others in the financial community) is kept secret. And the only issue is the technical details of how to draft the secrecy order.

    In short, it's a tempest in a teapot. Move along, folks. There's really nothing to see here.

  • by goombah99 (560566) on Friday February 21, 2003 @05:31PM (#5356076)
    oops...posting with the correct formatting this time:
    The Register reports [theregister.co.uk]that Mike Bond and Piotr Zielinski have detailed how any ATM programmer (bank, repairman, etc..) insider can crack any ATM PIN in just 15 guesses. Banks use a hardware encryption scheme to avoid the having a crackable psswd-like file. Oops...turns out theres a hole in the hardware design. Direct link to download [cam.ac.uk]the pdf paper.

    Here is how the crack works.

    first you have to understand how the pin is generated.

    banks had two problems they needed to solve, first an ATM had to be able to verify a card even if it went off-line from the bank computers. Thus to allow for on the spot verification, the pin has to derivable from the card somehow. Second, they also did not want to endure the security risk having to distribute a list of all PIN numbers of all cards to all machines, even if it was encrypted.

    So the scheme they came up with is they take your PIN number and DES encrypt it, and the first four digits of the encrypted number becomes your base PIN. Then to allow you to change your pin, they permit an offset number. Since knowing this offset number does not tell anyone the base PIN, these offset numbers can be kept in the public domain and distributed worldwide.

    thus when you type in your "pin" number to an ATM the sequence of steps is the machine reads the account code off the mag stripe, DES encodes it, grabs the first four numbers, adds your public offset, and compares it to the number you typed in at the key pad.

    to keep everything secure the entire process is done in hardware. So even a priviledged bank employee could not have access to the encrypted account code and thus learn the PIN.

    But wait, there's just one teeny tiny extra step I omitted that causes all the problems. when you DES encode something you get back a HEX number and since PINS are decimal you have to convert it to a decimal number. There's lots of ways you could do this, but what is done is simply to have a table that maps the 15 hex digits 0...F many-to-one down to 0...9.

    Again still no problem if this mapping had been done in hardware. Unfortunately, it was not viewed as a securtiy risk and this mapping table is not fixed but is rather a software input to the hardware unit. Any one with access to the hardware device such as a priviledged bank employee or a repair man, or someone who found one at a salvage yard can send a substitute table to the hardware. And thats where the problem lies.

    The paper gives several crack approaches one of which takes 15 tries maximum and is not easily explianed in a few words. they also give a simpler approach that takes max of 46 steps to get the pin which I'll explain.

    first change the many-to-one mapping to all zeros, except for 1 digit. say this digit is a 3. Then type in a trial PIN of 0000. the hardware unit will say this pin is a correct match unless the encrypted Account number happens to have a 3 anywhere in it. (all other get mapped to zero) Next Change the map to all zeros, except say for say the digit 4, and repeat. after trying all ten digits, you know know which digits are in the PIN number. Now you just try all permuations of these. worst case is a total of 36+10=46 trials.

    Their other algorithm is more efficient (only 15 trials maxiumum), but you get the idea.

    I note that this is a big problem for the banks. The reason is that it would not simply do to replace the hardware units with ones that have a fixed map table. The PINS are crackable by anyone who still has one of the old hardware units. To fix the system they would have to both change all of the ATM hardware, change the DES salt in the hardware (to render old machines useless), and change everyone's PINS. this would all have to be done simultaneouly, world wide in every ATM for the banking systems ATMs not to stop working for customers. alternatively I guess they could upgrade all the hardware slowly if they were willing to leave the crack in place until they finished. to do this they woul have to have two sets of offsets. one for the new machines and one for the old machines. the cards would remain crackable until the last machine was removed and the users changed their PIN numbers.

    I note that in a real system it only takes about 5000 tries on average to crack a 4 digit pin. However, the hardware units limit the rate of trials, so that reducing the number of trials by a couple orders of magnitude is significant.
  • by KernelHappy (517524) on Friday February 21, 2003 @05:32PM (#5356081) Homepage
    The parent post is mostly correct except that there are a few satelite based ATM's. IIRC military credit union(s) use them for ATM's deployed on large warships or remote bases. But most ATM's are leased line and/or terminated to a frame relay cloud somewhere. ATM's ustilizing POTS are a more recent development (mid 90's) and are generally reserved for low traffic volume locations such as convenience stores and boobie bars. But the advent of the ATM surcharge has vaulted the number of POTS based ATM's to new heights. What goes across the line is considerably more than a hash of the pin and some data stored on the card. There is information such as the type of transaction, ther terminal ID of the machine it's coming from, transaction sequence number, etc. A copy of the data stored on the mag stripe is also usually sent in the transaction request. This additional information is necessary for reconciliation of funds as well as tracking customer problems.

    Unfortunately a large portion of the security in the debit processing industry is by obscurity, minimizing theft incident values and by keeping the system sealed. In order to exploit these networks a user on the inside is usually necessary and the process of exploitation will leave that persons "fingerprints" all over the theft. Without a person on the inside the actual amounts a person could steal are rather small (thank the theives the next time you need $500 from your ATM card and your bank only allows you to withdraw $400 a day).

    The biggest problem is that the debit industry relies on legacy systems. Trying to retrofit the authorization process to use newer technologies is both difficult and extremely expensive and would require industry wide cooperation.
  • Re:This is SERIOUS (Score:2, Informative)

    by dachshund (300733) on Friday February 21, 2003 @05:37PM (#5356139)
    According to the researchers, the attack would really require direct access to the bank's pin-verification computer (Hardware Security Module) in order to be useful.

    They also note that you can avoid traps that rely on a series of bad PIN entries by mixing your "guesses" with valid requests from the card's owner.

  • Re:right to know (Score:4, Informative)

    by KernelHappy (517524) on Friday February 21, 2003 @05:39PM (#5356169) Homepage
    All processors in the debit card industry are required to have their security procedures audited. This includes extensive documentation of any change made to production code, handling of master encryption keys, database maintenance etc. It's not that the companies don't answer to someone, it's that the someone they answer to either doesn't see the weakness or realizes the huge cost involved in rectifying these problems and ignores it.
  • by Old Wolf (56093) on Friday February 21, 2003 @05:57PM (#5356403)
    Here they use X.25 (traveling via the PSTN to get to the X.25 network). The X.25 protocol includes security so that you can't forge a source address. The communications aspect is considered to be secure, which is why this attack is happening at the HSM level.
  • by rusty0101 (565565) on Friday February 21, 2003 @06:11PM (#5356547) Homepage Journal
    There are several different methods used.

    There are two basic ATM types. IP connected, and bisync/sdlc connected.

    IP connected use routers with frame and dedicated circuit connections. Some may be using VPNs with ISPs, but none that I have worked with do.

    Biysnc/sdlc connected atms may use a link converter to become effectively IP connected ATMs. As new ATMs come out, those connected via link converters are being replaced.

    Those atms that are not connected via a link converter and ip based network use one of three types of connection. Point to point, point to multi-point, and dial. Point to point and point to multi-point may use either analog or digital leased lines.

    Dial up atms use a "modem" that acts as a remote front end for the back end system.

    Encryption of the data on the line is handled by the end points. Links between the banks that allow information about your account to be retrieved, or approval for debits and deposits to happen at the atm are also encrypted at several points. Both end point computers encrypt their transactions, the lines themselves use encryptors as well.

    There are some variations to these designs. Each ATM provider uses their own design, and may use a variety of methods to implement ATMs in a particular region, simply to prevent one problem taking down all of the ATMs in an area.

    I have seen atms implemented using CDPD for temporary instalations.

    Satelite connected installations are extreamly rare. The current network infrastructure via sattelite is either extreamly expensive with low latency, as for example Iridium, or reasonable cost with high latency, via geo-stationary sats. 30Mm adds a 10th of a second in each direction just for speed of light. In a polled environment (bisync/sdlc) a half second delay for each polled device would make atm responsiveness extreamly unpleasent. A bisync line supports up to 32 devices. With Geosync sats, that means that there would be a built in 16 second delay between polls. SDLC supports up to 255 devices, or over 2 minutes. With the existing latency in the back end, getting that kind of a delay in your transactions would be extreamly unpleasent.

    The situation may change if prices improve for GlobalStar, but I wouldn't expect it to be used any time soon.

    As has been mentioned elsewhere, breaking into an atm remotely would be pretty much useless. You can not interact with the device over such a connection, no telnet, ftp or http servers, nor a command prompt interact with this line. So you will not be able to install data capture tools, or tell the atm to watch for your card and multiply your request authorizations.

    As the article points out, you could spoof a withdrawl, but spoofing a deposit will be voided by no deposit in the atm.

    I could be wrong however. Just remember that attempting a man in the middle attack for any connection across a telco connection constitutes wire fraud.

    -Rusty
  • by alaric_uk (652522) on Friday February 21, 2003 @06:35PM (#5356790) Homepage
    First off it might be appropriate to link to Mike Bond's site [cam.ac.uk], where he's tracking some of the news articles about his research, and it has unicycle jousting photos. Also of interest may be Ross Anderson's site [cam.ac.uk].

    When Ross mentioned the case and the gagging order in a software engineering lecture he was giving on thursday I was amused... but i didn't expect all this. What i think is most amusing is the fact that if citibank hadn't taken the pretty rash decision to pursue litigation rather than investigate it internal and fix the vuln quietly then they wouldn't look anywhere near as foolish!

    I think that's probably enough for my first post, but i'd just like to say that i expect the software engineering lecture with Ross Anderson tomorrow will be most amusing.

    Ross: 1
    Citibank: 0

    Alaric.
  • Re:They Can't (Score:2, Informative)

    by wirelessbuzzers (552513) on Friday February 21, 2003 @06:38PM (#5356808)
    No. It hasn't even been proved that cracking RSA requires factoring, even with simplified assumpions about how you're going to be using it. And nobody knows whether tomorrow someone will solve factoring. You can't prove anything secure without P!=NP or some small-n approximation to that. A proof like that would be revolutionary.
  • by jjon (555854) on Friday February 21, 2003 @06:39PM (#5356824)

    Parent is plain wrong. Read the paper describing the attack (PDF) [cam.ac.uk]. (Link courtesy of The Register [theregister.co.uk].

    Sure I could make a card, if I had the right equipment

    Making a card is trivial - blank magstripe cards and encoders are legally and cheaply available.

    and had the card for long enough to make it,

    To clone a card you just need the account number, that's all that's encoded on the magstripe.

    but in that case I could just as easily use the card.

    No, because you wouldn't know the PIN.

    I guess if I were super clever and I owned a business that used ATM's at the POS I could rig a line sniffer or something to save the ATM card info, then make some cards, then do this hack 15 times until I got the pin #

    No, if the customer enters their PIN into your dodgy ATM then you just record the account number and PIN - you don't need to hack anything.

    This attack can only be done by someone inside the bank with access to the PIN checking machine. These machines are meant to be protected against insider attack, but this attack gets around it. The number of guesses required is so small (~30 - if the machines were secure it should be ~5000 for a 4-digit PIN) they might not even be detected by the bank's auditing (assuming that the PIN checker has a suitable audit trail at all).

    then I could steal 300.00 a day

    For about one (or maybe two) days, before the bank or cardholder noticed and cancelled the card. For this to work, you need lots of PINs and just use each account once. The paper claims 20,000+ dollars per day (presumably this is based on how long it physically takes to use the ATM with several cards then move to another one before the cops arrive), and claims 2 million dollars total given a half-hour lunchbreak spent cracking PINs.

    but if I owned a business why would I need to steal money?

    Some people can never have enough money.

  • by giminy (94188) on Friday February 21, 2003 @07:04PM (#5357047) Homepage Journal
    Quoth the report:

    "However, HSMs [Hardware Security Modules] implementing several common PIN generation methods have a flaw. The first ATMs were IBM 3624s, introduced widely in the US in around 1980, and most PIN generation methods are based upon their approach. They calculate the customer's original PIN by encrypting the account number printed on the front of the customer's card with a secret DES key called a 'PIN generation key'."

    Weird. So they're talking about _generated_ PINs. Every bank account I've opened in the last 7 years, I've been able to request my PIN. And if I wanted to change it, I request what to change it to. Does any bank actually still use this method?

    I'm a wee bit confused....
  • by Beryllium Sphere(tm) (193358) on Friday February 21, 2003 @08:23PM (#5357623) Homepage Journal
    The system stores an offset which is the difference between your chosen PIN and the calculated PIN.
  • by Anonymous Coward on Friday February 21, 2003 @10:00PM (#5358093)
    When I worked with the systems that printed the daily logs of ATMs, I noticed the reports that we call the oddities, the ones that print out for unusual transactions. As I pieced one of the reports together, I read how the exact some transaction for the exact same amount with the exact same card at the exact same time occured in areas, at seperate ATMs, about 30 miles apart from each other. I thought to myself, that is called "transvesting."

What this country needs is a good five dollar plasma weapon.

Working...