1 / 25

Will You Ever Use Your ATM Again?

Will You Ever Use Your ATM Again?. Presented by: Bob Clary Carolyn McLellan Jane Mosher Karen Weil-Yates. 1 new ATM installed every 5 minutes ATM fraud in US approximately $50M/ year 1.2M ATMs installed worldwide ATM is equal in importance to cell phones & email

rocampo
Download Presentation

Will You Ever Use Your ATM Again?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Will You Ever Use Your ATM Again? Presented by: Bob Clary Carolyn McLellan Jane Mosher Karen Weil-Yates

  2. 1 new ATM installed every 5 minutes ATM fraud in US approximately $50M/ year 1.2M ATMs installed worldwide ATM is equal in importance to cell phones & email Total cost of fraud is 4x actual amount of $$ taken 281,000 customers affected Fraud growth rate is up to 35%/year Soft target/low risk to criminals Impossible to ID criminals (often not prosecuted) New gang-oriented activity Top 10 Quick Facts

  3. Information on Cryptology Failures • Not published or advertised • Compare to airline crashes • Team of investigators • Accountability • Fix the problem • How can you fix the problem if you don’t know there was a problem? • If you can’t investigate the steps that led to a security breach, how can you analyze?

  4. Investigation of ATM Security • Banking industry largest business after government • How can you prove you DID not withdraw funds from your bank? • PIN security assumptions • Magnetic stripe on bank card contains account number • PIN is derived by encrypting the account number and using only 4 digits

  5. Weakness of ATM • Magnetic stripe • Easily captured • Card skimming

  6. Used DES to calculate a natural PIN. Offset added No real cryptographic function Lets customers choose their own PINs DES key can be compromised in 22 hrs Many banks now using triple-DES Equipment and software compatibility with DES Estimated time of compromise is 200 trillion years if no paper trail Example: Account number: 8807012345691715 PIN key: FEFEFEFEFEFEFEFE Result of DES: A2CE126C69AEC82D Result in decimal form: 0224126269042823 Natural PIN: 0224 Offset: 6565 Customer PIN: 6789 How PINS Were Derived Back

  7. DES • 56-bit key • Considered secure until Jan 1999 • 22 hours to break • DES cracker available on line for $200,000 • ATMs vulnerable

  8. Security Breaches • Inside • Most threats • Outside

  9. Inside Security Breaches • Bank clerk issues two cards—one for customer, one for self • Bank had a policy that ATM withdrawals with receipts did not show up on customer statement. • ATM has computer attached that captures PINs and account numbers • Tellers issued ATM cards that can debit any customer account • For use when tellers ran out of cash • Loss of dual control security measures to cut down on costs

  10. Outside Security Breaches • Testing programs not deleted • Vending machines that take ATMs • Record PINS and account numbers sending data by modem to thieves • Can buy used ATMs • Like a used computer with all the software included

  11. Why 4 Digit PINs? • With standard usage: • 1 in 10,000 chance of discovering PIN • Use with 3 tries, access denied and card confiscated • Now chance of discovery is 1 in 3,333 • Ways security is decreased • Offline ATMs and POS devices without full encryption • Mathematical calculation of PINs • Credit card: • Digit 1 + Digit 4 = Digit 2 + Digit 3 • Debit card (same bank) • Digit 1 + Digit 3 = Digit 2 + Digit 4 • Can use mathematical formula to cut down on possible combinations: Ex: PIN 4455

  12. Discovering PINs • Banks suggesting ways for persons to remember PINs (other than writing down) • Ex: 2256 • Increased odds of discovery from 1 in 3,333 to 1 in 8

  13. Discovering PINs • Programming • Bank issued same PIN to everyone • Only 3 variations of PINs used—then forged • Random PINs (not encrypted from account number) or customer-selected PINs • Bank file holding PINs • If same encrypted version of PIN used, programmer can search account database for users with same PIN • Banks writing encrypted PIN to card stripe • Change account number on your own card to that of target and use with your own PIN

  14. How ATM Encryption Should Work • Review DES Encryption • PIN key must be kept secret • Terminal key at each ATM, carried to each branch by two separate officials • Input at ATM keyboard • Combined to form key • PIN Key encrypted under terminal key • Sent to ATM by bank’s central computer

  15. How Are All These Keys Kept Secure? • PC in a safe with security module • Manages all bank’s keys and PINs • Programmers only see encrypted PINs • Requires special hardware devices • Expensive • Time-consuming to install security modules • Not provided for some equipment • No special security modules • Control through software • Programmers now have more information • They can find PIN key

  16. Poor Implementation of Security • Response codes for incoming transactions • Are they monitored, logged, analyzed? • Subcontracting ATMs and giving contractor PIN key • PIN keys shared between banks • Poor key management • No dual control • Keys kept in files rather than locked up • No documented procedures for handling keys

  17. Triple DES • Current implementation • Two 56-bit keys • Encrypt-decrypt-encrypt model • KL (Key Left) DES encryption • KR (Key Right) DES decryption • KL encrypts again • Estimated 200 trillion years to crack

  18. Secure Key Management • All DES keys are safe if used only once & discarded • Keys are stored in two other states: • Host’s memory or database • Transmission over networks • Vulnerable when stored or transmitted outside the HSM (hardware or host security module)

  19. Secure Key Management • Triple DES keys are stored as two DES keys (KL and KR) • Side-by-side in a database • Access to HSM • Independent DES keys can be “attacked” • Shared among other systems attached to the host

  20. Solution (Everywhere But US) • EMV Standard • EuroPay, MasterCard, Visa • SmartCard (with a chip) • January 2005

  21. Bank Smart Cards • Transaction using a chip & terminal • Reduces counterfeiting due to complexity & expense • Can work with HSM

  22. Future Enhancements of EMV/Smart Card Biometric capacity Iris scanning Fingerprinting Voice recognition Backwards compatible (magnetic stripes)

  23. R. Anderson, “Why Cryptosystems Fail,” (March 1998); available at http://www.cl.cam.ac.uk/users/rja14/wcf.html Celent Communications, “Smart Cards in US Banking: Is the Chip Hip”? (October 18, 2001); available at http://www.celent.com/pressreleases/20011018/smartcard.htm “Combining Key Management with Triple-DES to Maximize Security,” (July 2002); available athttp://h71028.www7.hp.com/erc/downloads/atkeyblwp.pdf “EMV Smart Card Issuing,” (2004); available at http://www.thales-esecurity.com/solutions/emv_smartcard.shtml References

  24. The Jolly Roger (alias), “Jackpotting ATM Machines,” The Anarchist’s Cookbook. (Retrieved May 17, 2005); available at http://isuisse.ifrance.com/emmaf/anarcook/jackatm.htm Levelfour Americas, “Could Growing ATM Fraud Accelerate US Conversion to the Chip Card”? (November 2004); available at http://www.atmmarketplace.com/whitepapers/Level_Four__EMV.pdf B. and D. Mikkelson, “Bank ATMs Converted to Steal IDs of Bank Customers,” (January 19, 2004); available at http://www.snopes.com/crime/warnings/atmcamera.asp References

More Related