Will You Ever Use Your ATM Again? Presented by: Bob Clary, Carolyn McLellan, Jane Mosher, Karen Weil-Yates.

Presentation transcript:

Slide 1: Will You Ever Use Your ATM Again?
Presented by: Bob Clary, Carolyn McLellan, Jane Mosher, Karen Weil-Yates

Slide 2: Top 10 Quick Facts
- 1 new ATM installed every 5 minutes
- ATM fraud in the US is approximately $50M/year
- 1.2M ATMs installed worldwide
- The ATM is equal in importance to cell phones and email
- Total cost of fraud is 4x the actual amount of money taken
- 281,000 customers affected
- Fraud growth rate is up to 35%/year
- Soft target / low risk to criminals
- Impossible to identify criminals (often not prosecuted)
- New gang-oriented activity

Slide 3: Information on Cryptology Failures
- Not published or advertised
- Compare to airline crashes:
  - Team of investigators
  - Accountability
  - Fix the problem
- How can you fix the problem if you don't know there was a problem?
- If you can't investigate the steps that led to a security breach, how can you analyze it?

Slide 4: Investigation of ATM Security
- The banking industry is the largest business after government
- How can you prove you did NOT withdraw funds from your bank?
- PIN security assumptions:
  - The magnetic stripe on the bank card contains the account number
  - The PIN is derived by encrypting the account number and using only 4 digits

Slide 5: Weakness of ATM
- Magnetic stripe: easily captured (card skimming)

Slide 6: How PINs Were Derived
- Used DES to calculate a natural PIN; an offset is added
  - No real cryptographic function
  - Lets customers choose their own PINs
- A DES key can be compromised in 22 hrs
- Many banks are now using triple-DES
  - Equipment and software compatibility with DES
  - Estimated time of compromise is 200 trillion years if there is no paper trail
- Example:
  - Account number: 8807012345691715
  - PIN key: FEFEFEFEFEFEFEFE
  - Result of DES: A2CE126C69AEC82D
  - Result in decimal form: 0224126269042823
  - Natural PIN: 0224
  - Offset: 6565
  - Customer PIN: 6789
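The derivation on this slide, worked through as an added example (Go code written for this edit, not from the presentation or from any bank's system). It assumes the 16 account-number digits are packed into the 8-byte DES block one digit per nibble, and it uses the standard decimalisation table in which the hex digits A to F map to 0 to 5, which is the mapping that turns the slide's A2CE126C69AEC82D into 0224126269042823. The DES step uses Go's standard-library crypto/des; the slide's figures are embedded as constructed reference data, and the program prints its own DES result next to the quoted one so the two can be compared. It then shows both directions of the offset arithmetic: deriving the customer PIN from natural PIN plus offset, and computing the offset the bank would store when a customer chooses a PIN. The point to take away is that the offset does not need to be secret (it is useless without the natural PIN), whereas the PIN key is exactly the secret that must never leave the security module.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Figures copied from the slide's worked example (constructed reference data, not live card data).
const (
	accountNumber = "8807012345691715" // 16 decimal digits, packed as 8 bytes (assumed encoding)
	pinKeyHex     = "FEFEFEFEFEFEFEFE" // the PIN key quoted on the slide
	slideDESHex   = "A2CE126C69AEC82D" // the DES result quoted on the slide
	slideOffset   = "6565"
)

// Decimalisation table: hex digits 0-9 map to themselves, A-F map to 0-5.
const decimalisationTable = "0123456789012345"

// desEncryptHex performs a single DES block encryption of 8 bytes under an 8-byte key.
func desEncryptHex(keyHex, dataHex string) (string, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil {
		return "", err
	}
	data, err := hex.DecodeString(dataHex)
	if err != nil {
		return "", err
	}
	block, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, data)
	return strings.ToUpper(hex.EncodeToString(out)), nil
}

// decimalise maps every hex digit of the DES output through the decimalisation table.
func decimalise(hexResult string) string {
	var b strings.Builder
	for _, c := range strings.ToUpper(hexResult) {
		idx := strings.IndexRune("0123456789ABCDEF", c)
		if idx < 0 {
			continue // not a hex digit; ignore it
		}
		b.WriteByte(decimalisationTable[idx])
	}
	return b.String()
}

// naturalPIN is the first four decimalised digits.
func naturalPIN(decimalised string) string {
	return decimalised[:4]
}

// addOffset adds the offset digit by digit modulo 10 (no carries) to give the customer PIN.
func addOffset(natural, offset string) string {
	out := make([]byte, len(natural))
	for i := range natural {
		out[i] = byte('0' + (int(natural[i]-'0')+int(offset[i]-'0'))%10)
	}
	return string(out)
}

// computeOffset is the inverse: the value the bank stores when a customer chooses a PIN.
func computeOffset(natural, chosen string) string {
	out := make([]byte, len(natural))
	for i := range natural {
		out[i] = byte('0' + (int(chosen[i]-'0')-int(natural[i]-'0')+10)%10)
	}
	return string(out)
}

func main() {
	result, err := desEncryptHex(pinKeyHex, accountNumber)
	if err != nil {
		panic(err)
	}
	fmt.Printf("DES result computed: %s (slide quotes %s)\n", result, slideDESHex)
	dec := decimalise(slideDESHex)
	nat := naturalPIN(dec)
	fmt.Printf("Decimalised: %s, natural PIN: %s, customer PIN: %s\n", dec, nat, addOffset(nat, slideOffset))
	fmt.Printf("Offset the bank stores for a chosen PIN of 6789: %s\n", computeOffset(nat, "6789"))
}
```

Because the offset is applied without carries, each digit of the customer PIN depends on exactly one digit of the natural PIN, so the offset adds no cryptographic strength; the 56-bit PIN key is the only thing standing between an account number and its natural PIN, which is why slides 6 and 7 treat DES key compromise as a direct PIN compromise.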

Slide 7: DES
- 56-bit key
- Considered secure until January 1999
  - 22 hours to break
  - DES cracker available online for $200,000
- ATMs vulnerable

Slide 8: Security Breaches
- Inside (most threats)
- Outside

Slide 9: Inside Security Breaches
- Bank clerk issues two cards: one for the customer, one for himself
  - The bank had a policy that ATM withdrawals with receipts did not show up on the customer statement
- ATM has a computer attached that captures PINs and account numbers
- Tellers issued ATM cards that can debit any customer account
  - For use when tellers ran out of cash
- Loss of dual-control security measures to cut down on costs

Slide 10: Outside Security Breaches
- Unscrupulous persons stand in the ATM line and observe customers entering PINs
  - Pick up discarded ATM tickets, which used to have the entire account number
  - Copied account numbers to blank cards
  - Changed in 1992 to display only a few digits of the account number
- Jackpotting
  - Record a 'pay' response (which is not authenticated or encrypted) from the bank to the machine
  - Replay it until the machine is empty

Slide 11: Outside Security Breaches
- Poor programming
  - Telephone card inserted; the program assumed it was the previous ATM card
- Sending cards and PINs through the postal service
  - Think college students

Slide 12: Outside Security Breaches
- Testing programs not deleted
- Vending machines that take ATM cards
  - Record PINs and account numbers, sending the data by modem to thieves
- Used ATMs can be bought
  - Like a used computer with all the software included

Slide 13: PINs
- Personal Identification Number
- Used in conjunction with the magnetic stripe

Slide 14: Why 4-Digit PINs?
- With standard usage: 1 in 10,000 chance of discovering the PIN
  - With 3 tries, access is denied and the card confiscated
  - Now the chance of discovery is 1 in 3,333
- Ways security is decreased:
  - Offline ATMs and POS devices without full encryption
  - Mathematical calculation of PINs
    - Credit card: Digit 1 + Digit 4 = Digit 2 + Digit 3
    - Debit card (same bank): Digit 1 + Digit 3 = Digit 2 + Digit 4
  - A mathematical formula can be used to cut down on the possible combinations; e.g. PIN 4455

Slide 15: Discovering PINs
- Banks suggesting ways for persons to remember PINs (other than writing them down)
- Ex: 2256
- Increased odds of discovery from 1 in 3,333 to 1 in 8

  1234567890
  rbjgflmjcp
  oleloaiaru
  acetuoricu
  ehdnmekydg

Slide 16: Discovering PINs
- Programming
  - Bank issued the same PIN to everyone
  - Only 3 variations of PINs used, then forged
- Random PINs (not encrypted from the account number) or customer-selected PINs
  - Bank file holding PINs: if the same encrypted version of a PIN is used, a programmer can search the account database for users with the same PIN
- Banks writing the encrypted PIN to the card stripe
  - Change the account number on your own card to that of the target and use it with your own PIN

Slide 17: How ATM Encryption Should Work
- Review DES Encryption
- PIN key must be kept secret
- Terminal key at each ATM
  - Carried to each branch by two separate officials
  - Input at the ATM keyboard
  - Combined to form the key
- PIN key encrypted under the terminal key
  - Sent to the ATM by the bank's central computer

Slide 18: ATM Encryption Between Banks
- Foreign PINs encrypted at the ATM
  - Using a working key shared with own bank (current ATM)
- Decrypted and immediately re-encrypted using another working key shared with the card-issuing bank (customer's ATM)
- Working keys must be protected by a ZONE key shared with other banks or the network switch
  - Sets up fresh working keys every day for each ATM, encrypting under the ATM's terminal key

Slide 19: How Are All These Keys Kept Secure?
- PC in a safe with a security module
  - Manages all the bank's keys and PINs
  - Programmers only see encrypted PINs
  - Requires special hardware devices
    - Expensive
    - Time-consuming to install security modules
    - Not provided for some equipment
- No special security modules
  - Control through software
  - Programmers now have more information: they can find the PIN key

Slide 20: Security Module Software Problems
- Back door for vendor maintenance
- Terminal emulation software can be set to log all transactions
  - Ex: bank setting up zone keys with VISA
- Working keys 20 bits instead of 56 bits
  - Once 1000 keys are generated, the probability increases that there will be duplicates
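To put the 20-bit working key point into numbers, an added example (Go code written for this edit, not from the presentation): it computes the exact birthday-problem probability that a batch of n working keys drawn uniformly from a key space of 2^bits contains a duplicate, summing the log of each successive "still no collision" factor so that nothing underflows, and it also gives the batch size at which a duplicate becomes more likely than not. The comparison between 20 and 56 bits is what makes the slide's "1000 keys" remark concrete: at 20 bits a thousand keys already gives a duplicate with probability near 0.38, at 56 bits the same batch is safe by a factor of many billions.

```go
package main

import (
	"fmt"
	"math"
)

// collisionProbability is the probability that at least two of n keys drawn uniformly at random
// from a space of 2^keyBits values coincide (the birthday problem), computed exactly in log space.
func collisionProbability(n int, keyBits uint) float64 {
	space := math.Pow(2, float64(keyBits))
	logNoCollision := 0.0
	for i := 0; i < n; i++ {
		// the i-th key avoids the i keys already drawn with probability 1 - i/space
		logNoCollision += math.Log1p(-float64(i) / space)
	}
	// 1 - exp(x) computed as -expm1(x) to keep precision when x is tiny
	return -math.Expm1(logNoCollision)
}

// keysForHalfChance approximates the batch size at which a duplicate becomes more likely than
// not: sqrt(2 ln 2 * 2^keyBits), the usual birthday-bound estimate.
func keysForHalfChance(keyBits uint) float64 {
	return math.Sqrt(2 * math.Ln2 * math.Pow(2, float64(keyBits)))
}

func main() {
	for _, bits := range []uint{20, 56} {
		fmt.Printf("%2d-bit working keys: P(duplicate among 1000) = %.3g; ~%.0f keys for a 50%% chance\n",
			bits, collisionProbability(1000, bits), keysForHalfChance(bits))
	}
}
```

A duplicated working key matters in this setting because two ATMs (or two days of one ATM) would then encrypt PINs under the same key, so material captured from one session becomes useful against the other; the fix the slides imply is simply to let the security module generate full-length keys.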

Slide 21: Security Module Software Problems
- Lose the key to the secure room? Drill in
- Are the switches to the secure computer secure?
- Where is the backup of the security modules?
- Where is the controller for the ATM dispenser?
  - Needs to be next to the dispenser so information is not sent over the wire to the branch office

Slide 22: Poor Implementation of Security
- Response codes for incoming transactions: are they monitored, logged, analyzed?
- Subcontracting ATMs and giving the contractor the PIN key
- PIN keys shared between banks
- Poor key management
  - No dual control
  - Keys kept in files rather than locked up
  - No documented procedures for handling keys

Slide 23: Cryptanalysis
- Some banks using old algorithms
- Hacking into a proprietary system to determine the algorithm
- Weak algorithms: RSA with key sizes between 100 and 400 bits (need a minimum of 500 bits)
- Brute force, especially of zone keys

Slide 24: Triple DES
- Current implementation
- Two 56-bit keys
- Encrypt-decrypt-encrypt model
  - KL (Key Left): DES encryption
  - KR (Key Right): DES decryption
  - KL encrypts again
- Estimated 200 trillion years to crack
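Slides 17, 18 and 24 together describe how keys are handled: a terminal key assembled from components carried by two officials, a PIN key or working key delivered to the ATM encrypted under that terminal key, and the two-key encrypt-decrypt-encrypt form of triple DES. The following Go program, written for this edit and not part of the presentation, shows all three with constructed sample values (hypothetical keys; real components are generated inside the HSM and never appear in source code). It combines the two components by XOR, which is the usual way dual-control components are merged and is an assumption here because the slide only says "combined"; it wraps a PIN key under the terminal key with a single DES block operation and unwraps it as the ATM would; and it checks that the standard-library triple-DES cipher keyed as KL||KR||KL equals the slide's model built from three single DES calls, and that with KL equal to KR it collapses to plain DES, which is the compatibility with DES equipment that slide 6 mentions.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// Constructed sample values for illustration only; real key material comes from the HSM.
var (
	componentA = mustHex("0123456789ABCDEF") // hypothetical component carried by official 1
	componentB = mustHex("2222222222222222") // hypothetical component carried by official 2
	pinKey     = mustHex("13579BDF02468ACE") // hypothetical PIN key the central computer sends to the ATM
	keyLeft    = mustHex("A1B2C3D4E5F60718") // hypothetical KL for triple DES
	keyRight   = mustHex("8F7E6D5C4B3A2910") // hypothetical KR for triple DES
	sample     = mustHex("4142434445464748") // constructed 8-byte block to encrypt
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// combineComponents XORs two key components (assumed combining rule). Each official only ever
// sees one component, so neither of them alone learns the terminal key.
func combineComponents(a, b []byte) ([]byte, error) {
	if len(a) != len(b) {
		return nil, fmt.Errorf("component lengths differ: %d vs %d", len(a), len(b))
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

// desEncryptBlock applies single DES to one 8-byte block; used both to wrap a key for transport
// to the ATM and as a building block for the EDE model below.
func desEncryptBlock(key, block []byte) ([]byte, error) {
	c, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// desDecryptBlock is what the ATM does with the wrapped key using its own copy of the terminal key.
func desDecryptBlock(key, block []byte) ([]byte, error) {
	c, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Decrypt(out, block)
	return out, nil
}

// tdesEncryptBlock uses the library's triple-DES cipher; two-key EDE is keyed as KL || KR || KL.
func tdesEncryptBlock(kl, kr, block []byte) ([]byte, error) {
	key := make([]byte, 0, 3*des.BlockSize)
	key = append(key, kl...)
	key = append(key, kr...)
	key = append(key, kl...)
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// edeStepwise spells out the slide's model: KL encrypts, KR decrypts, KL encrypts again.
func edeStepwise(kl, kr, block []byte) ([]byte, error) {
	step1, err := desEncryptBlock(kl, block)
	if err != nil {
		return nil, err
	}
	step2, err := desDecryptBlock(kr, step1)
	if err != nil {
		return nil, err
	}
	return desEncryptBlock(kl, step2)
}

func must(b []byte, err error) []byte {
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	terminalKey := must(combineComponents(componentA, componentB))
	wrapped := must(desEncryptBlock(terminalKey, pinKey))    // what travels over the wire
	recovered := must(desDecryptBlock(terminalKey, wrapped)) // what the ATM recovers
	fmt.Printf("terminal key %X, wrapped PIN key %X, recovered correctly: %v\n",
		terminalKey, wrapped, bytes.Equal(recovered, pinKey))
	lib := must(tdesEncryptBlock(keyLeft, keyRight, sample))
	manual := must(edeStepwise(keyLeft, keyRight, sample))
	fmt.Printf("EDE via crypto/des %X, via three DES calls %X, equal: %v\n", lib, manual, bytes.Equal(lib, manual))
	collapsed := must(tdesEncryptBlock(keyLeft, keyLeft, sample))
	single := must(desEncryptBlock(keyLeft, sample))
	fmt.Printf("KL == KR collapses to single DES: %v\n", bytes.Equal(collapsed, single))
}
```

The collapse check is the practical reason slide 26 worries about KL and KR being stored side by side and attacked independently: triple DES only delivers its extra strength when the two halves are kept, and protected, as a pair.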

Slide 25: Secure Key Management
- All DES keys are safe if used only once and discarded
- Keys are stored in two other states:
  - Host's memory or database
  - Transmission over networks
- Vulnerable when stored or transmitted outside the HSM (hardware or host security module)

Slide 26: Secure Key Management
- Triple DES keys are stored as two DES keys (KL and KR)
  - Side by side in a database
- Access to the HSM
  - Independent DES keys can be "attacked"
  - Shared among other systems attached to the host

Slide 27: Solution (Everywhere But US)
- EMV Standard: EuroPay, MasterCard, Visa
- SmartCard (with a chip)
- January 2005

Slide 28: Bank Smart Cards
- Transaction using a chip and terminal
- Reduces counterfeiting due to complexity and expense
- Can work with an HSM

Slide 29: Future Enhancements of EMV/Smart Card
- Biometric capacity
  - Iris scanning
  - Fingerprinting
  - Voice recognition
- Backwards compatible (magnetic stripes)

Slide 30: References
- R. Anderson, "Why Cryptosystems Fail" (March 1998); available at http://www.cl.cam.ac.uk/users/rja14/wcf.html
- Celent Communications, "Smart Cards in US Banking: Is the Chip Hip?" (October 18, 2001); available at http://www.celent.com/pressreleases/20011018/smartcard.htm
- "Combining Key Management with Triple-DES to Maximize Security" (July 2002); available at http://h71028.www7.hp.com/erc/downloads/atkeyblwp.pdf
- "EMV Smart Card Issuing" (2004); available at http://www.thales-esecurity.com/solutions/emv_smartcard.shtml

Slide 31: References
- The Jolly Roger (alias), "Jackpotting ATM Machines," The Anarchist's Cookbook (retrieved May 17, 2005); available at http://isuisse.ifrance.com/emmaf/anarcook/jackatm.htm
- Levelfour Americas, "Could Growing ATM Fraud Accelerate US Conversion to the Chip Card?" (November 2004); available at http://www.atmmarketplace.com/whitepapers/Level_Four__EMV.pdf
- B. and D. Mikkelson, "Bank ATMs Converted to Steal IDs of Bank Customers" (January 19, 2004); available at http://www.snopes.com/crime/warnings/atmcamera.asp


