RE: [ISN] Students crack bank pin codes

From: InfoSec News (isnat_private)
Date: Mon Nov 12 2001 - 01:41:32 PST


    Forwarded from: William Shenfield <william.shenfieldat_private>

    For seven years I was a major player in a team that developed the
    software used by a large number of international banks (80+). On
    reading this news article, I was initially surprised that there seemed
    to be an easy way to hack into the security of such banks.  However,
    as the story unfolded it became clear that there was a gap between the
    real world and how the Media can exploit a lab exercise to propagate a
    scare, so I decided to look at what Messrs Bond and Clayton were
    actually saying:

    There are ways to persuade the commercially available crypto processor
    IBM 4758 running IBM's ATM (cash machine) support software called the
    "Common Cryptographic Architecture" (CCA) to export any and all its
    DES and 3DES keys AND all that is needed is:
      - about 20 minutes uninterrupted access to the device
      - one person's ability to use the Combine_Key_Parts permission
      - a standard off-the-shelf $995 FPGA evaluation board from Altera
      - about two days of "cracking" time.

    What they have uncovered is important and all Security and Crypto
    professionals (especially software developers using encryption) need
    to take note as the key management principles used by the CCA (with
    the provided API (Application Programme Interface)) are not as secure
    as was thought and are used in a lot of systems.  It is lucky they did
    not provide an example that could be easily exploited as I'm sure
    there are a lot out there.  As stated in the news article, to exploit
    the flaw requires a significant amount of physical access, as you
    would need to be able to permanently monitor the communication lines
    (which are typically synchronous, not asynchronous as found in PCs).  
    Also, there are typically other security measures in place that would
    make it more difficult to breach security than the article implies. It
    would be simpler for criminals to use a bulldozer to remove the ATM
    from the wall of the Bank, as has been done in the past.

    We need to be clear about where and what the issues are, in this case
    it's with CCA and its API.

    It is very important that this information becomes public, the next
    generation of products need to be built upon better foundations than
    the previous. However, if new vulnerability disclosure policies become
    widespread, everyone stands to lose, as the security of systems will
    not improve - how could it if we don't know about the issues?

    William J Shenfield
    DCM-On-line - Security & Technical Architect
    -----Original Message-----
    From: owner-isnat_private [mailto:owner-isnat_private] On Behalf Of InfoSec News
    Sent: 09 November 2001 08:59
    To: isnat_private
    Subject: [ISN] Students crack bank pin codes

    Forwarded from: Will Munkara-Kerr <WillMat_private>

    Two British PhD students have designed a computer program to crack
    bank security codes which potentially gives them access to hundreds of
    thousands of PIN numbers, it emerged today.

    Armed with the software and hardware, the pair have shown that it is
    theoretically possible to download large amounts of confidential
    financial information, allowing a potential thief to steal vast
    amounts of cash.

    The two Cambridge University students plan to put details of how to
    crack the systems on the internet in an effort to ensure security is

    The security breach was revealed in the BBC's Newsnight program, which
    outlined how it was possible to translate the 16-digit number for cash
    cards from data downloaded by the program.

    Michael Bond, 22, one of the students involved, said he felt not
    enough was being done to ensure that the hole in security was blocked.

    "Banks' approach to security at the moment is too closed, they are
    relying on outdated concepts such as security through obscurity.

    "What they really need to do is pay more attention to the open
    community including academia and get more peer review on some of the
    systems that they are using.

    "We need to see banks being more accountable for the security of
    people's money."

    He said the breach could only be performed by bank staff with access
    to bank computers.

    The system involved is based on IBM's 4758 crypto-processor used by
    banks, the military and governments across the world to protect their

    The attacks work using a combination of software developed by Mr Bond
    and off-the-shelf hardware costing less than STG750 ($A2,140)
    developed by mature student Richard Clayton.