ATMs Give up PIN Numbers -- Millions stolen

[aehurst]

http://news.yahoo.com/s/ap/20080701/...tec_atm_breach

and guess what OS the ATMS are based on?

I still don't think the debit cards are safe and for sure not as safe as most think.

[Mikey-San]

Quote: I still don't think the debit cards are safe and for sure not as safe as most think.

A debit card is a form of two-factor authentication. (The card is something you HAVE, and the access code is something you KNOW.) It's a sound concept, unless:

A) You write your PIN on a piece of paper in your wallet.

B) The machine in which you use your card has an underlying security flaw and a compromise exploits it.

In concept, it's a reasonably secure method of authentication. ("Reasonably" because it can be stronger, and there are weaknesses that can be exploited to break the security provided by such a system.)

The problem these machines had was that the sensitive data transmitted over the wire was not encrypted properly. This kind of screw-up was human: the people who designed or set up the machine didn't take sufficient steps to secure the transactions. Someone could've failed to encrypt data correctly with any operating system, be it OS/2, Windows, Mac OS X, Linux, QNX, OpenBSD, or any custom embedded OS.

Sure, Windows is typically thought of as being less secure than other systems, but that wasn't really the failure here.

[schneb]

How many ATMs are there? How many have been electronically broken in to? This is reminding me of the attempted ban on Mylar balloons here in California. How many balloons have been sold? How many have caused an electrical outage? And we want to ban them and penalize how many industries?

No fan of Microsoft, but Mikey-San is correct. This probably would have failed no matter what the OS. But really, ATM interfaces are the real problem. They should be designed by Apple and not left-brained coders. I mean really, five menus just to withdraw $40? Yeesh.

[EatsWithFingers]

Quote: Originally Posted by Mikey-San Sure, Windows is typically thought of as being less secure than other systems, but that wasn't really the failure here.

Correct. All PIN verifications are handled by secure crypto-processors (such as IBM's 4758 - IBM page).

There are three liklely causes for the breach:

1. A corrupt insider either revealed his administration password for such a device, or had it stolen.
2. The individuals responsible for initialising a new device did so in a way which would allow PINs to be recovered.
3. The encrypted PIN blocks were attacked (see this article for info)

Another point to note, is that PINs are typically calculated from account numbers by encrypting them with a PIN Derivation Key (PDK) - a system developed by IBM in the 1970s to avoid the need to store the actual PIN anywhere (there are a few subtleties which I've ignored here).

It doesn't sound like this key has been compromised (each bank typically has only one such key, so it's discovery would be much more severe). The first two possibilities given above would typically allow for such an outcome. Therefore, my money would be on the last method.


And if anyone wonders, analysing the interfaces provided by devices such as the 4758 is what I do...

EDIT: ...but I'm not the person who contributed to the PIN cracking article linked to above!

[NovaScotian]

The references in this thread and their references make for scary reading.

[wdympcf]

Quote: Another point to note, is that PINs are typically calculated from account numbers by encrypting them with a PIN Derivation Key (PDK)

Good thing I chose my own PIN, rather than sticking with the one the bank gave me!

[EatsWithFingers]

Quote: Originally Posted by wdympcf Good thing I chose my own PIN, rather than sticking with the one the bank gave me!

The ability to do this is one of the bits I glossed over. To allow customers to choose their own PIN, an offset is stored on your card. This offset is added (digit-wise modulo 10) to the calculated PIN to get the PIN that you have to enter.

Therefore, if you are a customer of a bank which uses the IBM PIN calculation system, then choosing your own PIN will not avoid this method of verification.

[wdympcf]

Hmmm... then I guess I just better hope that my bank doesn't let the proverbial cat out of the bag.

[aehurst]

Computers, unlike people, are incapable of making a mistake, but then so is a pencil.

Like NovaScotian, I find all this pretty scary. No doubt somebody, somewhere, dropped the ball on this one. Could one prove they dropped the ball accidentally? With millions at stake and only a couple people needed to collaborate and make this happen, we have to admit the potential exists for wrong doing.

And, it's not just pins. It's everything. In this morning's paper, a couple employees were arrested at the local hospital admissions office... yup, check 'em in and give me all your info and by the time the patient was discharged they were victims of identify theft with their debt out of sight.

Guess that has nothing to do with computers, but what has changed is technology expanding the possibilities as well as the available dollars to astronomical levels. I think we may be in for a lot more of this, and I really hope the good guys can keep up.

[EatsWithFingers]

Quote: Originally Posted by wdympcf Hmmm... then I guess I just better hope that my bank doesn't let the proverbial cat out of the bag.

I've just realised that my last post was slightly wrong (I think!). The offset which is stored on your card does not get sent from the ATM to the bank's main servers, it is used to modify the PIN which is sent for verification. As a result, if the back-end servers were targeted, then anyone who has modified their PIN (or was given the same PIN as for a previous account number) will probably be safe. It's only if the actual ATMs are targeted that the offset can be discovered as well.

Of course, CitiBank could use a completely different PIN verification scheme...

Quote: Originally Posted by aehurst Guess that has nothing to do with computers, but what has changed is technology expanding the possibilities as well as the available dollars to astronomical levels. I think we may be in for a lot more of this, and I really hope the good guys can keep up.

Yeah, it is quite scary when you think how much trust is put in the computer systems that handle our sensitive information.

(time to hide under the bed, beside all my money...!)

[aehurst]

Quote: (time to hide under the bed, beside all my money...!)

Ha! How quickly we forget. Wasn't that many years ago that the old timers would indeed hide their money under the mattress or buried in the back yard. Banks did fail. People did lose their money. We'd all like to think the system is much safer now, but is it really?

Given that during a depression you get deflation (well we did last time anyway because govt didn't print money), hiding your money at home was probably a good investment !!

[NovaScotian]

Quote: Originally Posted by aehurst Computers, unlike people, are incapable of making a mistake, but then so is a pencil. Like NovaScotian, I find all this pretty scary. No doubt somebody, somewhere, dropped the ball on this one. Could one prove they dropped the ball accidentally? With millions at stake and only a couple people needed to collaborate and make this happen, we have to admit the potential exists for wrong doing. And, it's not just pins. It's everything. In this morning's paper, a couple employees were arrested at the local hospital admissions office... yup, check 'em in and give me all your info and by the time the patient was discharged they were victims of identify theft with their debt out of sight. Guess that has nothing to do with computers, but what has changed is technology expanding the possibilities as well as the available dollars to astronomical levels. I think we may be in for a lot more of this, and I really hope the good guys can keep up.

Modern technology just gives the bad guys new ways to cheat, but the something-for-nothing-crowd has been with us since people assembled in groups of more than two adults and some children. Modern media keep us informed of all these new and creative ways the bad guys use to cheat us so we think they're more pervasive, but I doubt that. When the penalty for picking pockets in England was public hanging, the pickpockets made a killing in the crowd that came to watch.

[tlarkin]

OK

I just read the article and yeah so what it runs off of a Microsoft infrastructure and it is actually very secure. However, some clients did not set up encryption, which is why those PINs were accessed in plain text. So, I fail to see how this is a problem related to MS. What I do see it as, is a network administrator who doesn't know what they are doing and failed to encrypt data. It would be along the same lines of you trying to blame Linksys for not securing your wireless network when you never went in and configured encryption on your WiFi.

So, basically in other news, there are still plenty of inept over paid IT people in the world......Someone give me a high paying job, hell I would at least turn on freaking encryption!

[NovaScotian]

Quote: Originally Posted by tlarkin So, basically in other news, there are still plenty of inept over paid IT people in the world......Someone give me a high paying job, hell I would at least turn on freaking encryption!

Assuming the cause as you posit -- a lack of appropriate encryption -- I think the problem is that managers in charge of sensitive data (bankers in this case) don't appreciate the importance of internet security, nor the skill set required to ensure it, so they assign the job of setting up such a system to a few IT workers whose credentials don't match the task.

[aehurst]

Quote: I just read the article and yeah so what it runs off of a Microsoft infrastructure and it is actually very secure.

Okay.. I give in. It wasn't a Microsoft issue. But I still think it's funny that they would stick "windows based" into the article.... kinda like everybody sorta expects that now days. Goes with being #1 I guess.

[cwtnospam]

I think it is a Microsoft issue, but not for "technical" reasons. Microsoft's culture is generally a "good enough" culture. Emphasizing things like feature counts with no real concern for how well they're implemented creates a culture where it's highly likely that this will happen.

On a minimal level, the system worked, so no one looked for the flaws until hackers found them. Sound familiar? It should, because it's the way Microsoft has always done business.

[tlarkin]

Quote: Originally Posted by cwtnospam I think it is a Microsoft issue, but not for "technical" reasons. Microsoft's culture is generally a "good enough" culture. Emphasizing things like feature counts with no real concern for how well they're implemented creates a culture where it's highly likely that this will happen. On a minimal level, the system worked, so no one looked for the flaws until hackers found them. Sound familiar? It should, because it's the way Microsoft has always done business.

Wrong

The problem is people didn't set up encryption. Look at my wireless router analogy, it is a parallel of this exact thing. Out of the box you have to set up your own encryption, it doesn't wipe your butt for you. Banks need to hire people who know the basics of security period.

[cwtnospam]

Quote: Originally Posted by tlarkin The problem is people didn't set up encryption. Look at my wireless router analogy, it is a parallel of this exact thing. Out of the box you have to set up your own encryption, it doesn't wipe your butt for you. Banks need to hire people who know the basics of security period.

Yes, Professional IT people didn't set up encryption. That's my point. Those professionals are heavily influenced by the Microsoft dominated culture that they train and work in.

And I do blame wireless router makers for not requiring security. It would be very simple for a wireless router to redirect all internet traffic to a setup or warning page if security isn't configured. Of course, they're influenced by Microsoft's blame the user culture too.

[tlarkin]

Quote: Originally Posted by cwtnospam Yes, Professional IT people didn't set up encryption. That's my point. Those professionals are heavily influenced by the Microsoft dominated culture that they train and work in. And I do blame wireless router makers for not requiring security. It would be very simple for a wireless router to redirect all internet traffic to a setup or warning page if security isn't configured. Of course, they're influenced by Microsoft's blame the user culture too.

Do you blame car companies when you get in a wreck, or a speeding ticket?

[cwtnospam]

I blame car companies for selling cars for decades without important safety features like seat belts, and only adding them when they were required to, just as router makers should be required to fix their wireless routers.