Citibank Tries to Hush ATM Crypto Vulnerability

palme999 writes "Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions. The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers accounts because they claim their systems are secure."

Release the lawyers!!!

[TopShelf]

The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers accounts because they claim their systems are secure.

Does anybody smell a class-action for ATM users who have filed these complaints? It would probably work similarly to the CD price-fixing settlement that was in the news lately, since it would be hard to identify the specific members of the class.

dmca problems, again?

[micq]

This is the kind of shit that scares me about the DMCA...

This is SERIOUS

[arvindn]

This isn't like on of the regular "a new vulnerability has been discovered. No exploitz are known yet. Patch can be found <here>" kind of things we get on bugtraq all the time.

From the article

For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys.

What the bank is doing is very irresponsible. I hope they get lots of bad publicity for this. Getting on /. is a good start.

They Can't

[neurostar]

Tell 'em to prove it.

Well, as nice as it would be to have them prove the security, it is technically impossible to prove that a system is secure. It is only possible to prove that a system is not secure by exposing a flaw.

neurostar

Re:Release the lawyers!!!

[rgmoore]

It should be pointed out that this is a problem in the UK, but the US has saner legal rules. The article mentions that Citibank lost a similar case in the US, so apparently the US doesn't think that "our system is secure; it must be the user's fault" is sufficient defense.

Re:Shut them up!

[Daniel Dvorkin]

Um ... you're kidding, right?

Citibank has no interest in "the best interest of its customers." Like any other megacorp, they don't give a shit about you. They're much more concerned about the embarrassment of admitting that their security is worthless than they are about actually keeping people's money safe. The only way to get them to fix this problem is to publicize it as loudly as possible, because then not fixing the problem becomes even more of an embarrassment for them.

Re:This is SERIOUS

[mosch]

Yes, but the banks are claiming that the system contains no vulnerabilities at all. The presence of any vulnerability demonstrates that the banks are being less than honest with the courts.

Last I checked, it's significantly illegal to be less than honest with the courts.

Re:This is SERIOUS

[Hammerikaner]

Everyone should just mirror the PDF [cam.ac.uk] file on your own web server. Would it matter then, if the court filed an injunction? Everyone already has it.

Re:Fees...

[Lawbeefaroni]

They're not completely secure because if they were, it would put a dent in all that dough they're raking in. Security through obscurity is free, security that is secure isn't.

Re:Go back to sleep children

[aussersterne]

Everything is ok.

Your money is safe.

The world is simple.

You are with us or against us.

Go buy yourself something, you deserve it.

Those in charge know what they are doing and will take care of you.

When I think about this, the fact that this post was modded as "insightful" by someone is perhaps the most frightening thing I've seen in a long time.

Re:ATM with an eye

[Skyshadow]

I believe that in some countries banks actually install a camera in every ATM they own. They simply take a video or a snapshot of the person making transaction with the machine.

Most ATMs in the US are under video survailance, too.

Of course, this won't prevent me from using a techincal exploit to rob them. All I need to do is find an ATM in a somewhat secluded place (not hard), put on a ski mask just before I go to work and not take it off while I'm robbing the thing blind.

Cameras != protection from crime. They just assist in catching stupid criminals.

Re:Go back to sleep children

[ralphus]

When I think about this, the fact that this post was modded as "insightful" by someone is perhaps the most frightening thing I've seen in a long time.

I agree. I'm frightened myself, and had a high level of sarcasm when I wrote it, but I feel that this basic sales pitch is done over and over again to the mass public and for the most part they buy it! The moderators probably picked up on that and agreed.

The real threat

[goombah99]

After pondering this some I have come to the conclusion that this is a real threat. at first I dismissed it because it was going to take a bank employee with access to programming the machines low level inputs, plus a Very large list of card numbers, plus access to the pin offsets, plus a way to launder the money, plus the ability to make 15 tries without losing the card or having to override the system (which would get noticed).

but then I thought, well where could you do this an not get caught? how about North Korea or Nigeria. North Korea already mints high tech conterfeit US 100 dollar bills on government printing presses. So this would be small but useful potatoes.

but more important than the money, It also would make a nice weapon: UN provokes N. Korea, N korea dumps 100,000 cards with pins written on them in say the NY subway system. Next day all ATM banking is halted world wide. Nice little panic. Travelers stranded. Runs on banks as people have to now go inside to get money and they run out of cash. Anyhow you get the idea.

or maybe just one of the millions of merchant accounts visa hands out is owned by ..... well you name it.
Yikes

Re:ATM? I don't need no stinkin' ATM!

[hazem]

It's not just Walmart - it's the people of the town who choose to shop there. If a majority of the people in a town continued to shop at their normal places, rather than the new Walmart, the Walmart would not do well, and old places would do fine.

But, most people will chose to pay $1.00 for a loaf of bread instead of $1.50. In that case, they are giving up the "old way" for that $0.50. It's their choice. You can't blame it all on Walmart.

Re:This is SERIOUS

[Beryllium Sphere(tm)]

What logs?

Notice that one of the proposed fixes was to create an audit trail.

Re:A second ATM PIN crack in NEWS today

[Anonymous Coward]

I haven't been able to read the actual paper yet (link is slashdotted) to see if it contains more information than the post but I fail to see why you have to be an insider to perform these attacks.

Because you don't have the DES keys stored on the secure hardware device. I came to read comments hoping to gain some knowledge on the specifics of this attack by maybe reading some posts by slashdotters who work in the field, but I had once again overestimated the collective IQ of this assumption happy crowd. sigh..

You know what sucks about this?

[PotatoHead]

Is that you can do nothing about it!

The banks current position is that everything works fine. Afterall, they do handle the world economy everyday, so your little small potatoes checking account is no big deal right?

Unless you can demonstrate a bank error that meets their criteria I might add, the bank basically says you must pay all fees like it or not.

So, let me tell you from experience, you are screwed. Either you pay even though you may not be totally in the wrong, or you don't.

If you pay, you will be out some cash, but the bank will be happy to let you continue doing business and will even screw you again later if you are willing.

If you don't pay, it gets worse. They charge off your account so they can get the tax benefit. They still send you to collections, and they report you to ChexSystems. This database will record your debt to your current bank and will be used as the reason you cannot get new accounts elsewhere. 95% of all banks use this. Getting a record removed is very difficult. The worst part is that even if you pay at this stage, your record will last for 7 years.

Big banks really suck right now. There are only a few laws they must follow, the rest are rules and regulations they get to set for us without our feedback. Big banks are greedy and are making more money each year. They charge fees for almost anything and have no reasonable appeal process. Currently the larger banks are even beginning to charge check cashing fees on their own checks!

You could write me a check for $5.00 and it could be worth nothing if I presented to the bank it was drafted on.

My advice to you would be to pay that bank, and realize that (1) you have no power here. --Trust me I tried hard to work through a problem with my bank and could not and (2) big banks are not working in your best interests.

Keep your banking record clean and look for a smaller bank that actually wants your business and will serve you as needed to keep it.

Things to look for:

- Low fees across the board.

- Daily caps on overdraft charges to prevent cascading fees. (This is what happened to me. $300 turned into $1100 in a couple of days !?!)

- Teller access without fees

- Reasonable ATM policy. No double dipping ATM transactions. Some bigger banks can and do charge you for use of a free ATM even though the ATM owner does not!

For those wondering, the banks that I have found particularly nasty are:

US Bank

Beginning to impose check cashing fees, highest overdraft charge with no daily cap, poor deposit policy. They hold every check they can for three days. Their own tellers advise you to cash your check then deposit cash.

Key Bank

Very strict on transaction type. Will freeze accounts for very little reason. A disagreement with a teller is enough for this. Check cashing fees with no daily cap. Poor deposit policy combined with their allowed transaction types make some common deposits very difficult.

Both banks guilty of transaction ordering with intent to charge fees. Basically they will clear large checks in order to let many smaller ones bounce. They say it is for your own good, but realistically which is better? Personally, I would rather reissue the larger check, pay the fees and use the rest of my money to cover the damage as cheap as I can. You decide.

Both banks guilty of issuing dangerous check cards by default. Check card works like credit, but with none of the protections.

All this talk of PIN theft is one thing, losing one of these cards is way worse. They can use it any number of places without a PIN and you have to pay.

Personally, the errors are likely to be unstated fees for transactions. Many places charge a fee when you use a debit card. Not all of them let you know about it even though they should. Another error comes from charges when you pay for dinner out. Remember the little place on the receipt for tips? If you don't fill it out, they can later. Problem here is that you don't always get to see the amount they key into the little visa machine. Your copy says one thing, theirs says another..

Seriously, if you are banking with a larger bank, ditch it and go shopping and tell your friends when you are done. You will be better for it.