Citibank Tries to Hush ATM Crypto Vulnerability

palme999 writes "Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions. The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers accounts because they claim their systems are secure."

ATM? I don't need no stinkin' ATM!

[zmcgrew]

Hehe.
The ATM in the WalMart by us runs Windows.
And it crashes, gives blue screens, and popup error messages all the time.

Who needs security when the system can't even run stabily?

Re:ATM? I don't need no stinkin' ATM!

[TheRaven64]

I've seen windows ATMs before (there's one near me that rugularly has a dhcp error dialog showing) but I recently went up to use one in one of the London stations. As I approached it crashed (Computers often do that to me.) It then went through the OS/2 boot-up sequence...

Re:ATM? (pic)!

[$$$$$exyGal]

ATM with Windows [maximum-digital.com]

--sex [slashdot.org]

m$ wants sites to stay unavailable

[klparrot]

Click the Refresh button, or try again later.

Gotta love how when the server gets too busy, it suggests you keep hammering it. :)

Re:ATM? I don't need no stinkin' ATM!

[hazem]

It's not just Walmart - it's the people of the town who choose to shop there. If a majority of the people in a town continued to shop at their normal places, rather than the new Walmart, the Walmart would not do well, and old places would do fine.

But, most people will chose to pay $1.00 for a loaf of bread instead of $1.50. In that case, they are giving up the "old way" for that $0.50. It's their choice. You can't blame it all on Walmart.

Another PIN vuln story

[Anonymous Coward]

From The Register [theregister.co.uk].

and only 15minutes ago..

[odyrithm]

I watched the atm(called a cash machine here in the UK) I was withdrawing from reboot.. was using os/2.. Im checking now to see if it actualy deducted from my account..

Re:and only 15minutes ago..

[kfg]

For what it's worth, they're called "cash machines" here in the colonies as well.

A west coastism is to refer to twenty dollar bills as "Yuppie Foodstamps" because cash machines only dispense twenties, and thus people who rely on them never seem to have anything but.

KFG

Re:and only 15minutes ago..

[L7_]

But there is no other way to tell if you're alive in Wisconsin unless you go to the Pulse Machine.

Release the lawyers!!!

[TopShelf]

The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers accounts because they claim their systems are secure.

Does anybody smell a class-action for ATM users who have filed these complaints? It would probably work similarly to the CD price-fixing settlement that was in the news lately, since it would be hard to identify the specific members of the class.

Re:Release the lawyers!!!

[rgmoore]

It should be pointed out that this is a problem in the UK, but the US has saner legal rules. The article mentions that Citibank lost a similar case in the US, so apparently the US doesn't think that "our system is secure; it must be the user's fault" is sufficient defense.

Re:Release the lawyers!!!

[geekoid]

Actually, I would be happier with a settlement that forced atm usage to be free.

Shut them up!

[Anonymous Coward]

We all want this to happen! Citi will fix it because it is in the best interest of their customers. Releasing the info would increase the risk of **YOUR** money stolen. Give them time, but follow up with them to ensure it is fixed.

Re:Shut them up!

[Daniel Dvorkin]

Um ... you're kidding, right?

Citibank has no interest in "the best interest of its customers." Like any other megacorp, they don't give a shit about you. They're much more concerned about the embarrassment of admitting that their security is worthless than they are about actually keeping people's money safe. The only way to get them to fix this problem is to publicize it as loudly as possible, because then not fixing the problem becomes even more of an embarrassment for them.

Re:Shut them up!

[dubiousmike]

He's right. My uncle-in-law is one of the heads of Citibank's private label card division (Home Depot credit card, various chain store credit cards).

He definitley doesn't give a shit.
But he does enjoy being rich as fuck.

Can't say I blame him on that last part. He makes my yearly salary every month.

Re:Shut them up!

[antis0c]

Did you even read any of it? Citi believes there system is 100% secure! They're trying to hush this so they can continue to say it is. Chances of them fixing it are very low. Remember, Citi is in the business to make money. If they can use their lawyers to hush up talk about the security vulnerabilities, then they consider the problem fixed. It's like Microsoft, security through obscurity. "If no one knows about the problem it's not a problem is it?"

No, they wont.

[Unknown Poltroon]

WHy would they fis it, when they already KNOW theres a problem, and yet they refuse to admit it to the customers who have lost money??!?! If they were quietly REIMBURSING the customers, then i would agree. But they arent.

Tell 'em to prove it.

[Dolemite_the_Wiz]

If Citibank sez that their systems are secure. Tell 'em to prove it.

Dolemite

They Can't

[neurostar]

Tell 'em to prove it.

Well, as nice as it would be to have them prove the security, it is technically impossible to prove that a system is secure. It is only possible to prove that a system is not secure by exposing a flaw.

neurostar

Re:They Can't

[SquadBoy]

The parent poster of course knew this fact. :)

Now think for a minute about what s/he was trying to say. :)

Re:They Can't

[neurostar]

Ahhh ok. Hehe. Whoops!

neurostar

New ad campaign!

[Tackhead]

> If Citibank sez that their systems are secure. Tell 'em to prove it.

I sense a new ad campaign [msn.com] in the offing.

You are not your per-card withdrawal limit.

You know things more important than your PIN.
You are worth more than your bank balance.

Live richly.
Citi.

dmca problems, again?

[micq]

This is the kind of shit that scares me about the DMCA...

New System

[alaric187]

Oh you guys, that's just Citibank's patented Security Through Litigation (tm) method. I hear it works wonders on keeping financial info secure.

This was covered at k5 also

[Anonymous Coward]

Mostly it affects where banks choose your pin for you (which happens in the UK among other places) based upon a hash of your account number. Not that a 4 digit pin was particularly strong an encription method, but this paper merely says it's even weaker when based of the users account number. However, it seems this crack is most easily acheived by an insider, not your local script kiddie with Aunt Edna's ATM card.

Read more here:
http://www.kuro5hin.org/story/2003/2/20/61350/0548 [kuro5hin.org]

Re:This was covered at k5 also

[Dudio]

Mostly it affects where banks choose your pin for you (which happens in the UK among other places) based upon a hash of your account number.

While technically true, the catch is that this applies to a lot of PINs, even those chosen by the cardholder. When you set your own PIN, the bank just stores an offset that is used in conjunction with the autogenerated PIN. The vulnerability paper [cam.ac.uk] goes into this in section 3.

right to know

[dougnaka]

The statements made by Citibank regarding their security can only be trusted as far as they are independently evaluated. Consumers in general, and especially Americans, rely far too heavily on a companies claims. If a company makes false claims these days they often simply ignore the facts, and that enough is wrong. But when someone comes out with evidence that a company is making false claims, and the company tries to silence them? That is outright immoral, and should be illegal.

Why is it they can even try things like this without massive public backlash? They would be far better off accepting the "new" information, and promising to work hard to always keep their systems secure.

I'm sure certian companies [microsoft.com] would love to see legal actions like this get upheld by a court.... Oh well, I guess we can always move to Norway... I wonder if they'd let me live on sealand [sealandgov.com] once all my rights are gone here...

Re:right to know

[KernelHappy]

All processors in the debit card industry are required to have their security procedures audited. This includes extensive documentation of any change made to production code, handling of master encryption keys, database maintenance etc. It's not that the companies don't answer to someone, it's that the someone they answer to either doesn't see the weakness or realizes the huge cost involved in rectifying these problems and ignores it.

This is SERIOUS

[arvindn]

This isn't like on of the regular "a new vulnerability has been discovered. No exploitz are known yet. Patch can be found <here>" kind of things we get on bugtraq all the time.

From the article

For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys.

What the bank is doing is very irresponsible. I hope they get lots of bad publicity for this. Getting on /. is a good start.

Re:This is SERIOUS

[dachshund]

It now looks like some of these vulnerabilities have also been discovered by the bad guys.

Of course, this isn't necessarily the case. Note that this particular scheme would require a insider in the bank with access to the pin-verification system. Until somebody verifies that, or at least combs through the logs to look for patterns of suspicious PIN guessing, any connection between the increase in phantom withdrawals and this vulnerability is pure speculation.

Re:This is SERIOUS

[mosch]

Yes, but the banks are claiming that the system contains no vulnerabilities at all. The presence of any vulnerability demonstrates that the banks are being less than honest with the courts.

Last I checked, it's significantly illegal to be less than honest with the courts.

Re:This is SERIOUS

[Beryllium Sphere(tm)]

What logs?

Notice that one of the proposed fixes was to create an audit trail.

Re:This is SERIOUS

[Hammerikaner]

Everyone should just mirror the PDF [cam.ac.uk] file on your own web server. Would it matter then, if the court filed an injunction? Everyone already has it.

woah!

[spazoid12]

I'd better go back and tell my 12-year-old self not to get an ATM card!

Re:woah!

[Rojo^]

You never saw Terminator 2 then, huh? =)

Re:woah!

[Rojo^]

Don't worry. These same stories will be posted again next week. You'll have your chance. . . [grin]

Submission to /.

[prgammans]

So they submitted it to /. to gag it for them.
Much quicker then a court order.

More meat to the story

[UberLord]

http://www.theregister.co.uk/content/55/29425.html

The Register is running a story with more content

Which also explains in laymans terms how the two guys in the submitted link went about working out the vulnerability

They should just give up...

[Llywelyn]

"Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions..."

Now that it has been posted on /. there are probably thousands of geeks downloading it as we speak. I think we can safely say that it is "in the wild"

ATM with an eye

[doubtless]

I believe that in some countries banks actually install a camera in every ATM they own. They simply take a video or a snapshot of the person making transaction with the machine.

I think this is pretty good idea to record frauds, false claims, and extortions in front of the machine. Personally I don't have a privacy issue in this case.

many have 2

[Unknown Poltroon]

one right there to take your picture of the transaction, and one farther away, so they can see you when you cover it with a post it.

Re:ATM with an eye

[DragonMagic]

Except not every ATM is equipped with this, or, like those around here, when it gets really snowy, sometimes cars driving past the external ATMs can splash slush and salt onto the covering of the camera and block its view.

Probably the best thing to do is a complete overhaul of the CC, ATM and Debit Card markets, over the course of the next ten years or so. Increase the numbers to 24 digits, secure a pin of no less than six digits, and have complete address verification based on the entire address, country and postal code, instead of the absurdly simple address/postal code there is now.

It wouldn't be too difficult to supply most terminals with an update to software, and upgrade other pieces of software, to accept both types of cards until the old ones are phased out. And it wouldn't cost too much more money, since they're not replacing all the old cards, just phasing them out when new ones are released.

So why don't they?

Re:ATM with an eye

[Skyshadow]

I believe that in some countries banks actually install a camera in every ATM they own. They simply take a video or a snapshot of the person making transaction with the machine.

Most ATMs in the US are under video survailance, too.

Of course, this won't prevent me from using a techincal exploit to rob them. All I need to do is find an ATM in a somewhat secluded place (not hard), put on a ski mask just before I go to work and not take it off while I'm robbing the thing blind.

Cameras != protection from crime. They just assist in catching stupid criminals.

Credit please

[grub]

involving 'phantom' ATM transactions that users deny making but that banks still charge to customers accounts because they claim their systems are secure

"Honestly, Mr. Citibank Manager, why would I guy several cases of Fort Garry Ale [fortgarry.com] or Guinness [guinness.ie]? I demand you credit my account.

Wrong hardware listed

[chiph]

These attacks defeat machines such as the Racal RG7000 and the IBM 4758/CCA which are commonly used to protect the PINs and keys used in automatic teller machines.

While the IBM 4758 has been cracked before [slashdot.org], it's not something that someone can do on their lunch break. What I suspect is being cracked is the little desktop unit that the customer service rep spins around for you to enter your PIN when you sign up for ATM service.

Chip H.

Anyone have details on Judd vs. Citibank?

[burgburgburg]

Since this is the case listed as establishing US law on phantom withdrawals, and is listed as a Citibank loss, anyone have further details?

Judd vs. Citibank

[SirWhoopass]

This is the best that I could find:

http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/liabil ity.pdf [cam.ac.uk]

From the linked PDF:

The US is totally different; there, in the landmark court case Judd v Citibank

[JC], Dorothy Judd claimed that she had not made a number of ATM with-
drawals which Citibank had debited to her account; Citibank claimed that she
must have done. The judge ruled that Citibank was wrong in law to claim that
its systems were infallible, as this placed `an unmeetable burden of proof' on
the plaintif. Since then, if a US bank customer disputes an electronic debit, the
bank must refund the money within 30 days, unless it can prove that the claim
is an attempted fraud.

Basically, it says that the bank has the burden of proof in the United States, because the court decided it was unreasonable to have the customer "prove" a flaw within the bank's systems. The UK, however, is different. The customer has the burden of proof.

Coincidence..., I think not.

[revery]

First there was the Phantom Menace, then there was the Phantom Edit, now we have "phantom" transactions... coindidence? I think not.

George Lucas is involved here somwhere.

--

I sense a great disturbance in the fiber, as if a million ATM transactions were suddenly silenced...

Link to news story about this attack

[skintigh2]

http://www.theregister.co.uk/content/55/29425.html

Sorry, HTML formatting doesn't seem to be working...

PINS based on acct. number??

[cayenne8]

I got from the paper, that this attack was somehow based on PINS originally coming from an encryption of the users acct. number?? I chose my PIN number when I set up my acct....not one assigned. Don't most banks let you choose your own PIN number?

Re:PINS based on acct. number??

[DragonMagic]

My bank, when you first open an account, chooses the password for you. But it's not just a hash of your account number or completely random, but it's the digits based on the telephone keypad letters of a four letter word, like BOTH, YOLK, THIS, etc.

Then in the menu of the ATM, once the card is activated by typing in this word, you can select your new PIN.

Go back to sleep children

[ralphus]

Everything is ok.

Your money is safe.

The world is simple.

You are with us or against us.

Go buy yourself something, you deserve it.

Those in charge know what they are doing and will take care of you.

Re:Go back to sleep children

[aussersterne]

Everything is ok.

Your money is safe.

The world is simple.

You are with us or against us.

Go buy yourself something, you deserve it.

Those in charge know what they are doing and will take care of you.

When I think about this, the fact that this post was modded as "insightful" by someone is perhaps the most frightening thing I've seen in a long time.

Re:Go back to sleep children

[ralphus]

When I think about this, the fact that this post was modded as "insightful" by someone is perhaps the most frightening thing I've seen in a long time.

I agree. I'm frightened myself, and had a high level of sarcasm when I wrote it, but I feel that this basic sales pitch is done over and over again to the mass public and for the most part they buy it! The moderators probably picked up on that and agreed.

Link to PDF

[FlyingCarrot]

Link to PDF given in page

Link to PDF [cam.ac.uk]

Old news

[MarkGriz]

A young John Connor figured out how to crack PINs way back in 1991 [imdb.com]. How is this "News" for Nerds?

ATMs are fallible in lots of ways

[osgeek]

With no cash in my wallet, I went to an ATM (Wells Fargo) a few months ago. I withdrew $200, and went along my merry way.

I pulled out my wallet about an hour later. As I was thumbing through my cash to pay for something I discovered a ten dollar bill in the middle of my stack of twenties... HUH? Damned ATM machine ripped me off.

The next time I went by a Wells Fargo branch office, I reported the problem. They mentioned that there was some complicated method for submitting a complaint. I decided that it would cost me a lot more than $10 to try to get it back.

Re:ATMs are fallible in lots of ways

[Roofus]

That reminds me of the ATM where I asked for $20, and got $40 out instead. I checked my next statement to see how much it took out of my account, and it was $20! I guess I owe you and some other guy $10 each then huh?

Re:ATMs are fallible in lots of ways

[shotgunefx]

I got shorted $20 dollars once. Luckily I counted it in front of the ATM (which has a video, most here do) and got really pissed off.

I held it up and counted, like there was a little guy in there and started screaming at it. I went to my bank the next day, and the say they had to review it. A few days later they credited me. I assume one of the things they did was look at the tape.

Now I always count it in front of the camera so if there is a problem I've got proof.

Candid Camera

[scottennis]

Don't most ATMs have cameras now that take your picture when you do a transaction?

When these "phantom transactions" occur, I assume there is a picture taken of a dark wraith in a hooded cloak.

But seriously, wouldn't the bank have your picture if you had performed a transaction?

Re:Candid Camera

[nochops]

Yes they do, and that's how I got out of a bad charge on my account.

I went to the ATM and tried to make a withdrawal. The machine tried to give me the cash, but something went wrong mechanically, and the money never came out.

I disputed the charge, but since their systems said that I did make the withdrawal, they didn't want to give me my money back.

I told them I wanted to see the surveilance tape for my personal records. Well, they didn't let me see the tape, but I'm assuming they looked at it and saw that no money came out of the machine. A few days later, i had a credit for the withdrawal.

Am I missing something?

[asscroft]

How the hell do you use a pin, if you don't have the card. I'm pretty sure the ATM doesn't let me type in my card number.

Sure I could make a card, if I had the right equipment and had the card for long enough to make it, but in that case I could just as easily use the card.

I guess if I were super clever and I owned a business that used ATM's at the POS I could rig a line sniffer or something to save the ATM card info, then make some cards, then do this hack 15 times until I got the pin #, then I could steal 300.00 a day.

but if I owned a business why would I need to steal money?

Is there some easier way to use the pin #???

Re:Am I missing something?

[HughsOnFirst]

A while back there was a case where some bad guys made up a fake ATM machine along the lines of the ones you see in convenience stores. It would simply record the mag stripe on the card and capture the keystrokes, then display an error message about communication lines being down. They planted it in a mall for a week or so and captured thousands of mag stripes and PINs.

An imaginative person could come up with dozens of similar scenarios.

Re:Am I missing something?

[jjon]

Parent is plain wrong. Read the paper describing the attack (PDF) [cam.ac.uk]. (Link courtesy of The Register [theregister.co.uk].

Sure I could make a card, if I had the right equipment

Making a card is trivial - blank magstripe cards and encoders are legally and cheaply available.

and had the card for long enough to make it,

To clone a card you just need the account number, that's all that's encoded on the magstripe.

but in that case I could just as easily use the card.

No, because you wouldn't know the PIN.

I guess if I were super clever and I owned a business that used ATM's at the POS I could rig a line sniffer or something to save the ATM card info, then make some cards, then do this hack 15 times until I got the pin #

No, if the customer enters their PIN into your dodgy ATM then you just record the account number and PIN - you don't need to hack anything.

This attack can only be done by someone inside the bank with access to the PIN checking machine. These machines are meant to be protected against insider attack, but this attack gets around it. The number of guesses required is so small (~30 - if the machines were secure it should be ~5000 for a 4-digit PIN) they might not even be detected by the bank's auditing (assuming that the PIN checker has a suitable audit trail at all).

then I could steal 300.00 a day

For about one (or maybe two) days, before the bank or cardholder noticed and cancelled the card. For this to work, you need lots of PINs and just use each account once. The paper claims 20,000+ dollars per day (presumably this is based on how long it physically takes to use the ATM with several cards then move to another one before the cops arrive), and claims 2 million dollars total given a half-hour lunchbreak spent cracking PINs.

but if I owned a business why would I need to steal money?

Some people can never have enough money.

What really happened..

[Metallic Matty]

Citibank Tries to Hush ATM Crypto Vulnerability..

The problem was discovered in the syste-
*sounds of struggle*
Where are you throwing meeeeee...

Liability, Phantoms, and Security.

[nweaver]

One major difference between the US and UK is the liability on phantom and fradulent transactions. In the US, the bank has to prove you performed the transaction. In the UK, you have to prove that you did NOT perform the transaction.

This difference in liability results in vastly different response to vulnerabilities. In the US, a vulnerability like this is taken very seriously, and phantom transactions are tracked down as they cost the bank money. In the UK, since it is the customer left holding the bag, the banks just don't care until they are sued, and, when sued, will deny deny deny.

This is a classic example of Citibank trying to cover up a problem, because it allows the customer, in court, to prove that the problem is Citibank's.

I just had a thought. . .

[Rojo^]

The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers accounts because they claim their systems are secure."

What the fuck are there video cameras embedded in ATMs for? When do they turn on? Have my efforts to moon the bank people been completely in vain?

Article got /.ed. Text of the article below:

[JRHelgeson]

Protocol Analysis, Composability and Computation

Updated 20 February 2003

18 February 2003

To: ukcrypto@chiark.greenend.org.uk
Subject: Citibank tries to gag crypto bug disclosure
Date: Thu, 20 Feb 2003 09:57:34 +0000
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_g ag.pdf [cam.ac.uk]

I have written to the judge opposing the order:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_r esponse.pdf [cam.ac.uk]

The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines:

http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560 .pdf [cam.ac.uk]

These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike and I were working as expert witnesses on a `phantom withdrawal' case.

The vulnerabilities are also scientifically interesting:

http://cryptome.org/pacc.htm [cryptome.org]

For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers.

Curiously enough, Citi was also the bank in the case that set US law on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's an omen, if not a precedent ...

_____
Abstract

We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures. By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess. It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. In a single 30 minute lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw $30{50 thousand of this each day. This attack thus presents a serious threat to bank security.

-- Mike Bond and Piotr Zielinski

Decimalisation table attacks for PIN cracking [cam.ac.uk]

February 2003

-----

From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
To: ukcrypto@chiark.greenend.org.uk
Subject: Yet another failure of commercial cryptographic equipment
Date: Tue, 18 Feb 2003 17:52:13 +0000

I gave a talk at Cambridge yesterday in which I described a new and interesting family of attacks on cryptographic equipment. These attacks defeat machines such as the Racal RG7000 and the IBM 4758/CCA which are commonly used to protect the PINs and keys used in automatic teller machines.

The paper is available online at:

http://research.microsoft.com/~aherbert/volume63.p df [microsoft.com] [4.8MB] (link appears to be broken)

as pages 27-30 in the PDF. [HTML below]

I got a fax yesterday informing me that an application is to be brought in the High Court, it seems by Citibank, on Thursday 20th February for `relief in relation to the protection of information which they accept as being confidential and which ought not to be in the public domain.'

I hope that no English court would go so far as to censor already published material. However, one just can't tell these days ...

Protocol Analysis, Composability and Computation

Ross Anderson, Michael Bond
University of Cambridge, England

Security protocols early days

The study of security protocols has been associated with Roger Needham since 1978, when he published the seminal paper on the subject with Mike Schroeder [1]. The problem they investigated was how to distribute cryptographic keys in a network of computers. One solution is to have an authentication service with which all the principals share a key; then if Alice wants to chat with Bob (for example) she can call the service and get two encrypted messages containing the same session key one encrypted under the key she shares with the service so she can read it, and one encrypted under the key Bob shares with the service so Bob can read it. She can now send the second of these to Bob to establish secure communication. The mechanism that Needham and Schroeder designed for this evolved into Kerberos, which is now part of Windows and is probably the most widely used of all authentication protocols.

Security protocols are now embedded in a great many applications, but it is common to find unexpected bugs in them. For example, many banks used to encrypt each customers PIN using a key known to their ATMs and write it on the ATM card magnetic strip. The idea was to provide a limited service when the network was down. Years later, a villain discovered that the account number and the encrypted PIN were not linked: he could make up a bank card with his own encrypted PIN but someone elses account number, and loot their account. He went on to steal a lot of money, and once in prison wrote a manual telling everyone else how to do it too. The banks had to spend millions on changing their systems.

Clarifying the assumptions

Researchers started to gnaw away at the protocols described in the literature and found fault with essentially all of them. The failure to bind protocol elements was one frequent problem; another was that old messages could be replayed. In the case of the original Needham-Schroeder protocol, for example, the freshness of the key generated by the server was guaranteed to only one of the principals. This was not necessarily an attack, as its inventors only claimed to protect honest insiders from dishonest outsiders. However, it led to a debate about the assumptions underlying security protocol design. Do we protect only against outsiders, or against insiders? Against the malicious, or the merely careless? For example, if we use timestamps to guarantee protocol freshness, are we vulnerable to principals who carelessly let their clocks run slow? Do we only consider an attacker to have won if he can impersonate an authorised principal, or do we need to stop people abusing the protocol mechanisms to perform a service denial attack?

The early attacks led to a second seminal paper, which Roger wrote with Mike Burrows and Martin Abadi in 1989 [2], and which introduced a logic of authentication. This enables an analyst to formalise the assumptions and goals of a security protocol, and to attempt to prove its correctness. When a proof cannot be found, the place at which one gets stuck often shows where an attack can be mounted. This style of analysis turned out to be very powerful, and a large literature quickly developed in which the BAN Logic and other formal tools were developed and extended to tackle a range of problems in protocol design.

One of the remarkable things about the study of security protocols is that they have not become a solved problem. One might think that managing the objects associated with authenticating users over a network passwords, keys and the like was a fairly compact problem which would have been done to death within a few years. However, the more we dig, the more we find.

Since 1992, Roger has hosted a protocols workshop every Easter. Early events dwelled on matters of authentication and logic, but by the mid-90s, the growing interest in electronic commerce was yielding papers on mechanisms for micropayments, bets, streaming media, mobile communications and electronic voting. Later years brought work on PKI, trust management and copyright enforcement. More and more problems come along as more and more businesses reinvent themselves online; threat models have also become more realistic, with dishonest insiders displacing the mythical evil hacker on the Internet.

Dishonest insiders, and the composition problem

Over the last two years, we have been exploring exactly how one might re-engineer cryptography to cope with dishonest insiders. One conclusion is that the analysis of security protocols must be extended to application programming interfaces. This is because the crypto keys used in authentication and payment protocols are often kept in separate hardware security processors, or at least in cryptographic libraries, to which access can be restricted using physical or logical mechanisms. However, an interface has to be exposed to the application program, which will occasionally be suborned whether by a corrupt insider, or by malware. How much harm can be done, and how can we limit it?

Protecting protocols was hard enough, and yet the typical protocol consists of 35 messages exposed to manipulation. The API of a modern crypto library or hardware cryptoprocessor may contain 30500 callable functions, many with a range of options. This provides a very rich and complex environment for mischief.

Attacks often involve using two separate mechanisms provided by the cryptoprocessor for different purposes, each of which could be innocuous by itself but which combine to cause trouble. For example, it is common to compute a customer PIN by encrypting the account number with a PIN derivation key: the cryptoprocessor then returns the PIN encrypted with a PIN storage key, so that the application has no access to its clear value. So far, so good. Then there is another transaction that can be used to encrypt a communications key under the terminal key loaded in an ATM. Here things start to go wrong, as the cryptoprocessor does not distinguish between a terminal key and a PIN derivation key; it considers them both to be of the same type. The upshot is that an attacker can supply the device with an account number, claiming that it is a communications key, and ask for it to be encrypted under the PIN derivation key.

Attacks like this extend protocol analysis all the way to the composition problem the problem that connecting two systems that are secure in isolation can give a composite system that leaks. This had previously been seen as a separate issue, tackled with different conceptual tools.

Differential protocol analysis

We are now working on the second generation of API attacks, which exploit the application syntax supported by the cryptographic service. These attacks are even more powerful, and at least as interesting from the scientific point of view. PIN generation provides a neat example here too. In more detail, the standard PIN computation involves writing the result of the encryption as a hex string and decimalising it. As some banks like to let customers change their PIN to a more memorable number, there is a provision to add an offset to give the PIN that the customer actually enters: Account number: 8807 0123 4569 1715 PIN derivation key: FEFE FEFE FEFE FEFE Encrypted account number: A2CE 126C 69AE C82D Natural (decimalised) PIN: 0224 Offset: 6565 Customer PIN: 6789

The typical implementation requires the programmer to send the cryptoprocessor the account number, a table describing the decimalisation (here, 0123 4567 8901 2345) and the offset. The processor returns the PIN, encrypted under the PIN storage key. The designers do not seem to have realised that a crooked programmer can manipulate the decimalisation table and the offset as well as the account number. A multitude of attacks follow. For example, one can send in an account number with a decimalisation table of 1111...11 to find out the ciphertext corresponding to a clear PIN of 1111, and then with a decimalisation table of 0111...11 to see if there is a zero in the first four digits of the encrypted account number (if so, the PIN, and thus the ciphertext output, will be different). By manipulating the decimalisation table further, he can get all the digits in the PIN, and by then playing with the offset he can get their order. In total, the attack requires only 1525 unprivileged cryptoprocessor transactions to discover the PIN on a single target account.

This second type of attack takes protocol analysis into yet another realm: that of differential attacks. Over the last ten years, a number of techniques have been invented for attacking cryptographic systems by bombarding them with inputs with chosen differences.

For example, in differential cryptanalysis, one analyses the changes in the output of the encryption algorithm; while with differential power analysis, one measures changes in the current consumption or electromagnetic emissions of the equipment. Now we have examples of how consecutive runs of a protocol can leak information if the inputs are suitably chosen. The resulting differential protocol analysis appears to be very powerful against application-level crypto.

It will take us some time to figure out the general lessons to be drawn from attacks like this, the robustness principles that designers should use to avoid them, and the analysis techniques that might assure us of a particular designs soundness. The randomisation of all protocols (another feature of Rogers work) is likely to be important.

Quantitative analysis and multiparty computation

Various researchers have speculated about whether there might one day be a quantitative analysis of protocol security. This might be feasible for PIN processing applications as we can measure the information leakage per transaction in terms of the reduction of entropy in the unknown PIN. This leads in turn to a possible real-world application of an attack previously considered theoretical.

Gus Simmons wrote extensively on covert channels in protocols. One such channel that is always present is the balking channel when one of the principals in a protocol signals something by halting and refusing to continue. This is normally considered unimportant as its information capacity is only a third of a bit per transaction. But with systems designed to cope with large transaction volumes, this need no longer hold. For example, a Trojanned cryptoprocessor could balk when it sees a predetermined PIN. If the PIN length were eight digits, this would be unlikely to hinder normal operation, but at a thousand transactions a second, a programmer could quickly find a number in a typical nine-digit account number range with just this PIN, and open an account for it. Once this kind of problem is appreciated, one can start to look for attacks that involve inducing rare error conditions that cause the cryptoprocessor to abort a transaction. (They exist.)

A third emerging link is between protocol analysis and secure multiparty computation. In application-level crypto we may have several inputs to a computation, some of them coming from an untrusted source, and we have to stop users manipulating the computation to get outputs useful for bad purposes. In the PIN decimalisation example above, one might try to solve the problem by blocking tables such as 1111...11. Yet an attacker can get by with scarcely more work by using two normal-looking tables that differ slightly (another kind of differential attack). We might therefore think that if we cant sanitize the inputs to the computation, perhaps we can authenticate them, and use only those tables that real banks actually use. But building every bank in the world into our trust base is what we were trying to avoid by using cryptography!

Conclusion

The protocol work that started off a quarter of a century ago may have seemed at the time like a minor detail within the larger project of designing robust distributed systems. Yet it has already grown into the main unifying theme of security engineering. Application-level protocols, and especially those from which an attacker can harvest data over many runs, open up new problems. The resulting analysis techniques are set to invade the world of composable security, and the world of multiparty computation. The influence, and the consequences, of Rogers contribution just keep on growing.

References

1. NEEDHAM, R.M. AND SCHROEDER, R.M., Using encryption for authentication in large networks of computers. [yale.edu] Comm. ACM, vol. 21, no. 12, pp. 993-999, 1978.

2. BURROWS, M. ABADI, M. AND NEEDHAM, R.M., A logic of authentication [dec.com], ACM Transactions on Computer Systems, vol. 8, no. 1, pp. 18-36, 1990.

Too late..

[xchino]

I just downloaded the pdf. I'm sure thousands of others have as well. If they manage to get a BS gag order, I'll happily send my archived copy to a web server outside the US.

It's a ridiculous scam, and if it works, that simply reflects the propensity of lack of true patriotism among those in charge.

An old vulnerability

[frovingslosh]

This seems the right time and place to relate a story about a 30 year old ATM bug I heard about:

A student at my old school noticed once that the ATM machine had a problem and so voided the transaction he was making. He also noted that the ATM gave him his money before it gave the ATM card back.

He went up to an ATM one evening and slipped in his card. Pushed all the righ buttons to take out his daily limit. Took the cash. The ATM asked if he wanted to do anything else, he said no. As the ATM was about to eject his card, he put his hand in front of the slot. The ATM displayed that there was a jam. It voided the transaction and displayed that it was unavailable. He removed his hand and was able to grab the card by it's edge and pull it out. The ATM sensed the jam was cleared and displayed it was ready for business.

The procedure was repeated. and repeated. and repeated. Eventually the ATM was empty.

The next day he went into the bank, put down a pile of cash and explained to the manager that they had a problem.

Re:An old vulnerability

[blair1q]

When does he get out of prison?

My experience with ATM cameras...

[bearl]

So here's my ATM camera story...

In 1983, my first job out of college was as an internal auditor at a small regional bank that had only seven branches. We were just installing ATMs and most of our customers were elderly types who weren't interested in these new fangled computers. I, being young and more enlightened, loved them, used them all the time, and rarely carried much cash at all, preferring to just stop by a convenient ATM for a fresh withdrawal. This was in the days when banks considered ATMs as a money saver because customers would use the ATM rather than coming inside to bother a teller, thus saving the bank loads of money by reducing the number of tellers they had to employ, so there were no fees. But I digress...

One of our older patrons had his ATM card misappropriated by a handyman, family member, or other close associate, and said villian used the card to make several large withdrawals. The customer reported the problem, we told the system to capture the card on the next use, and waited.

Within a week, the card was used, and captured. The film from the camera was sent off (these days it's probably digital). The ATM company found that either our tellers had been ordering the wrong kind of film for our ATMs, or they had been sending us the wrong kind, or the tellers where installing it wrong, or something. They sent a note with that info to our President, explaining that the photo was probably the wrong person and wouldn't hold up in court, along with the developed photograph.

Fortunately he read the note before he looked at the photograph, because the guy in the photo was me! He came into my office and with as serious an expression as he could manage, told me they had the photo back, and had their man (I didn't know about the problem with the film at this point). He slid open the envelope, and there in stark black and white was me, probably on a Saturday morning, unshaven and in a dirty Ramones t-shirt.

I stuttered for a few seconds but he couldn't hold it together and started laughing. Needless to say that photo appeared all over the bank for the next several years, along with signs like "Have you seen this man?" and "Do not serve - notify security." We figured that since I used the ATM so much, I was probably on 85% of the photos on the film. The odds were pretty good that with the indexes being wrong I would come up, but it couldn't have been a worse photograph.

Oh, eventually the real crook was caught because he came into the bank to complain that the ATM had taken "his" card and the replacement hadn't arrived yet.

The real issue

[SiliconEntity]

Few of you have read the document from Citibank [cam.ac.uk]. In the first place, it's not even Citibank! It's Diner's Club, and specifically Diner's Club South Africa, which is suing two customers who refuse to make good on supposed ATM withdrawals. (The withdrawals were made in England while the customers were in South Africa.)

In the second place, the really funny part is that Diner's Club South Africa is trying to force Diner's Club International to produce experts to testify! DCI didn't want to help DCSA to this degree so DCSA is trying to get the courts to force them to help.

But the main point is that the "gag order" reads as follows:

The parties, their legal representative and their experts shall keep confidential all information revealed during the examination and such information shall not be used for any purpose other than the purposes of the Proceedings and the parties shall take all steps necessary to keep such information confidential

This is what Ross Anderson objects to. He agrees that if the DCI experts testify about confidential information regarding the workings of the ATM system, that that should be kept secret. But he doesn't want the secrecy order to be so broad that it would interfere with him and his students publishing data based on publicly available information. He wants to make sure that the secrecy order is drawn to clarify the distinction between information that is available elsewhere and confidential information revealed by the experts.

So when you look at it this way, it's not at all the black and white issue that is being presented here. Neither Diner's Club nor Citibank is seeking a "gag order" to suppress discussion of vulnerabilities. They just want to make sure that confidential testimony by their experts (information which they are contractually bound to keep confidential based on their relationships with others in the financial community) is kept secret. And the only issue is the technical details of how to draft the secrecy order.

In short, it's a tempest in a teapot. Move along, folks. There's really nothing to see here.

Question (from the vulnerability report)

[giminy]

Quoth the report:

"However, HSMs [Hardware Security Modules] implementing several common PIN generation methods have a flaw. The first ATMs were IBM 3624s, introduced widely in the US in around 1980, and most PIN generation methods are based upon their approach. They calculate the customer's original PIN by encrypting the account number printed on the front of the customer's card with a secret DES key called a 'PIN generation key'."

Weird. So they're talking about _generated_ PINs. Every bank account I've opened in the last 7 years, I've been able to request my PIN. And if I wanted to change it, I request what to change it to. Does any bank actually still use this method?

I'm a wee bit confused....

Re:Question (from the vulnerability report)

[Beryllium Sphere(tm)]

The system stores an offset which is the difference between your chosen PIN and the calculated PIN.

Not suprising

[j_kenpo]

This is not very suprising at all.Having worked for Citibank, I can vouch for their poor security and joke of a ethical hack process, Im not suprised that their ATM's (Global CATS is what they are called internaly) encryption scheme for PIN numbers is poor. If I remember correctly, its actually a VB app on a PC. The goal of the ATM was focused more on ease of use and accessibility, or so the training would lead you to believe. Im not exactly sure what the process is in the Branches for PIN assignment, but with the cluelessness of their CGTI (Citigroup Technical Infastrucutre) and their development team, I wouldnt be suprised if these boxes were more vunerable to other attacks. There used to be sites like citibanksucks.com and shitibank.com (I dont think they are still around, I think they were "silenced") that used to point out flaws in Citis systems. They arent the first to sweep bad press under the rug though.

4 digits anyway

[Darth_Burrito]

Alright I realize this is "different" but ... come on ... how much can we can complain about the secrecy of a 4 digit number. There's only 10,000 different combinations. What pisses me off is my bank uses the pin numbers for your online banking password and they use your frickin social security number as the username. You get 3 tries on every account. So how hard is that to automate a hack?

How many morons we got on this ship?

Re:in case of /.

[Anonymous Coward]

Nice formatting, why not go vomit on some toddlers while you're at it?

So easy to read!

[Anonymous Coward]

Thanks for making sure it looked okay!

Mirror (was: Re:in case of /.)

[cetan]

How about this:

http://www.phule.net/mirrors/pacc.htm [phule.net]

for formatting? :)

Mirror: Formatted Correctly

[purduephotog]

Updated 20 February 2003

18 February 2003

To: ukcrypto@chiark.greenend.org.uk
Subject: Citibank tries to gag crypto bug disclosure
Date: Thu, 20 Feb 2003 09:57:34 +0000
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_g ag.pdf [cam.ac.uk]

I have written to the judge opposing the order:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_r esponse.pdf [cam.ac.uk]

The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines:

http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560 .pdf [cam.ac.uk]

These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike
and I were working as expert witnesses on a `phantom withdrawal' case.

The vulnerabilities are also scientifically interesting:

http://cryptome.org/pacc.htm [cryptome.org]

For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in
many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers.

Curiously enough, Citi was also the bank in the case that set US law on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's
an omen, if not a precedent ...
_____

Abstract

We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures. By using adaptive decimalisation tables and guesses, the
maximum amount of information is learnt about the true PIN upon each guess.
It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. In a single 30 minute
lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw $30{50 thousand of this each day. This attack thus presents a serious threat to bank security.

-- Mike Bond and Piotr Zielinski
Decimalisation table attacks for PIN cracking [cam.ac.uk]
February 2003

-----

From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
To: ukcrypto@chiark.greenend.org.uk
Subject: Yet another failure of commercial cryptographic equipment
Date: Tue, 18 Feb 2003 17:52:13 +0000

I gave a talk at Cambridge yesterday in which I described a new and interesting family of attacks on cryptographic equipment. These attacks defeat machines such as the Racal RG7000 and the IBM 4758/CCA which are commonly used to protect the PINs and keys used in automatic teller machines.

The paper is available online at:

http://research.microsoft.com/~aherbert/volume63.p df [microsoft.com] [4.8MB]

as pages 27-30 in the PDF. [HTML below]

I got a fax yesterday informing me that an application is to be brought in the High Court, it seems by Citibank, on Thursday 20th February for `relief in relation to the protection of nformation which they accept as being confidential and which ought not to be in the public domain.'

I hope that no English court would go so far as to censor already published material. However, one just can't tell these days ...

Protocol Analysis, Composability and Computation

Ross Anderson, Michael Bond

University of Cambridge, England

Security protocols early days

The study of security protocols has been associated with Roger Needham since 1978, when he published the seminal paper on the subject with Mike Schroeder [1]. The problem they investigated was how to distribute cryptographic keys in a network of computers. One solution is to have an authentication service with which all the principals share a key; then if Alice wants to chat with Bob (for example) she can call the service and get two encrypted messages containing the same session key one encrypted under the key she shares with the service so she can read it, and one encrypted under the key Bob
shares with the service so Bob can read it. She can now send the second of these to Bob to establish secure communication. The mechanism that Needham and Schroeder designed for this evolved into Kerberos, which is now part of Windows and is probably the most widely used of all uthentication protocols.

Security protocols are now embedded in a great many applications, but it is common to find unexpected bugs in them. For example, many banks used to encrypt each customers PIN using a key known to their ATMs and write it on the ATM card magnetic strip. The idea was to provide a limited service when the network was down. Years later, a villain discovered that the account number and the encrypted PIN were not linked: he could make up a bank card with his own encrypted PIN but someone elses account number, and loot their account. He went on to steal a lot of money, and once in prison wrote a manual telling everyone else how to do it too. The banks had to spend millions on changing their systems.

Clarifying the assumptions

Researchers started to gnaw away at the protocols described in the literature and found fault with essentially all of them. The failure to bind protocol elements was one frequent problem; another was that old messages could be
replayed. In the case of the original Needham-Schroeder protocol, for example, the freshness of the key generated by the server was guaranteed to only one of the principals. This was not necessarily an attack, as its inventors only
claimed to protect honest insiders from dishonest outsiders. However, it led to a debate about the assumptions underlying security protocol design.
Do we protect only against outsiders, or against insiders? Against the malicious, or the merely careless? For example, if we use timestamps to guarantee protocol freshness, are we vulnerable to principals who carelessly let their clocks
run slow? Do we only consider an attacker to have won if he can impersonate an authorised principal, or do we need to stop people abusing the protocol
mechanisms to perform a service denial attack?

The early attacks led to a second seminal paper, which Roger wrote with Mike Burrows and Martin Abadi in 1989 [2], and which introduced a logic of
authentication. This enables an analyst to formalise the assumptions and goals of a security protocol, and to attempt to prove its correctness. When a proof cannot be found, the place at which one gets stuck often shows where an attack can be mounted. This style of analysis turned out to be very powerful, and a large literature quickly developed in which the BAN Logic
and other formal tools were developed and extended to tackle a range of problems in protocol design.

One of the remarkable things about the study of security protocols is that they have not become a solved problem. One might think that managing the
objects associated with authenticating users over a network passwords, keys and the like was a fairly compact problem which would have been done to death within a few years. However, the more we dig, the more we find.

Since 1992, Roger has hosted a protocols workshop every Easter. Early events dwelled on matters of authentication and logic, but by the mid-90s, the growing interest in electronic commerce was yielding papers on mechanisms for micropayments, bets, streaming media, mobile communications and electronic voting. Later years brought work on PKI, trust management and copyright enforcement. More and more problems come along as more and more businesses reinvent themselves online; threat models have also become more realistic, with dishonest insiders displacing the mythical evil hacker on the Internet.

Dishonest insiders, and the composition problem

Over the last two years, we have been exploring exactly how one might re-engineer cryptography to cope with dishonest insiders. One conclusion is that the analysis of security protocols must be extended to application programming interfaces. This is because the crypto keys used in authentication and payment protocols are often kept in separate hardware security processors, or at least in cryptographic libraries, to which access can be restricted using physical or logical mechanisms. However, an interface has to be exposed to the application program, which will occasionally be suborned whether by a corrupt insider, or by malware. How much harm can be done, and how can we limit it?

Protecting protocols was hard enough, and yet the typical protocol consists of 35 messages exposed to manipulation. The API of a modern crypto library or hardware cryptoprocessor may contain 30500 callable functions, many with a range of options. This provides a very rich and complex environment for mischief.

Attacks often involve using two separate echanisms provided by the cryptoprocessor for different purposes, each of which could be innocuous by itself but which combine to cause trouble. For example, it is common to compute a customer PIN by encrypting the account number with a PIN
derivation key: the cryptoprocessor then returns the PIN encrypted with a PIN storage key, so that the application has no access to its clear
value. So far, so good. Then there is another transaction that can be used to encrypt a communications key under the terminal key loaded in an ATM. Here things start to go wrong, as the cryptoprocessor does not distinguish between a terminal key and a PIN derivation key; it considers them both to be of the same type. The upshot is that an attacker can supply the device
with an account number, claiming that it is a communications key, and ask for it to be encrypted under the PIN derivation key.

Attacks like this extend protocol analysis all the way to the composition problem the problem that connecting two systems that are secure in
isolation can give a composite system that leaks. This had previously been seen as a separate issue, tackled with different conceptual tools.

Differential protocol analysis

We are now working on the second generation of API attacks, which exploit the application syntax supported by the cryptographic service. These attacks are even more powerful, and at least as interesting from the scientific point of view. PIN generation provides a neat example here too. In more detail, the standard PIN computation involves writing the result of the encryption as a hex string and decimalising it. As some banks like to let customers change their PIN to a more memorable number, there is a provision to add an offset to give the PIN that the customer actually enters:
Account number: 8807 0123 4569 1715
PIN derivation key: FEFE FEFE FEFE FEFE
Encrypted account number: A2CE 126C 69AE C82D
Natural (decimalised) PIN: 0224
Offset: 6565
Customer PIN: 6789

The typical implementation requires the programmer to send the cryptoprocessor the account number, a table describing the decimalisation (here, 0123 4567 8901 2345) and the offset. The processor returns the PIN, encrypted under the PIN storage key. The designers do not seem to have realised that a crooked programmer can manipulate the decimalisation table and the offset as well as the account number. A multitude of attacks follow. For example, one can send in an account number with a decimalisation table of 1111...11 to find out the ciphertext corresponding to a clear PIN of 1111, and then with a decimalisation table of 0111...11 to see if there is a zero in the first four digits of the encrypted account number (if so, the PIN, and thus the ciphertext output, will be different). By manipulating the decimalisation table further,
he can get all the digits in the PIN, and by then playing with the offset he can get their order. In total, the attack requires only 1525
unprivileged cryptoprocessor transactions to discover the PIN on a single target account.

This second type of attack takes protocol analysis into yet another realm: that of differential attacks. Over the last ten years, a number of techniques have been invented for attacking cryptographic systems by bombarding them with inputs with chosen differences.

For example, in differential cryptanalysis, one analyses the changes in the output of the encryption algorithm; while with differential power analysis, one measures changes in the current consumption or electromagnetic emissions
of the equipment. Now we have examples of how consecutive runs of a protocol can leak information if the inputs are suitably chosen. The resulting differential protocol analysis appears to be very powerful against
application-level crypto.

It will take us some time to figure out the general lessons to be drawn from attacks like this, the robustness principles that designers should use to avoid them, and the analysis techniques that might assure us of a particular
designs soundness. The randomisation of all protocols (another feature of Rogers work) is likely to be important.

Quantitative analysis and multiparty computation

Various researchers have speculated about whether there might one day be a quantitative analysis of protocol security. This might be feasible for
PIN processing applications as we can measure the information leakage per transaction in terms of the reduction of entropy in the unknown PIN. This
leads in turn to a possible real-world application of an attack previously considered theoretical.

Gus Simmons wrote extensively on covert channels in protocols. One such channel that is always present is the balking channel when one of the principals in a protocol signals something by halting and refusing to continue. This is normally considered unimportant as its information capacity is only a third of a bit per transaction. But with systems designed to cope
with large transaction volumes, this need no longer hold. For example, a Trojanned cryptoprocessor could balk when it sees a redetermined PIN. If the PIN length were eight digits, this would be unlikely to hinder normal
operation, but at a thousand transactions a second, a programmer could quickly find a number in a typical nine-digit account number range with just this PIN, and open an account for it. Once this kind of problem is appreciated, one can start to look for attacks that involve inducing rare error conditions that cause the cryptoprocessor to abort a transaction. (They exist.)

A third emerging link is between protocol analysis and secure multiparty computation. In application-level crypto we may have several inputs to a computation, some of them coming from an untrusted source, and we have to
stop users manipulating the computation to get outputs useful for bad purposes. In the PIN decimalisation example above, one might try to solve the problem by blocking tables such as 1111...11. Yet an attacker can get by with scarcely more work by using two normal-looking tables that differ slightly (another kind of differential attack). We might therefore think that if we cant sanitize the inputs to the computation, perhaps we can authenticate them,
and use only those tables that real banks actually use. But building every bank in the world into our trust base is what we were trying to avoid by
using cryptography!

Conclusion

The protocol work that started off a quarter of a century ago may have seemed at the time like a minor detail within the larger project of designing robust distributed systems. Yet it has already grown into the main unifying theme of security engineering. Application-level protocols, and especially those from which an attacker can harvest data over many runs, open up new problems.
The resulting analysis techniques are set to invade the world of composable security, and the world of multiparty computation. The influence, and the consequences, of Rogers contribution just keep on growing.

References

1. NEEDHAM, R.M. AND SCHROEDER, R.M.,
Using encryption [yale.edu]
for authentication in large networks of computers. Comm. ACM, vol.
21, no. 12, pp. 993-999, 1978.

2. BURROWS, M. ABADI, M. AND NEEDHAM, R.M.,
A [dec.com]
logic of authentication, ACM Transactions on Computer Systems,
vol. 8, no. 1, pp. 18-36, 1990.

Re:in case of /.

[PhxBlue]

The hell? This isn't informative--without any sort of formatting, it's painful!

Re:How do banks secure ATM lines?

[Lxy]

The ATMs I've seen are POTS lines. The older machines actually dial up to somewhere, the newer ones either found a better way to do it or turned off the modem speaker. As for what's being done I don't know, but doing RSA over PPP sounds like a decent, flexible option.

Re:POTS

[Lxy]

Plain Old Telephone System.

Yes, POTS is a POS.

Re:How do banks secure ATM lines?

[SquadBoy]

They are some kind of leased line. We have customers that run on Frame, ISDN, and yes even dialup but mostly they go into some kind of Frame cloud. No they are not satelite and although a few people are trying to do them over VPNs it is for obvious reasons thought of as being a *very* bad thing. While this does not apply to what they are talking about in the article they mostly use 3DES for all the traffic that goes over the line. So an attacker could most likely wardial and find the dial backup lines and try to get in that way. But why bother with that when most places have dial in lines on their mainframes. Other than that if you had or could get access to the Frame cloud you could try. But at least the ones I work with are *very* hardened and most likely not worth the time /effort to break them remotly because it is hard to get cash over a line and breaking a ATM does not really get you into the mainframe. Far better and easier to try to break the mainframe mostly because there are far more ways to get to them and banks etc. do not pay nearly as much attention to security as you would think. This in spite of the fact that I yell at people all day long on the subject but I'm just one guy and they consider me paranoid. Gawd I hate people. Anyway hope the above answers your questions which could be summed up as I've never heard of anybody breaking them remotely and it would be *very* hard to do so.

They don't need to in many cases.

[rnicey]

What goes across the line is mostly a hash of the pin and some data stored on the card. That's why ATM transactions can only typically occur with card present. I believe this vunerability is based on a weak hash algorithm or something in that region that allows you to derive the original pin much quicker than the 5000 or so guess normally required.

Therefore you'd also need to steal the physical card and make a dupe, so I'm not sure of the potential loss here. Other places where pins are asked for such as online banking may be vunerable however.

I'm probably missing something here, but I'm fairly sure from the Visa transaction specs I've got sitting here you need data from the card and the pin to initiate a transaction. Could be wrong :)

Re:They don't need to in many cases.

[KernelHappy]

The parent post is mostly correct except that there are a few satelite based ATM's. IIRC military credit union(s) use them for ATM's deployed on large warships or remote bases. But most ATM's are leased line and/or terminated to a frame relay cloud somewhere. ATM's ustilizing POTS are a more recent development (mid 90's) and are generally reserved for low traffic volume locations such as convenience stores and boobie bars. But the advent of the ATM surcharge has vaulted the number of POTS based ATM's to new heights. What goes across the line is considerably more than a hash of the pin and some data stored on the card. There is information such as the type of transaction, ther terminal ID of the machine it's coming from, transaction sequence number, etc. A copy of the data stored on the mag stripe is also usually sent in the transaction request. This additional information is necessary for reconciliation of funds as well as tracking customer problems.

Unfortunately a large portion of the security in the debit processing industry is by obscurity, minimizing theft incident values and by keeping the system sealed. In order to exploit these networks a user on the inside is usually necessary and the process of exploitation will leave that persons "fingerprints" all over the theft. Without a person on the inside the actual amounts a person could steal are rather small (thank the theives the next time you need $500 from your ATM card and your bank only allows you to withdraw $400 a day).

The biggest problem is that the debit industry relies on legacy systems. Trying to retrofit the authorization process to use newer technologies is both difficult and extremely expensive and would require industry wide cooperation.

Re:How do banks secure ATM lines?

[Rich0]

No they are not satelite and although a few people are trying to do them over VPNs it is for obvious reasons thought of as being a *very* bad thing.

You mean like running your ATM network [cotse.com] from a system accessible by the general internet?

Re:How do banks secure ATM lines?

[greechneb]

Basically, there are two options for an ATM,

Either POTS (plain old telephone service) with a modem dialing in to a service provider, whether it be the bank itself, or outsourced.

or Leased Line - always connected to the service provider.

Encryption is going towards all triple DES encryption within the next year. The ATMs that I have been dealing with all run a form of OS2 for the operating system.

The majority of ATMs just have a dial up line that is set to block incoming calls, so the only connection is being made from the ATM to the service provider.

Re:How do banks secure ATM lines?

[froth]

Everyone has mentioned that ATMs use POTS. This is true. But most of them use a dial-back feature to increase secuirty. They phone home (a pre-configured number, the only way to change this number is to physically open the ATM), hang up and wait for the return call. They will not answer unless they have called out first. ATMs are pretty damn secure.

Re:How do banks secure ATM lines?

[rusty0101]

There are several different methods used.

There are two basic ATM types. IP connected, and bisync/sdlc connected.

IP connected use routers with frame and dedicated circuit connections. Some may be using VPNs with ISPs, but none that I have worked with do.

Biysnc/sdlc connected atms may use a link converter to become effectively IP connected ATMs. As new ATMs come out, those connected via link converters are being replaced.

Those atms that are not connected via a link converter and ip based network use one of three types of connection. Point to point, point to multi-point, and dial. Point to point and point to multi-point may use either analog or digital leased lines.

Dial up atms use a "modem" that acts as a remote front end for the back end system.

Encryption of the data on the line is handled by the end points. Links between the banks that allow information about your account to be retrieved, or approval for debits and deposits to happen at the atm are also encrypted at several points. Both end point computers encrypt their transactions, the lines themselves use encryptors as well.

There are some variations to these designs. Each ATM provider uses their own design, and may use a variety of methods to implement ATMs in a particular region, simply to prevent one problem taking down all of the ATMs in an area.

I have seen atms implemented using CDPD for temporary instalations.

Satelite connected installations are extreamly rare. The current network infrastructure via sattelite is either extreamly expensive with low latency, as for example Iridium, or reasonable cost with high latency, via geo-stationary sats. 30Mm adds a 10th of a second in each direction just for speed of light. In a polled environment (bisync/sdlc) a half second delay for each polled device would make atm responsiveness extreamly unpleasent. A bisync line supports up to 32 devices. With Geosync sats, that means that there would be a built in 16 second delay between polls. SDLC supports up to 255 devices, or over 2 minutes. With the existing latency in the back end, getting that kind of a delay in your transactions would be extreamly unpleasent.

The situation may change if prices improve for GlobalStar, but I wouldn't expect it to be used any time soon.

As has been mentioned elsewhere, breaking into an atm remotely would be pretty much useless. You can not interact with the device over such a connection, no telnet, ftp or http servers, nor a command prompt interact with this line. So you will not be able to install data capture tools, or tell the atm to watch for your card and multiply your request authorizations.

As the article points out, you could spoof a withdrawl, but spoofing a deposit will be voided by no deposit in the atm.

I could be wrong however. Just remember that attempting a man in the middle attack for any connection across a telco connection constitutes wire fraud.

-Rusty

Re:atm pins

[TheRaven64]

Am I going crazy?
Yes.

Re:atm pins

[Hell O'World]

I bet you are getting your K5 mixed up with your /.
Happens to me all the time. I almost submitted it here when I saw it there, but my last 4 submissions were are rejected :( so I didn't bother.

Was on kuro5hin earlier...

[Skim123]

perhaps that's where you saw it.

Re:Wouldn't have happened....

[doubtless]

Well, taken from http://www.sophos.com/support/faqs/savos2.html [sophos.com]:

There are no OS/2 specific viruses in circulation but OS/2 computers can still be affected:

* Macro viruses that infect Word, Excel and other Windows mode applications can spread as usual.
* Boot sector viruses can affect the master boot sector, the OS/2 boot sector and the Boot Manager.
* DOS executable file viruses can run on OS/2 systems and infect other DOS executables.
* Any type of file can be stored on an OS/2 server and could infect a vulnerable workstation.

So yes, there are hacks that will affect OS/2, though they might not target OS/2 exclusively.

Re:Fees...

[Lawbeefaroni]

They're not completely secure because if they were, it would put a dent in all that dough they're raking in. Security through obscurity is free, security that is secure isn't.

A second ATM PIN crack in NEWS today

[goombah99]

oops...posting with the correct formatting this time:
The Register reports [theregister.co.uk]that Mike Bond and Piotr Zielinski have detailed how any ATM programmer (bank, repairman, etc..) insider can crack any ATM PIN in just 15 guesses. Banks use a hardware encryption scheme to avoid the having a crackable psswd-like file. Oops...turns out theres a hole in the hardware design. Direct link to download [cam.ac.uk]the pdf paper.

Here is how the crack works.

first you have to understand how the pin is generated.

banks had two problems they needed to solve, first an ATM had to be able to verify a card even if it went off-line from the bank computers. Thus to allow for on the spot verification, the pin has to derivable from the card somehow. Second, they also did not want to endure the security risk having to distribute a list of all PIN numbers of all cards to all machines, even if it was encrypted.

So the scheme they came up with is they take your PIN number and DES encrypt it, and the first four digits of the encrypted number becomes your base PIN. Then to allow you to change your pin, they permit an offset number. Since knowing this offset number does not tell anyone the base PIN, these offset numbers can be kept in the public domain and distributed worldwide.

thus when you type in your "pin" number to an ATM the sequence of steps is the machine reads the account code off the mag stripe, DES encodes it, grabs the first four numbers, adds your public offset, and compares it to the number you typed in at the key pad.

to keep everything secure the entire process is done in hardware. So even a priviledged bank employee could not have access to the encrypted account code and thus learn the PIN.

But wait, there's just one teeny tiny extra step I omitted that causes all the problems. when you DES encode something you get back a HEX number and since PINS are decimal you have to convert it to a decimal number. There's lots of ways you could do this, but what is done is simply to have a table that maps the 15 hex digits 0...F many-to-one down to 0...9.

Again still no problem if this mapping had been done in hardware. Unfortunately, it was not viewed as a securtiy risk and this mapping table is not fixed but is rather a software input to the hardware unit. Any one with access to the hardware device such as a priviledged bank employee or a repair man, or someone who found one at a salvage yard can send a substitute table to the hardware. And thats where the problem lies.

The paper gives several crack approaches one of which takes 15 tries maximum and is not easily explianed in a few words. they also give a simpler approach that takes max of 46 steps to get the pin which I'll explain.

first change the many-to-one mapping to all zeros, except for 1 digit. say this digit is a 3. Then type in a trial PIN of 0000. the hardware unit will say this pin is a correct match unless the encrypted Account number happens to have a 3 anywhere in it. (all other get mapped to zero) Next Change the map to all zeros, except say for say the digit 4, and repeat. after trying all ten digits, you know know which digits are in the PIN number. Now you just try all permuations of these. worst case is a total of 36+10=46 trials.

Their other algorithm is more efficient (only 15 trials maxiumum), but you get the idea.

I note that this is a big problem for the banks. The reason is that it would not simply do to replace the hardware units with ones that have a fixed map table. The PINS are crackable by anyone who still has one of the old hardware units. To fix the system they would have to both change all of the ATM hardware, change the DES salt in the hardware (to render old machines useless), and change everyone's PINS. this would all have to be done simultaneouly, world wide in every ATM for the banking systems ATMs not to stop working for customers. alternatively I guess they could upgrade all the hardware slowly if they were willing to leave the crack in place until they finished. to do this they woul have to have two sets of offsets. one for the new machines and one for the old machines. the cards would remain crackable until the last machine was removed and the users changed their PIN numbers.

I note that in a real system it only takes about 5000 tries on average to crack a 4 digit pin. However, the hardware units limit the rate of trials, so that reducing the number of trials by a couple orders of magnitude is significant.

The real threat

[goombah99]

After pondering this some I have come to the conclusion that this is a real threat. at first I dismissed it because it was going to take a bank employee with access to programming the machines low level inputs, plus a Very large list of card numbers, plus access to the pin offsets, plus a way to launder the money, plus the ability to make 15 tries without losing the card or having to override the system (which would get noticed).

but then I thought, well where could you do this an not get caught? how about North Korea or Nigeria. North Korea already mints high tech conterfeit US 100 dollar bills on government printing presses. So this would be small but useful potatoes.

but more important than the money, It also would make a nice weapon: UN provokes N. Korea, N korea dumps 100,000 cards with pins written on them in say the NY subway system. Next day all ATM banking is halted world wide. Nice little panic. Travelers stranded. Runs on banks as people have to now go inside to get money and they run out of cash. Anyhow you get the idea.

or maybe just one of the millions of merchant accounts visa hands out is owned by ..... well you name it.
Yikes

You know what sucks about this?

[PotatoHead]

Is that you can do nothing about it!

The banks current position is that everything works fine. Afterall, they do handle the world economy everyday, so your little small potatoes checking account is no big deal right?

Unless you can demonstrate a bank error that meets their criteria I might add, the bank basically says you must pay all fees like it or not.

So, let me tell you from experience, you are screwed. Either you pay even though you may not be totally in the wrong, or you don't.

If you pay, you will be out some cash, but the bank will be happy to let you continue doing business and will even screw you again later if you are willing.

If you don't pay, it gets worse. They charge off your account so they can get the tax benefit. They still send you to collections, and they report you to ChexSystems. This database will record your debt to your current bank and will be used as the reason you cannot get new accounts elsewhere. 95% of all banks use this. Getting a record removed is very difficult. The worst part is that even if you pay at this stage, your record will last for 7 years.

Big banks really suck right now. There are only a few laws they must follow, the rest are rules and regulations they get to set for us without our feedback. Big banks are greedy and are making more money each year. They charge fees for almost anything and have no reasonable appeal process. Currently the larger banks are even beginning to charge check cashing fees on their own checks!

You could write me a check for $5.00 and it could be worth nothing if I presented to the bank it was drafted on.

My advice to you would be to pay that bank, and realize that (1) you have no power here. --Trust me I tried hard to work through a problem with my bank and could not and (2) big banks are not working in your best interests.

Keep your banking record clean and look for a smaller bank that actually wants your business and will serve you as needed to keep it.

Things to look for:

- Low fees across the board.

- Daily caps on overdraft charges to prevent cascading fees. (This is what happened to me. $300 turned into $1100 in a couple of days !?!)

- Teller access without fees

- Reasonable ATM policy. No double dipping ATM transactions. Some bigger banks can and do charge you for use of a free ATM even though the ATM owner does not!

For those wondering, the banks that I have found particularly nasty are:

US Bank

Beginning to impose check cashing fees, highest overdraft charge with no daily cap, poor deposit policy. They hold every check they can for three days. Their own tellers advise you to cash your check then deposit cash.

Key Bank

Very strict on transaction type. Will freeze accounts for very little reason. A disagreement with a teller is enough for this. Check cashing fees with no daily cap. Poor deposit policy combined with their allowed transaction types make some common deposits very difficult.

Both banks guilty of transaction ordering with intent to charge fees. Basically they will clear large checks in order to let many smaller ones bounce. They say it is for your own good, but realistically which is better? Personally, I would rather reissue the larger check, pay the fees and use the rest of my money to cover the damage as cheap as I can. You decide.

Both banks guilty of issuing dangerous check cards by default. Check card works like credit, but with none of the protections.

All this talk of PIN theft is one thing, losing one of these cards is way worse. They can use it any number of places without a PIN and you have to pay.

Personally, the errors are likely to be unstated fees for transactions. Many places charge a fee when you use a debit card. Not all of them let you know about it even though they should. Another error comes from charges when you pay for dinner out. Remember the little place on the receipt for tips? If you don't fill it out, they can later. Problem here is that you don't always get to see the amount they key into the little visa machine. Your copy says one thing, theirs says another..

Seriously, if you are banking with a larger bank, ditch it and go shopping and tell your friends when you are done. You will be better for it.

One other thing I forgot

[PotatoHead]

In the last few years reports have been written about ways banks can increase revenue. In the early 90's the easiest way was to increase fees.

There are consultants that will analyze a banks customer transaction histories in order to recommend a fee structure that will retain the highest number of customers and generate the most revenue from fees while lowering costs.

They do this with the teller fee, minimum balance fee, account inactivity fee and the overdraft fee.

Recently the check cashing fee was added to both make money on both the check writer and the casher while discouraging face to face business at the bank which lowers costs.

The high growth of bank profits combined with growing negative public perception of the fees has recently sparked a few recommendations toward more reasonable structures that actually do help people and the bank without so much profit.

Try and find a couple of those. They get almost zero notice.

See how it works? Remember that the next time you read a shiny well produced brochure that 'assures' you that no other bank is working harder for you.