Will You Ever Use Your ATM Again?
Presented by: Bob Clary, Carolyn McLellan, Jane Mosher, Karen Weil-Yates
Top 10 Quick Facts
• 1 new ATM installed every 5 minutes
• ATM fraud in US approximately $50M/year
• 1.2M ATMs installed worldwide
• ATM is equal in importance to cell phones & email
• Total cost of fraud is 4x actual amount of money taken
• 281,000 customers affected
• Fraud growth rate is up to 35%/year
• Soft target/low risk to criminals
• Impossible to ID criminals (often not prosecuted)
• New gang-oriented activity
Information on Cryptology Failures
• Not published or advertised
• Compare to airline crashes
  • Team of investigators
  • Accountability
  • Fix the problem
• How can you fix the problem if you don’t know there was a problem?
• If you can’t investigate the steps that led to a security breach, how can you analyze?
Investigation of ATM Security
• Banking industry largest business after government
• How can you prove you did NOT withdraw funds from your bank?
• PIN security assumptions
  • Magnetic stripe on bank card contains account number
  • PIN is derived by encrypting the account number and using only 4 digits
Weakness of ATM
• Magnetic stripe
  • Easily captured
  • Card skimming
How PINs Were Derived
• Used DES to calculate a natural PIN
• Offset added
  • No real cryptographic function
  • Lets customers choose their own PINs
• DES key can be compromised in 22 hrs
• Many banks now using triple-DES
  • Equipment and software compatibility with DES
  • Estimated time of compromise is 200 trillion years if no paper trail
• Example:
  Account number: 8807012345691715
  PIN key: FEFEFEFEFEFEFEFE
  Result of DES: A2CE126C69AEC82D
  Result in decimal form: 0224126269042823
  Natural PIN: 0224
  Offset: 6565
  Customer PIN: 6789
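The derivation the slide walks through (DES of the packed account number, decimalization, offset), written out as an added example in Go that is not part of the presentation; the decimalization and offset steps can be checked against the slide's own figures, and the function names are ours.

```go
// Added example (not from the slides): the natural-PIN derivation the slide
// lays out (IBM 3624 style), using Go's standard crypto/des.
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
)

// decimalize maps each hex digit of the DES output to a decimal digit: 0-9 stay,
// A-F become 0-5 (nibble mod 10), so A2CE126C69AEC82D -> 0224126269042823.
func decimalize(block []byte) string {
	out := make([]byte, 0, 2*len(block))
	for _, b := range block {
		out = append(out, '0'+(b>>4)%10, '0'+(b&0x0f)%10)
	}
	return string(out)
}

// naturalPIN is the first n digits of the decimalized DES output.
func naturalPIN(block []byte, n int) string { return decimalize(block)[:n] }

// applyOffset adds the offset digit-wise modulo 10 with no carry; storing an
// offset is what lets a customer choose a PIN without the bank storing it.
func applyOffset(natural, offset string) string {
	out := make([]byte, len(natural))
	for i := range out {
		out[i] = '0' + (natural[i]-'0'+offset[i]-'0')%10
	}
	return string(out)
}

// derivePIN runs the whole slide procedure: the 16-digit account number is packed
// into 8 bytes, DES-encrypted under the PIN key, decimalized, then offset. Note the
// slide's key FEFEFEFEFEFEFEFE is one of DES's four weak keys; NewCipher accepts it.
func derivePIN(accountHex, pinKeyHex, offset string) (string, string, error) {
	acct, err1 := hex.DecodeString(accountHex)
	key, err2 := hex.DecodeString(pinKeyHex)
	if err1 != nil || err2 != nil || len(acct) != des.BlockSize {
		return "", "", errors.New("account number must be 16 digits, key 16 hex digits")
	}
	c, err := des.NewCipher(key) // fails unless the key is exactly 8 bytes
	if err != nil {
		return "", "", err
	}
	block := make([]byte, des.BlockSize)
	c.Encrypt(block, acct)
	nat := naturalPIN(block, len(offset))
	return nat, applyOffset(nat, offset), nil
}
```

Run derivePIN("8807012345691715", "FEFEFEFEFEFEFEFE", "6565") to compare the live DES result with the slide's example values.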
DES
• 56-bit key
• Considered secure until Jan 1999
• 22 hours to break
• DES cracker available online for $200,000
• ATMs vulnerable
Security Breaches
• Inside
  • Most threats
• Outside
Inside Security Breaches
• Bank clerk issues two cards—one for customer, one for self
  • Bank had a policy that ATM withdrawals with receipts did not show up on customer statement
• ATM has computer attached that captures PINs and account numbers
• Tellers issued ATM cards that can debit any customer account
  • For use when tellers ran out of cash
• Loss of dual control security measures to cut down on costs
Outside Security Breaches
• Testing programs not deleted
• Vending machines that take ATM cards
  • Record PINs and account numbers, sending data by modem to thieves
• Can buy used ATMs
  • Like a used computer with all the software included
Why 4 Digit PINs?
• With standard usage:
  • 1 in 10,000 chance of discovering PIN
  • With 3 tries, access denied and card confiscated
  • Now chance of discovery is 1 in 3,333
• Ways security is decreased
  • Offline ATMs and POS devices without full encryption
  • Mathematical calculation of PINs
    • Credit card: Digit 1 + Digit 4 = Digit 2 + Digit 3
    • Debit card (same bank): Digit 1 + Digit 3 = Digit 2 + Digit 4
    • Can use mathematical formula to cut down on possible combinations. Ex: PIN 4455
Discovering PINs
• Banks suggesting ways for persons to remember PINs (other than writing down)
  • Ex: 2256
  • Increased odds of discovery from 1 in 3,333 to 1 in 8
Discovering PINs
• Programming
  • Bank issued same PIN to everyone
  • Only 3 variations of PINs used—then forged
• Random PINs (not encrypted from account number) or customer-selected PINs
  • Bank file holding PINs
  • If same encrypted version of PIN used, programmer can search account database for users with same PIN
• Banks writing encrypted PIN to card stripe
  • Change account number on your own card to that of target and use with your own PIN
How ATM Encryption Should Work
• Review DES Encryption
• PIN key must be kept secret
• Terminal key at each ATM, carried to each branch by two separate officials
  • Input at ATM keyboard
  • Combined to form key
• PIN Key encrypted under terminal key
  • Sent to ATM by bank’s central computer
How Are All These Keys Kept Secure?
• PC in a safe with security module
  • Manages all bank’s keys and PINs
  • Programmers only see encrypted PINs
• Requires special hardware devices
  • Expensive
  • Time-consuming to install security modules
  • Not provided for some equipment
• No special security modules
  • Control through software
  • Programmers now have more information
  • They can find PIN key
Poor Implementation of Security
• Response codes for incoming transactions
  • Are they monitored, logged, analyzed?
• Subcontracting ATMs and giving contractor PIN key
• PIN keys shared between banks
• Poor key management
  • No dual control
  • Keys kept in files rather than locked up
  • No documented procedures for handling keys
Triple DES
• Current implementation
• Two 56-bit keys
• Encrypt-decrypt-encrypt model
  • KL (Key Left) DES encryption
  • KR (Key Right) DES decryption
  • KL encrypts again
• Estimated 200 trillion years to crack
Secure Key Management
• All DES keys are safe if used only once & discarded
• Keys are stored in two other states:
  • Host’s memory or database
  • Transmission over networks
• Vulnerable when stored or transmitted outside the HSM (hardware or host security module)
Secure Key Management
• Triple DES keys are stored as two DES keys (KL and KR)
  • Side-by-side in a database
• Access to HSM
  • Independent DES keys can be “attacked”
  • Shared among other systems attached to the host
Solution (Everywhere But US)
• EMV Standard
  • EuroPay, MasterCard, Visa
• SmartCard (with a chip)
• January 2005
Bank Smart Cards
• Transaction using a chip & terminal
• Reduces counterfeiting due to complexity & expense
• Can work with HSM
Future Enhancements of EMV/Smart Card
• Biometric capacity
  • Iris scanning
  • Fingerprinting
  • Voice recognition
• Backwards compatible (magnetic stripes)