Tuesday, December 26, 2006
The Vulnerability of ATM Encryption Systems
The U.S. Secret Service is investigating a report from computer researchers in Israel who say they discovered a flaw in the system banks use to encrypt ATM transactions.
Because transactions most often pass through several different systems connected to special networks, the account number and PIN are encrypted into a "PIN Block" as the transaction travels from the customer to their bank. The PIN Block is decrypted when it reaches each new system and is immediately re-encrypted by that system under its own key. It is at this point that the researchers believe an attack could occur and fool the system into revealing the confidential data.
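To make the PIN Block translation step concrete, here is an added Python example (not code from the post or from the researchers) that builds an ISO 9564 format 0 PIN block, which binds the PIN to the account number, and models the decrypt-and-re-encrypt step a switch performs. The zone-key cipher is a labelled stand-in (a SHA-256 derived pad) because Python's standard library has no 3DES; the PAN, PIN and key names are constructed sample values.

```python
import hashlib


def iso0_clear_pin_block(pin: str, pan: str) -> bytes:
    """Build an ISO 9564-1 format 0 clear PIN block (8 bytes).
    PIN field: '0', PIN length, the PIN digits, padded with 'F' to 16 hex digits.
    PAN field: '0000' + the 12 rightmost PAN digits excluding the check digit.
    XORing the two fields ties the block to the account number."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 12 digits")
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("PAN must be at least 13 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))


def iso0_extract_pin(block: bytes, pan: str) -> str:
    """Recover the PIN from a clear format 0 block; needs the matching PAN."""
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    pin_field = bytes(a ^ b for a, b in zip(block, pan_field)).hex().upper()
    n = int(pin_field[1], 16)
    # Format checks an HSM performs before accepting the block.
    if pin_field[0] != "0" or not 4 <= n <= 12 or pin_field[2 + n:] != "F" * (14 - n):
        raise ValueError("not a well-formed format 0 PIN block")
    return pin_field[2:2 + n]


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for the zone-key cipher (3DES in real systems): XOR with a
    key-derived pad. Only for illustrating data flow; it is not secure."""
    pad = hashlib.sha256(key).digest()[:8]
    return bytes(a ^ b for a, b in zip(block, pad))


def hsm_translate(encrypted_block: bytes, key_in: bytes, key_out: bytes) -> bytes:
    """The translation step at a switch: decrypt under the incoming zone key and
    re-encrypt under the outgoing one. In a real HSM the clear block exists only
    inside the module; the caller sees ciphertext on both sides."""
    clear = toy_block_cipher(key_in, encrypted_block)
    return toy_block_cipher(key_out, clear)


if __name__ == "__main__":
    pan, pin = "4123456789012349", "1234"          # constructed sample values
    key_acquirer, key_issuer = b"zone-key-acquirer", b"zone-key-issuer"
    clear = iso0_clear_pin_block(pin, pan)
    on_wire = toy_block_cipher(key_acquirer, clear)
    forwarded = hsm_translate(on_wire, key_acquirer, key_issuer)
    print(clear.hex().upper(), on_wire.hex(), forwarded.hex())
```

Because the PAN field is XORed into the block, the same PIN yields a different block for every account, and recovering the PIN from a clear block requires the PAN used to build it; this dependency is the part of the design the researchers' paper examines.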
Odelia Moshe Ostrovsky authored the paper with co-author Omer Berkman, a researcher at The Academic College of Tel Aviv-Yaffo. The ARX report said issuer keys are not necessary because computers along the network can be tricked into revealing PINs through a series of electronic queries. These would enable criminals to make a series of guesses about the encryption code and break it. They explained that thousands of PINs and account numbers could be obtained and fake ATM cards could then be manufactured.
ARX, which manufactures security modules for the ATM networks, said its products are also susceptible because of the system protocols they must follow. ARX reported its findings to the VISA credit card association's risk management team six months ago, but made the report public recently because it has seen no real corrective action being taken. The 19-page report, "The unbearable lightness of PIN cracking," is available online.
Rosetta Jones, a spokeswoman for Visa who also helps write its security standards, confirmed that the flaws described in the paper are real, but said the threat is minimal. "This research paper addresses an area that has been known for some time to the payments industry." "There are a range of standard security measures in place within member institutions and processors -- including limited access to databases and segregation of duties - that make this kind of attack highly unlikely." Russian websites have seen a lot of discussion on this topic since the paper was released. Russian mobs are often involved in the hacking of financial systems and have claimed some successes in the past, though not with this vulnerability. The attacker would need to be on the same local network as the hardware security module, and ATM switches are heavily guarded and monitored. This reduces the opportunity for such an intrusion, reports the BITS organization. BITS is a consortium of security experts from the nation's top 100 financial institutions.
Many argue that the attack could happen, while others say it isn't likely. If it did happen, the losses could be huge. ATM/debit and POS transactions are still increasing. In the U.S. there are an estimated 8 billion transactions annually with $600 billion in cash dispensed, according to Dove Consulting.
Friday, December 22, 2006
Internet Video Garners Attention
You've just had a robbery. You know the robber was on your video and both you and the police want this person found. What do you do? You release it to the press and hope that many people will watch the news and look for the bad guy.
In Canada, police in the Southern Ontario city of Hamilton released a video on YouTube. They had a 12-second clip showing a murder suspect from a nightclub. The video is actually from a bank ATM machine. The video was downloaded 30,000 times and George Gallow, of Hamilton, turned himself in. He had a ball cap with "Joker" on it in the video.
Perhaps this will lead to a newer version of "Most Wanted" but on the Internet. The video is seen here. When I searched YouTube I searched on "Hamilton police" and had two pages of hits! The one discussed here is titled "JJ Hamilton Murder."
Dumpster Diver David Dright - Arrested
You may not know David Dright, but there are some merchants and creditors who do, but they know him as any one of 27 Lake County, IL residents or perhaps as one of almost 90 professional baseball players.
Dright, from Chicago, was arrested for identity theft. The personal information on the baseball players, including Chicago White Sox slugger Jim Thome and New York Mets outfielder Moises Alou, was potentially obtained at SFX Baseball Inc., a sports agency that deals with Major League Baseball. Dumpster diving was one way he obtained information, based on the evidence found in his home. This included Social Security numbers, dates of birth, canceled paychecks, obituaries and infant death records.
When is the last time you reminded your commercial customers about information security, high tech and low?
Friday, December 08, 2006
When we think of information security we think of computers, tapes, discs, modems, emails and such. But we need to take off the blinders and see the bigger picture. Premier Bank in Jefferson, MO was reminded of this recently, and the rest of us should learn from their misfortune.
On a November night when many of the bankers were gathered at a local hotel to receive a Missouri Chamber of Commerce Award as one of the state's fastest growing businesses, a thief was breaking into their vehicles parked outside. One of those belonged to the bank's chief financial officer. As many bankers do, he was taking some work home. Stolen from his truck was a list of October's new customers, 1,800 of them. This list had their names and account numbers, but no Social Security numbers or other confidential information. Also taken was a $250,000 non-negotiable bank certificate.
The bank immediately brought in security and attempted to recover the items and search trash bins for them as well. The book wasn't recovered, but notifications were made to law enforcement and the customers. Certainly that isn't the welcome letter the bank would want to send to new accounts. Now the customers are on notice to watch their accounts and the bank is doing the same.
We need to be vigilant in our security measures and remember that losses happen in the low-tech world, just like the high-tech. Security procedures need to address confidential data wherever it may be. Premier no longer allows this information outside the bank. What is your policy? Will files or reports be in a personal vehicle tonight, and will that employee stop on the way home, putting them at even greater risk?
