At 02:28 AM 11/18/2001 -0500, Dave Emery wrote:
On Sat, Nov 17, 2001 at 10:47:21PM -0800, Steve Schear wrote:
ATM FIENDS ON A SPREE OF RIP-OFFS By LARRY CELONA and ANDY GELLER
[My security group at Citicorp (which designed and built the crypto systems for our ATMs and switching fabric processors) predicted in the late '80s that Van Eck freaking an ATM might be a successful way to eavesdrop on PINs and card info.]
November 17, 2001 -- EXCLUSIVE The NYPD and the Secret Service have launched a major investigation into complaints that bank customers have lost thousands of dollars through unauthorized ATM withdrawals.
I am very vague about US ATM protocols (not my field of expertise at all), but of course there was a very recent disclosure of a hole in the protocol for accessing the IBM tamperproof crypto processor used for generating and storing ATM keys that could be exploited if one could get access to a machine with one in it. Potentially this flaw allows readout of the entire set of keys protected by the processor.
This could be the explanation of the problem, as the protocol problem has been known in at least some form for a year or so.
In earlier ATMs, such as Citicorp manufactured models, all the I/O components were separate and the signals between them could either be captured by a Y-cable or a cable with a small hidden xmitter or by their unintended RF radiations. Newer ATMs, I believe, integrate the keypad with the crypto processor and attempt to reduce opportunities for PIN interception. ATM magstripe reader data, since it is available to any stripe reader on a credit authorization terminal, may not be as well protected. Though since you need both to pull off a card spoofing scam, it would seem prudent to secure that data as well. steve