Information Security News mailing list archives

RE: Students crack bank pin codes


From: InfoSec News <isn () c4i org>
Date: Mon, 12 Nov 2001 03:41:32 -0600 (CST)

Forwarded from: William Shenfield <william.shenfield () apcentric com>

For seven years I was a major player in a team that developed the
software used by a large number of international banks (80+). On
reading this news article, I was initially surprised that there seemed
to be an easy way to hack into the security of such banks.  However,
as the story unfolded it became clear that there was a gap between the
real world and how the Media can exploit a lab exercise to propagate a
scare, so I decided to look at what Messrs Bond and Clayton were
actually saying:

There are ways to persuade the commercially available crypto processor
IBM 4758 running IBM's ATM (cash machine) support software called the
"Common Cryptographic Architecture" (CCA) to export any and all its
DES and 3DES keys AND all that is needed is:

  - about 20 minutes uninterrupted access to the device
  - one person's ability to use the Combine_Key_Parts permission
  - a standard off-the-shelf $995 FPGA evaluation board from Altera
  - about two days of "cracking" time.

What they have uncovered is important and all Security and Crypto
professionals (especially software developers using encryption) need
to take note as the key management principles used by the CCA (with
the provided API (Application Programme Interface)) are not as secure
as was thought and are used in a lot of systems.  It is lucky they did
not provide an example that could be easily exploited as I'm sure
there are a lot out there.  As stated in the news article, to exploit
the flaw requires a significant amount of physical access, as you
would need to be able to permanently monitor the communication lines
(which are typically synchronous, not asynchronous as found in PCs).  
Also, there are typically other security measures in place that would
make it more difficult to breach security than the article implies. It
would be simpler for criminals to use a bulldozer to remove the ATM
from the wall of the Bank, as has been done in the past.

We need to be clear about where and what the issues are, in this case
it's with CCA and its API.

It is very important that this information becomes public, the next
generation of products need to be built upon better foundations than
the previous. However, if new vulnerability disclosure policies become
widespread, everyone stands to lose, as the security of systems will
not improve - how could it if we don't know about the issues?


Regards,

William J Shenfield
DCM-On-line - Security & Technical Architect
E: william.shenfield () dcm-on-line com

Any opinions expressed in the email are those of the individual and
not necessarily of the company.  This email and any files transmitted
with it are confidential and solely for the use of the intended
recipient.  It may contain material protected by attorney-client
privilege.  If you are not the intended recipient or person
responsible for delivering to the intended recipient, be advised that
you have received this email in error and that any use is strictly
prohibited.  If you have received this email in error please notify
the IT manager.



-----Original Message-----
From: owner-isn () attrition org [mailto:owner-isn () attrition org] On Behalf Of InfoSec News
Sent: 09 November 2001 08:59
To: isn () attrition org
Subject: [ISN] Students crack bank pin codes


Forwarded from: Will Munkara-Kerr <WillM () CS NSW GOV AU>

http://www.smh.com.au/news/0111/09/world/world100.html

Two British PhD students have designed a computer program to crack
bank security codes which potentially gives them access to hundreds of
thousands of PIN numbers, it emerged today.

Armed with the software and hardware, the pair have shown that it is
theoretically possible to download large amounts of confidential
financial information, allowing a potential thief to steal vast
amounts of cash.

The two Cambridge University students plan to put details of how to
crack the systems on the internet in an effort to ensure security is
improved.

The security breach was revealed in the BBC's Newsnight program, which
outlined how it was possible to translate the 16-digit number for cash
cards from data downloaded by the program.

Michael Bond, 22, one of the students involved, said he felt not
enough was being done to ensure that the hole in security was blocked.
"Banks' approach to security at the moment is too closed, they are
relying on outdated concepts such as security through obscurity.

"What they really need to do is pay more attention to the open
community including academia and get more peer review on some of the
systems that they are using.

"We need to see banks being more accountable for the security of
people's money."

He said the breach could only be performed by bank staff with access
to bank computers.

The system involved is based on IBM's 4758 crypto-processor used by
banks, the military and governments across the world to protect their
networks.

The attacks work using a combination of software developed by Mr Bond
and off-the-shelf hardware costing less than STG750 ($A2,140)
developed by mature student Richard Clayton.

[...]



-
ISN is currently hosted by Attrition.org
