Tuesday, December 26, 2006
The Vulnerability of ATM Encryption Systems
The U.S. Secret Service is investigating a report from computer researchers in Israel who say they discovered a flaw in the system banks use to encrypt ATM transactions.
Because transactions most often pass through different systems connected to special networks, the account number and PIN are encrypted into a "PIN Block" as the transaction travels from the customer to their bank. The PIN Block is decrypted when it reaches a new system and is immediately re-encrypted by that system under its own key. It is at this point that the researchers believe an attack could occur and fool the system into revealing the confidential data.
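As an added illustration of the hop-by-hop translation described above (example code written for this page, not from the paper or from ARX): it builds the ISO 9564 format-0 PIN block, carries it from the ATM through a switch to the issuer with a translation at each hop, and marks the one point where the block is in clear. The zone cipher is a constructed stand-in for the 3DES a real network uses, and the zone keys and PAN are made up.

```python
import hashlib

# Stand-in for the zone cipher (constructed for this example): real networks
# use (3)DES on 8-byte blocks; here an 8-byte keystream derived from the key
# via SHA-256 is XORed in, which keeps the example offline. XOR is its own
# inverse, so one function both encrypts and decrypts.
def zone_cipher(zone_key: bytes, block: bytes) -> bytes:
    stream = hashlib.sha256(b"zone-key:" + zone_key).digest()[:8]
    return bytes(a ^ b for a, b in zip(block, stream))

def pan_field(pan: str) -> int:
    # "0000" + the 12 digits left of the PAN's check digit (ISO 9564 format 0)
    return int("0000" + pan[-13:-1], 16)

def iso0_pin_block(pin: str, pan: str) -> bytes:
    """PIN field XORed with the account field: the block is bound to its PAN."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = int(f"0{len(pin):X}{pin}".ljust(16, "F"), 16)
    return (pin_field ^ pan_field(pan)).to_bytes(8, "big")

def decode_iso0(block: bytes, pan: str) -> str:
    """Recover the PIN; reject anything that is not a well-formed format-0 block."""
    field = f"{int.from_bytes(block, 'big') ^ pan_field(pan):016X}"
    length = int(field[1], 16)
    if field[0] != "0" or not 4 <= length <= 12:
        raise ValueError("not a format-0 PIN block")
    pin, pad = field[2:2 + length], field[2 + length:]
    if not pin.isdigit() or pad.strip("F"):
        raise ValueError("malformed PIN block")
    return pin

def translate(enc_block: bytes, key_in: bytes, key_out: bytes) -> bytes:
    """What each switch does: decrypt under the inbound zone key and
    re-encrypt under the outbound one. The clear PIN block exists only
    inside this function, which in production runs inside the HSM; this
    is the step the article says the researchers are concerned about."""
    clear = zone_cipher(key_in, enc_block)
    return zone_cipher(key_out, clear)

def run_transaction(pin: str, pan: str, zone_keys: list) -> str:
    """The ATM encrypts under the first zone key, each intermediate switch
    translates to the next key, and the issuer decrypts with the last."""
    enc = zone_cipher(zone_keys[0], iso0_pin_block(pin, pan))
    for key_in, key_out in zip(zone_keys, zone_keys[1:]):
        enc = translate(enc, key_in, key_out)
    return decode_iso0(zone_cipher(zone_keys[-1], enc), pan)

if __name__ == "__main__":
    keys = [b"atm-acquirer", b"acquirer-switch", b"switch-issuer"]  # constructed
    print(run_transaction("1234", "4000001234567899", keys))  # 1234
```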
Odelia Moshe Ostrovsky authored the paper with co-author Omer Berkman, a researcher at The Academic College of Tel Aviv-Yaffo. The ARX report said issuer keys are not necessary because computers along the network can be tricked into revealing PINs through a series of electronic queries. These would enable criminals to make a series of guesses about the encryption code and break it. They explained that thousands of PINs and account numbers could be obtained and fake ATM cards could then be manufactured.
ARX, which manufactures security modules for the ATM networks, said its products are also susceptible because of the system protocols they must follow. ARX reported its findings to the Visa credit card association's risk management team six months ago, but made the report public recently because it has seen no real corrective action being taken. The 19-page report, "The unbearable lightness of PIN cracking", is available online.
Rosetta Jones, a spokeswoman for Visa who also helps write the company's security standards, confirmed that the flaws described in the paper are real, but said the threats are minimal. "This research paper addresses an area that has been known for some time to the payments industry." "There are a range of standard security measures in place within member institutions and processors -- including limited access to databases and segregation of duties -- that make this kind of attack highly unlikely." Russian websites have had a lot of discussion on this topic since the paper was released. Russian mobs are often involved in the hacking of financial systems and have claimed some successes in the past, though not with this vulnerability. The hacker would need to be on the same local network as the hardware security module, but ATM switches are heavily guarded and monitored, which reduces the opportunity for such an intrusion, reports the BITS organization. BITS is a consortium of security experts from the nation's top 100 financial institutions.
Many argue that the attack could happen, while others say it isn't likely. If it did happen, the losses could be huge. ATM/debit and POS transactions are still increasing. In the U.S. there are an estimated 8 billion transactions annually with $600 billion in cash dispensed, according to Dove Consulting.