Hundreds of millions of bank account details have been captured over the last year. Now, for the first time in the UK, a man will challenge Chip&PIN security over a phantom withdrawal. A new report has revealed that the ongoing data-loss crisis is being helped along by criminals using increasingly innovative and sneaky methods of attack.
Alain Job, a 40-year-old football coach, saw money disappearing from his account but maintains that he always had possession of his card and did not make the withdrawal. His original claim, made to the Financial Ombudsman Service (which mediates disputes between banks and customers), was unsuccessful in 2007. Now Job has decided to sue over the phantom withdrawal, questioning Chip&PIN security.
“Criminals have re-engineered their processes and developed new tools — such as memory scraping malware — and have successfully executed complex attack strategies previously thought to be only theoretically possible, and are actively cracking PIN encryption,” revealed Verizon’s 2009 Data Breach Investigations Report. The findings come from the operations of its Underground Intelligence Unit.
Personal Identification Numbers (PINs) are now a high-value target for cyber criminals. Criminals implant rogue software inside financial networks to harvest millions of PINs an hour, and PIN and account information are often sold over the internet to the highest bidder.
According to the report, one of the methods being used to collect PINs is to exploit the financial networks’ Hardware Security Module (HSM) switches. Worryingly, the fraudster requires physical access to one of these switches to be able to collect PINs.
Usually there is no direct link between the ATM and the card-holder’s bank’s verification system. The transaction data is bundled into an encrypted data block and hops along HSM switches on its way to the bank. To ensure that no single party knows an overall encryption key, a different key is used between each pair of switches, so the encrypted data block is decrypted and re-encrypted at every switch. The data block can also be reformatted at a switch to suit different financial devices and network schemas.
An attack has been documented by a computing student at Tel Aviv University as part of his master’s thesis, entitled “The unbearable lightness of PIN cracking”. The author, Omer Berkman, describes exploiting the ‘Translate’ function of the box. This is a standard operation of the HSM and part of the Financial PIN Processing API, a 30-year-old standard covering all the functions for PIN verification, changing and reformatting.
The HSM Hack
The attacker makes transactions using any account number, but with a PIN whose value he knows. Once the encrypted PIN and account-number data block reaches the HSM, he uses the translate function to convert it to a weaker data block format using a fixed account number. The attacker only needs 100 transactions; by using a cryptographic flaw in the new format he can build a 10,000-entry look-up table, which he then uses at the HSM to work out any subsequent PIN.
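To show why a translate onto a fixed account number is so damaging, the following added model (not from the article, the thesis or any HSM vendor) builds standard ISO 9564 format 0 PIN blocks, which XOR the PIN with the account number so that one PIN gives a different block per account, and models the Translate operation with a policy check that refuses to re-bind a block to a different PAN. The cipher is a labelled stand-in for the HSM’s 3DES and the keys and PANs are constructed sample values.

```python
import hashlib

# ISO 9564 format 0 PIN block: the PIN field is XORed with a field derived from
# the account number (PAN), so a given PIN yields a different block per account.

def pin_field(pin: str) -> bytes:
    # "0" + PIN length (hex) + PIN digits, padded with F to 16 hex characters
    assert 4 <= len(pin) <= 12 and pin.isdigit()
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))

def pan_field(pan: str) -> bytes:
    # four zeros + the 12 rightmost PAN digits excluding the check digit
    assert len(pan) >= 13 and pan.isdigit()
    return bytes.fromhex("0000" + pan[:-1][-12:])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def iso0_block(pin: str, pan: str) -> bytes:
    return xor(pin_field(pin), pan_field(pan))

def pin_from_iso0(block: bytes, pan: str) -> str:
    field = xor(block, pan_field(pan)).hex().upper()
    return field[2:2 + int(field[1], 16)]

def toy_cipher(key: bytes, block: bytes) -> bytes:
    # Stand-in for the HSM's 3DES: XOR with a key-derived pad (self-inverse,
    # deterministic, NOT secure); enough to model key-to-key translation.
    return xor(block, hashlib.sha256(key).digest()[:8])

class TranslateRefused(Exception):
    pass

def hsm_translate(src_key, dst_key, enc_block, src_pan, dst_pan, strict=True):
    """Model of Translate: decrypt under the incoming zone key, re-encrypt under
    the outgoing one. The legacy API lets the caller name the destination PAN;
    with strict=True the HSM refuses to re-bind the block to another account."""
    if strict and dst_pan != src_pan:
        raise TranslateRefused("translate must not change the PAN binding")
    pin = pin_from_iso0(toy_cipher(src_key, enc_block), src_pan)
    return toy_cipher(dst_key, iso0_block(pin, dst_pan))

def distinct_outputs(pins, pans, src_key, dst_key, fixed_pan):
    """Number of different blocks a permissive (strict=False) HSM emits when
    every PIN/PAN pair is translated onto one fixed PAN. It equals the number of
    distinct PINs: the account no longer matters, so all 4-digit PINs map to at
    most 10,000 outputs and a look-up table of that size decodes any of them."""
    outs = set()
    for pin in pins:
        for pan in pans:
            blk = toy_cipher(src_key, iso0_block(pin, pan))
            outs.add(hsm_translate(src_key, dst_key, blk, pan, fixed_pan, False))
    return len(outs)
```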
Military-grade encryption specialists Credant Technologies have suggested a solution: double the encryption by further encrypting the PIN between the two end-points (ATM and bank verification system). Vice President Michael Callahan said: “There is nothing to stop banks adding military grade encryption as an underlay to their existing HSM-based network encryption system and so ensuring their cardholders are safe from this new type of hacking exploit”.
The Liability Shift
A lot of documentation on hacking payment systems has become available because of anger at the banks shifting the cost of fraud onto the card-holder since the introduction of Chip&PIN.
Before Chip and PIN, magnetic stripe cards and signatures were used for authorisation; if a fraudulent transaction took place, a cardholder could ask for the signature on the receipt to be examined against a sample of their own.
Now banks refuse liability: “If you act without reasonable care, you may be responsible for them”. Banks can now easily accuse card-holders of not taking enough care to keep their PIN secret. Now only CCTV can refute the customer’s involvement.
Academic institutes have been investigating Chip&PIN attacks. In the UK, Professor Ross Anderson of Cambridge University has been the most vocal, capturing the most media attention on this subject. Anderson and his team have been reverse engineering and documenting attacks on financial security systems for years. In the case of Chip&PIN they have even set up a dedicated website to highlight the raw deal card-holders are getting from Chip&PIN (www.chipandspin.co.uk).
The Cambridge team’s work includes:
(May 2005) — Chip and Spin;
The Fall-back Hack
When a card is presented at an ATM or POS terminal whose chip has been damaged, or which never had a chip, then the device falls back to magnetic stripe operation.
Magnetic stripe card skimming is used to make a clone card, and a tampered PIN pad records the PIN. The fraudsters then use the half-baked cloned card at an ATM which allows fall-back to magnetic stripe, or in a foreign country where EMV is not supported.
The Offline POS Hack
The fraudster goes to a POS terminal which is not directly connected to the bank’s verification system. He creates a half-baked smartcard using previously stolen account details and programs it with any PIN he likes. The card’s authenticity is not checked until the POS goes online, by which time the fraudster is long gone.
Modern DDA (Dynamic Data Authentication) cards have a challenge-response mechanism with which an offline POS can test the card’s authenticity.
(February 2006) — Phish and Chips;
The Smartcard Relay Hack
The victim pays for a small-value item at the tampered POS:
“The smartcard data stream would go maybe via GPRS to a PDA in the crook’s pocket, then to his fake card, and the captured PIN read out via a headphone in his ear. You think you’re paying for lunch, but in fact you’re buying the crooks a diamond!”
(February 2009) — Optimised to Fail;
Exploiting Card Readers for Online Banking
Card readers for online banking may be used to assist during a mugging. Previously, muggers marched a victim to an ATM to ensure he gave them the right PIN. Now, with portable card readers, criminals have a pocket-sized device that will tell them whether their victim is lying about their PIN.
Many of the more practical attacks exist because many foreign countries are not EMV-compliant, and financial systems can be fooled into operating in a non-EMV fall-back mode.
Perhaps the solution would be to apply more pressure to speed up EMV migration and to retire legacy payment methods.
One thing is for sure: criminals are using ever more sophisticated ways of committing fraud. Banks should be more open to the more far-fetched hacks, especially as insiders are helping the fraudsters and older-style cards without the necessary anti-counterfeiting measures are still in circulation.
Alain Job will challenge Chip and PIN security in the UK in a lawsuit against Halifax building society. This will be the first UK case to question the strength of a bank’s security measures. Alain Job claims that £2,100 disappeared from his account, whilst Halifax allegedly has evidence that Job’s real card was used at an ATM.
The hearing will be held at Nottingham County Court on 30th April, and many will be eagerly awaiting the outcome of this case and the conclusions drawn from the questioning of bank security.
Job v. Halifax plc (case number 7BQ00307) Hearing Update:
Halifax have refused to comment on the case, other than maintaining that it was Mr Job’s exact card that was used to withdraw the money, implying that either Mr Job tried to defraud the bank or he was grossly negligent in handling his card and PIN. Halifax also stated that it would “vigorously defend” itself in court.
Because of the complexity of the case, the Judge of the one-day trial said that it would take at least one month to deliver his verdict.
John Owen – Smartcard & Identity News