ATM FIENDS ON A SPREE OF RIP-OFFS
By LARRY CELONA and ANDY GELLER

[My security group at Citicorp (which designed and built the crypto systems for our ATMs and switching fabric processors) predicted in the late '80s that Van Eck freaking an ATM might be a successful way to eavesdrop on PINs and card info.]

November 17, 2001 -- EXCLUSIVE

The NYPD and the Secret Service have launched a major investigation into complaints that bank customers have lost thousands of dollars through unauthorized ATM withdrawals.

Since last Saturday, the NYPD has received more than a dozen complaints of unauthorized withdrawals, mostly from people who have used ATMs on the Upper East Side. But customers who use ATMs in the Financial District and the West Side have also been hit.

Cops are expanding their probe citywide and expect to find many more cases.

Sources said most of the complaints involve Citibank customers, but people who bank with Chase and other institutions also have been victimized.

Customers have lost up to $3,000 apiece - even though their bank cards have never left their possession.

Most of the victims are people who used ATMs in grocery stores, delis and shopping malls, the sources said.

Investigators believe that the thieves have managed to hook up personal computers to the ATM and download information about customers, the sources said. Then they make phony bank cards and withdraw money using the customers' personal identification numbers.

On Sat, Nov 17, 2001 at 10:47:21PM -0800, Steve Schear wrote:
> ATM FIENDS ON A SPREE OF RIP-OFFS By LARRY CELONA and ANDY GELLER
>
> [My security group at Citicorp (which designed and built the crypto systems for our ATMs and switching fabric processors) predicted in the late '80s that Van Eck freaking an ATM might be a successful way to eavesdrop on PINs and card info.]
>
> November 17, 2001 -- EXCLUSIVE The NYPD and the Secret Service have launched a major investigation into complaints that bank customers have lost thousands of dollars through unauthorized ATM withdrawals.

I am very vague about US ATM protocols (not my field of expertise at all), but of course there was a very recent disclosure of a hole in the protocol for accessing the IBM tamperproof crypto processor used for generating and storing ATM keys that could be exploited if one could get access to a machine with one in it. Potentially this flaw allows readout of the entire set of keys protected by the processor.

This could be the explanation of the problem, as the protocol problem has been known in at least some form for a year or so.

--
Dave Emery N1PRE, die@die.com DIE Consulting, Weston, Mass.
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18

At 02:28 AM 11/18/2001 -0500, Dave Emery wrote:
> On Sat, Nov 17, 2001 at 10:47:21PM -0800, Steve Schear wrote:
>> ATM FIENDS ON A SPREE OF RIP-OFFS By LARRY CELONA and ANDY GELLER
>>
>> [My security group at Citicorp (which designed and built the crypto systems for our ATMs and switching fabric processors) predicted in the late '80s that Van Eck freaking an ATM might be a successful way to eavesdrop on PINs and card info.]
>>
>> November 17, 2001 -- EXCLUSIVE The NYPD and the Secret Service have launched a major investigation into complaints that bank customers have lost thousands of dollars through unauthorized ATM withdrawals.
>
> I am very vague about US ATM protocols (not my field of expertise at all), but of course there was a very recent disclosure of a hole in the protocol for accessing the IBM tamperproof crypto processor used for generating and storing ATM keys that could be exploited if one could get access to a machine with one in it. Potentially this flaw allows readout of the entire set of keys protected by the processor.
>
> This could be the explanation of the problem, as the protocol problem has been known in at least some form for a year or so.

In earlier ATMs, such as Citicorp manufactured models, all the I/O components were separate and the signals between them could either be captured by a Y-cable or a cable with a small hidden xmitter or by their unintended RF radiations. Newer ATMs, I believe, integrate the keypad with the crypto processor and attempt to reduce opportunities for PIN interception. ATM magstripe reader data, since it is available to any stripe reader on a credit authorization terminal, may not be as well protected. Though since you need both to pull off a card spoofing scam, it would seem prudent to secure that data as well.

steve

On Sun, Nov 18, 2001 at 02:28:43AM -0500, Dave Emery wrote:
> This could be the explanation of the problem, as the protocol problem has been known in at least some form for a year or so.

http://www.cl.cam.ac.uk/~rnc1/descrack/

--
Dave Emery N1PRE, die@die.com DIE Consulting, Weston, Mass.
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18