Monday, February 24, 2003

Bank ATM Security Not So Secure ... ???

Both the Volkskrant and report that Cambridge researchers have found flaws that may have an impact on ATM security. An article in e-week explains more: as part of a court case, scientific evidence is being used to back the claim of a South African couple.

The case concerns a South African couple that claims someone used their Diners Club card to make 190 withdrawals at ATMs all over the U.K. while they were in South Africa. The card's issuer says that's not possible, because their ATM network is secure, and is suing the couple to recover the nearly $80,000 that was charged against the card.

As part of the defense, Bond has been asked to testify about the ATM-related weaknesses he and Zielinski address in their paper. However, the plaintiffs, Diners Club SA Ltd., have asked for a secrecy order around the testimony of Bond and other security experts, saying that the publication of the ATM issues described in the paper would harm their business and open their networks up to attack.

The Register has some more detail:

Mike Bond and Piotr Zielinski have published a paper detailing how a complex mathematical attack can yield a PIN in an average of 15 guesses.

The Register also gives the reference to the original paper:

Decimalisation table attacks for PIN cracking, by Mike Bond and Piotr Zielinski of Cambridge University. From the paper one learns that the attack has to be carried out by bank insiders with considerable knowledge and access to resources.

Now the one-million (or rather $80,000) question is of course: is this paper on an insider attack relevant to the court case? In my view it may not be. The essential questions for the judge to ask are:

- when did the couple first discover the illegitimate ATM withdrawals?

- where did they use their card in the months before these withdrawals occurred; could their PIN have been observed on those occasions, while skimming took place at the same time?

- are there any more similar fraud occurrences with other account holders that would imply organised crime involving the technical attack described in the paper?

- are there other indicators of a perhaps less sophisticated but similarly effective internal procedural fraud (an internal employee orders and intercepts a regenerated PIN, ordered because the account holder 'forgot their PIN')?

- do the couple know each other's PIN?

- when did they report the losses to their bank?

- who actually made the withdrawals, and was it always one individual, or does the pattern imply an organised multi-ATM attack (photos at the ATM sites)?

- when did Diners start becoming aware of the irregularities in the withdrawal pattern (repeated withdrawals may point to fraud)?

- did the couple use their card regularly for this purpose?

- did the couple extend their credit line recently?

As for the Netherlands, this attack may not be immediately relevant to our ATM security. The technical attack involved is also rather unlikely here. Any situation in which a corrupt programmer had access to the operational ATM infrastructure and authorisation protocols would be a breach of the strict requirement to separate development and operational ICT environments.

Then again, even if such an attack occurred, the detection and logging application should be able to spot a corrupt insider polling the HSM to obtain more detailed information. All the bank needs to do is summarise the HSM logs of the past years and check whether anomalies exist, in particular a sudden increase in verification requests. If not, it is rather unlikely that the attack described in the paper is the basis for the illegitimate ATM transactions. And that's what the court case was all about.
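As an added illustration of the log check suggested above (example code, not from the original post or from the Cambridge paper), here is a small Python script that builds a constructed HSM audit trail in an assumed one-line-per-call format, counts PIN verification requests per account and day, and flags days that spike well above the account's own historical median:

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed audit-line format (constructed for this example, not a real HSM's syntax):
# "<iso timestamp> PIN_VERIFY acct=<account token> result=OK|FAIL"
LINE_RE = re.compile(r"^(\S+) PIN_VERIFY acct=(\S+) result=(OK|FAIL)$")


def build_sample_log():
    """Constructed trail: 30 days with one verify call per account per day, then on
    day 31 account A1 gets 14 verify calls in 14 seconds (a guessing-sequence footprint)."""
    start = datetime(2003, 1, 1, 9, 0, 0)
    lines = []
    for day in range(30):
        for acct in ("A1", "A2"):
            ts = (start + timedelta(days=day)).isoformat()
            lines.append(f"{ts} PIN_VERIFY acct={acct} result=OK")
    burst = start + timedelta(days=30)
    for i in range(14):
        result = "OK" if i == 13 else "FAIL"  # only the last guess succeeds
        ts = (burst + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} PIN_VERIFY acct=A1 result={result}")
    ts = (burst + timedelta(hours=1)).isoformat()
    lines.append(f"{ts} PIN_VERIFY acct=A2 result=OK")  # A2 stays normal
    return lines


def daily_counts(lines):
    """Map account -> day -> number of PIN_VERIFY calls; other HSM commands are ignored."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, acct, _result = m.groups()
            counts[acct][ts[:10]] += 1
    return counts


def flag_spikes(lines, factor=5, min_count=10):
    """Return (account, day, count) for days whose verify count reaches min_count
    and exceeds factor times that account's median over all earlier days."""
    flagged = []
    for acct, per_day in daily_counts(lines).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            baseline = statistics.median(history) if history else 0
            if per_day[day] >= min_count and per_day[day] > factor * baseline:
                flagged.append((acct, day, per_day[day]))
    return flagged
```

Running `flag_spikes(build_sample_log())` reports only the burst day for A1; the thresholds are deliberately loose so that a genuine account holder mistyping a PIN a few times is not flagged.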

Still, this is an interesting case. I'm curious if we get more details on it in the future.