Encryption Security

Citibank Tries to Hush ATM Crypto Vulnerability

Posted by michael
from the be-vewwy-vewwy-qweit dept.
palme999 writes "Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions. The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers' accounts because they claim their systems are secure."


  • Fees... (Score:1, Interesting)

    by RyansPrivates (634385) on Friday February 21, 2003 @04:02PM (#5355164)
    I love ATM fees. I can use a 'FREE' ATM and still am charged a fee from my own bank! With all this dough they are raking in, they should be COMPLETELY secure!!!
  • by odyrithm (461343) on Friday February 21, 2003 @04:05PM (#5355207)
    I watched the ATM (called a cash machine here in the UK) I was withdrawing from reboot.. was using OS/2.. I'm checking now to see if it actually deducted from my account..
  • Shut them up! (Score:2, Interesting)

    by Anonymous Coward on Friday February 21, 2003 @04:06PM (#5355216)
    We all want this to happen! Citi will fix it because it is in the best interest of their customers. Releasing the info would increase the risk of **YOUR** money being stolen. Give them time, but follow up with them to ensure it is fixed.
  • by Anonymous Coward on Friday February 21, 2003 @04:08PM (#5355245)
    Mostly it affects where banks choose your PIN for you (which happens in the UK among other places) based upon a hash of your account number. Not that a 4 digit PIN was a particularly strong encryption method, but this paper merely says it's even weaker when based off the user's account number. However, it seems this crack is most easily achieved by an insider, not your local script kiddie with Aunt Edna's ATM card.

    Read more here:
    http://www.kuro5hin.org/story/2003/2/20/61350/0548
  • by TheRaven64 (641858) on Friday February 21, 2003 @04:14PM (#5355321) Journal
    I've seen Windows ATMs before (there's one near me that regularly has a DHCP error dialog showing) but I recently went up to use one in one of the London stations. As I approached it crashed (Computers often do that to me.) It then went through the OS/2 boot-up sequence...
  • by Llywelyn (531070) on Friday February 21, 2003 @04:15PM (#5355324) Homepage
    "Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions..."

    Now that it has been posted on /. there are probably thousands of geeks downloading it as we speak. I think we can safely say that it is "in the wild"
  • by SquadBoy (167263) on Friday February 21, 2003 @04:15PM (#5355336) Homepage Journal
    They are some kind of leased line. We have customers that run on Frame, ISDN, and yes even dialup but mostly they go into some kind of Frame cloud. No they are not satellite and although a few people are trying to do them over VPNs it is for obvious reasons thought of as being a *very* bad thing. While this does not apply to what they are talking about in the article they mostly use 3DES for all the traffic that goes over the line. So an attacker could most likely wardial and find the dial backup lines and try to get in that way. But why bother with that when most places have dial in lines on their mainframes. Other than that if you had or could get access to the Frame cloud you could try. But at least the ones I work with are *very* hardened and most likely not worth the time/effort to break them remotely because it is hard to get cash over a line and breaking an ATM does not really get you into the mainframe. Far better and easier to try to break the mainframe mostly because there are far more ways to get to them and banks etc. do not pay nearly as much attention to security as you would think. This in spite of the fact that I yell at people all day long on the subject but I'm just one guy and they consider me paranoid. Gawd I hate people. Anyway hope the above answers your questions which could be summed up as I've never heard of anybody breaking them remotely and it would be *very* hard to do so.
  • by osgeek (239988) on Friday February 21, 2003 @04:25PM (#5355416) Homepage Journal
    With no cash in my wallet, I went to an ATM (Wells Fargo) a few months ago. I withdrew $200, and went along my merry way.

    I pulled out my wallet about an hour later. As I was thumbing through my cash to pay for something I discovered a ten dollar bill in the middle of my stack of twenties... HUH? Damned ATM machine ripped me off.

    The next time I went by a Wells Fargo branch office, I reported the problem. They mentioned that there was some complicated method for submitting a complaint. I decided that it would cost me a lot more than $10 to try to get it back.
  • by asscroft (610290) on Friday February 21, 2003 @04:29PM (#5355454)
    How the hell do you use a PIN, if you don't have the card. I'm pretty sure the ATM doesn't let me type in my card number.

    Sure I could make a card, if I had the right equipment and had the card for long enough to make it, but in that case I could just as easily use the card.

    I guess if I were super clever and I owned a business that used ATMs at the POS I could rig a line sniffer or something to save the ATM card info, then make some cards, then do this hack 15 times until I got the PIN #, then I could steal 300.00 a day.

    but if I owned a business why would I need to steal money?

    Is there some easier way to use the PIN #???
  • Re:Candid Camera (Score:3, Interesting)

    by nochops (522181) on Friday February 21, 2003 @04:36PM (#5355524)
    Yes they do, and that's how I got out of a bad charge on my account.

    I went to the ATM and tried to make a withdrawal. The machine tried to give me the cash, but something went wrong mechanically, and the money never came out.

    I disputed the charge, but since their systems said that I did make the withdrawal, they didn't want to give me my money back.

    I told them I wanted to see the surveillance tape for my personal records. Well, they didn't let me see the tape, but I'm assuming they looked at it and saw that no money came out of the machine. A few days later, I had a credit for the withdrawal.
  • An old vulnerability (Score:5, Interesting)

    by frovingslosh (582462) on Friday February 21, 2003 @04:56PM (#5355699)
    This seems the right time and place to relate a story about a 30 year old ATM bug I heard about:

    A student at my old school noticed once that the ATM machine had a problem and so voided the transaction he was making. He also noted that the ATM gave him his money before it gave the ATM card back.

    He went up to an ATM one evening and slipped in his card. Pushed all the right buttons to take out his daily limit. Took the cash. The ATM asked if he wanted to do anything else, he said no. As the ATM was about to eject his card, he put his hand in front of the slot. The ATM displayed that there was a jam. It voided the transaction and displayed that it was unavailable. He removed his hand and was able to grab the card by its edge and pull it out. The ATM sensed the jam was cleared and displayed it was ready for business.

    The procedure was repeated. And repeated. And repeated. Eventually the ATM was empty.

    The next day he went into the bank, put down a pile of cash and explained to the manager that they had a problem.

  • by antiprime (121253) on Friday February 21, 2003 @04:56PM (#5355701) Journal
    I had a similar experience, withdrew $200 and counted. The machine shorted me $20. So next time I was in the credit union, I mentioned it to a clerk. She looked up the transaction and said they had me on record as withdrawing $180, and that their ATM accounting is full of little checks and balances. I have never ever been given grief at a credit union when I questioned their ATM's accuracy. This is just one of many reasons to not deal with a large impersonal bank if you can help it. The folks at your local branch may be all personable, but when 'Corporate' barks an order from half a world away it's their job to snap to, even if it's not fair to the customers.

  • by HughsOnFirst (174255) on Friday February 21, 2003 @05:16PM (#5355909)
    A while back there was a case where some bad guys made up a fake ATM machine along the lines of the ones you see in convenience stores. It would simply record the mag stripe on the card and capture the keystrokes, then display an error message about communication lines being down. They planted it in a mall for a week or so and captured thousands of mag stripes and PINs.

    An imaginative person could come up with dozens of similar scenarios.

  • Who has access? (Score:2, Interesting)

    by barryfandango (627554) on Friday February 21, 2003 @05:30PM (#5356064)

    From reading the article it would seem that the only people who could pull off something like this are "Bank Programmers," but there's a much bigger security hole that I can think of.

    Here in Canada we have non-bank ATM machines proliferating across the countryside - it's basically a machine that performs an Interac (debit) transaction and spits out money. It runs over a telephone line, you can buy one for a few thousand dollars, and you plonk it down in the middle of a bar where people are too drunk to care that you're adding $2.00 to every transaction.

    But who are the people making these machines? They have no certification that I'm aware of. I've seen at least a dozen varieties of these "mini-ATMs" from companies whose names I have never heard of. It seems to me that it would be very easy to build a few of these, rent them to bar owners or corner stores (also very common) and just log magnetic strips and PINs till the cows come home. What does the guy who owns the corner store know about security? He'll just be glad that he has an alternative in his store to offering debit himself, which costs him money on every transaction.

    So anyway, if anybody has some plans or examples of how to build your own Interac-ATM please post them on the net ASAP and let's talk business.

  • by estoll (443779) on Friday February 21, 2003 @05:51PM (#5356315) Homepage
    I know a guy whose brother writes software for POS terminals that you use at gas pumps. He says if you choose the "debit card" payment option, your PIN number is transmitted in plain text over the Internet.
  • by geekoid (135745) on Friday February 21, 2003 @05:56PM (#5356367) Homepage Journal
    Actually, I would be happier with a settlement that forced atm usage to be free.
  • Not surprising (Score:4, Interesting)

    by j_kenpo (571930) on Friday February 21, 2003 @08:07PM (#5357506)
    This is not very surprising at all. Having worked for Citibank, I can vouch for their poor security and joke of an ethical hack process, I'm not surprised that their ATMs' (Global CATS is what they are called internally) encryption scheme for PIN numbers is poor. If I remember correctly, it's actually a VB app on a PC. The goal of the ATM was focused more on ease of use and accessibility, or so the training would lead you to believe. I'm not exactly sure what the process is in the Branches for PIN assignment, but with the cluelessness of their CGTI (Citigroup Technical Infrastructure) and their development team, I wouldn't be surprised if these boxes were more vulnerable to other attacks. There used to be sites like citibanksucks.com and shitibank.com (I don't think they are still around, I think they were "silenced") that used to point out flaws in Citi's systems. They aren't the first to sweep bad press under the rug though.
  • 4 digits anyway (Score:3, Interesting)

    by Darth_Burrito (227272) on Friday February 21, 2003 @08:56PM (#5357799)
    Alright I realize this is "different" but ... come on ... how much can we complain about the secrecy of a 4 digit number. There's only 10,000 different combinations. What pisses me off is my bank uses the PIN numbers for your online banking password and they use your frickin social security number as the username. You get 3 tries on every account. So how hard is that to automate a hack?

    How many morons we got on this ship?
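Darth_Burrito's point about 3 tries per account, and asscroft's earlier remark about repeating guesses until the PIN lands, describe exactly the pattern a bank's fraud monitoring should flag. The following is an added example, not code from this thread or from Citibank: it scans constructed ATM authorization log lines (the format, field names and every value are assumptions) for accounts that accumulated more failed PIN attempts than a 3-try lockout should ever let through, and for terminals whose failures are spread across many different accounts.

```python
"""Flag PIN-guessing patterns in ATM authorization logs.

Added example for the thread above; the log format and the sample lines
are constructed here and are not any bank's real format.
"""
from collections import defaultdict

# Constructed sample: timestamp, terminal id, account id, PIN check result.
SAMPLE_LOG = """\
2003-02-21T16:02:00 ATM-0007 ACCT-1001 PIN_OK
2003-02-21T16:03:10 ATM-0007 ACCT-1002 PIN_FAIL
2003-02-21T16:03:40 ATM-0007 ACCT-1002 PIN_FAIL
2003-02-21T16:04:05 ATM-0007 ACCT-1002 PIN_FAIL
2003-02-21T16:04:30 ATM-0007 ACCT-1002 PIN_FAIL
2003-02-21T16:05:00 ATM-0007 ACCT-1003 PIN_FAIL
2003-02-21T16:05:30 ATM-0007 ACCT-1004 PIN_FAIL
2003-02-21T16:06:00 ATM-0007 ACCT-1005 PIN_FAIL
2003-02-21T16:06:30 ATM-0007 ACCT-1006 PIN_FAIL
2003-02-21T16:07:00 ATM-0007 ACCT-1007 PIN_FAIL
2003-02-21T16:08:00 ATM-0042 ACCT-2001 PIN_FAIL
2003-02-21T16:09:00 ATM-0042 ACCT-2001 PIN_OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, terminal, account, result)."""
    ts, terminal, account, result = line.split()
    return ts, terminal, account, result


def find_pin_guessing(log_text, max_failures=3, min_accounts_per_terminal=5):
    """Return (over_limit, spraying).

    over_limit: accounts with more PIN failures than the lockout allows,
        meaning the lockout was bypassed or never enforced.
    spraying: terminals whose failures touch many distinct accounts, the
        shape of a batch of cloned cards being tried one after another.
    """
    fails_per_account = defaultdict(int)
    failed_accounts_per_terminal = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        _, terminal, account, result = parse_line(raw)
        if result == "PIN_FAIL":
            fails_per_account[account] += 1
            failed_accounts_per_terminal[terminal].add(account)
    over_limit = sorted(a for a, n in fails_per_account.items() if n > max_failures)
    spraying = sorted(t for t, accts in failed_accounts_per_terminal.items()
                      if len(accts) >= min_accounts_per_terminal)
    return over_limit, spraying
```

On the sample, ACCT-1002 exceeds the 3-try limit and ATM-0007 shows failures across six accounts, while ATM-0042's single failure followed by a success is left alone.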
  • by Anonymous Coward on Friday February 21, 2003 @09:08PM (#5357864)
    Nobody ever bothers to mention the fact that ATM machines are electromagnetically insecure. They aren't RF shielded worth doodle and any reasonably competent spook can capture all of the details of any transaction from across a parking lot. Find a bank with some outside ATMs, park a van with some affordable electronics a hundred or so feet away, spend a few hours capturing data, encode the magnetic strips on a few blank cards using different and still affordable electronics, write the PIN numbers on each card, wait a few days so that everybody forgets seeing your van, travel a few miles to another ATM, and then start withdrawing cash. Move to another ATM and repeat. A couple of hundred bucks 40 or 50 times a day for three or four days adds up to serious cash quickly and probably before anybody notices. Burn the cards and return to step one.
  • Re:RTFA! (Score:2, Interesting)

    by grimarr (223895) on Saturday February 22, 2003 @12:50AM (#5358765)
    Just because the article didn't mention the DMCA, doesn't mean it can't be relevant. Sure this was an article about British events. His point was that if it was an American bank, and American people discovered the flaw, the banks (or the government) could use the DMCA to prevent them from telling people.

    Yeah, I know that the DMCA is supposed to be about preventing illegal copying, but it gets stretched WAY beyond that sometimes. Maybe the banks would claim that the encrypted data in the ATM was copyrighted....

  • by PotatoHead (12771) on Saturday February 22, 2003 @03:25AM (#5359256) Homepage Journal
    In the last few years reports have been written about ways banks can increase revenue. In the early 90's the easiest way was to increase fees.

    There are consultants that will analyze a bank's customer transaction histories in order to recommend a fee structure that will retain the highest number of customers and generate the most revenue from fees while lowering costs.

    They do this with the teller fee, minimum balance fee, account inactivity fee and the overdraft fee.

    Recently the check cashing fee was added to both make money on both the check writer and the casher while discouraging face to face business at the bank which lowers costs.

    The high growth of bank profits combined with growing negative public perception of the fees has recently sparked a few recommendations toward more reasonable structures that actually do help people and the bank without so much profit.

    Try and find a couple of those. They get almost zero notice.

    See how it works? Remember that the next time you read a shiny well produced brochure that 'assures' you that no other bank is working harder for you.
