Forwarded from: Will Munkara-Kerr <WillMat_private>

http://www.smh.com.au/news/0111/09/world/world100.html

Two British PhD students have designed a computer program to crack bank security codes, potentially giving them access to hundreds of thousands of PINs, it emerged today. Armed with the software and hardware, the pair have shown that it is theoretically possible to download large amounts of confidential financial information, allowing a potential thief to steal vast amounts of cash.

The two Cambridge University students plan to put details of how to crack the systems on the internet in an effort to ensure security is improved.

The security breach was revealed in the BBC's Newsnight program, which outlined how the data downloaded by the program could be used to derive customers' PINs from the 16-digit numbers on their cash cards.

Michael Bond, 22, one of the students involved, said he felt not enough was being done to ensure that the hole in security was blocked.

"Banks' approach to security at the moment is too closed; they are relying on outdated concepts such as security through obscurity.

"What they really need to do is pay more attention to the open community, including academia, and get more peer review on some of the systems that they are using.

"We need to see banks being more accountable for the security of people's money."

He said the breach could only be performed by bank staff with access to bank computers.

The system involved is based on IBM's 4758 crypto-processor, used by banks, the military and governments across the world to protect their networks.

The attacks work using a combination of software developed by Mr Bond and off-the-shelf hardware costing less than STG750 ($A2,140) developed by mature student Richard Clayton.

Their research shows it is possible for a single individual, with only the level of access to a bank's computer system granted to a temporary computer contractor, to extract and download information.
Within 20 minutes that individual can extract from the crypto-processor the material needed to recover the secret "key" it uses to scramble customer PINs. Once taken home on a floppy disk, it would take around a day using the Cambridge equipment to reveal the "key". With that "key", the 16-digit number on the front of a cash card can be turned into the customer's PIN, meaning a criminal could plunder thousands of bank accounts.

Alan Cox, a computer operating system developer, said: "This is a military grade protected encryption system where you have to have licences to possess them.

"I would expect the reaction of the banking industry is probably one of pure horror ... shared by the military and a considerable number of other bodies."

Computer company IBM says normal bank practice and procedure would prevent any possibility of launching such an attack. It says in a statement that this academic study is based on specific laboratory conditions. IBM says in the real world there are too many physical safeguards and authority protections for such an attack to be successful.

PA

- ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 02:38:30 PST