ATM Fiends On A Spree Of Rip-Offs

Steve Schear schear at lvcm.com
Sat Nov 17 23:44:11 PST 2001


At 02:28 AM 11/18/2001 -0500, Dave Emery wrote:
>On Sat, Nov 17, 2001 at 10:47:21PM -0800, Steve Schear wrote:
> > ATM FIENDS ON A SPREE OF RIP-OFFS
> > By LARRY CELONA and ANDY GELLER
> >
> > [My security group at Citicorp (which designed and built the crypto systems
> > for our ATMs and switching fabric processors) predicted in the late '80s
> > that Van Eck phreaking an ATM might be a successful way to eavesdrop on PINs
> > and card info.]
> >
> > November 17, 2001 -- EXCLUSIVE
> > The NYPD and the Secret Service have launched a major investigation into
> > complaints that bank customers have lost thousands of dollars through
> > unauthorized ATM withdrawals.
> >
>
>         I am very vague about US ATM protocols (not my field of expertise
>at all), but of course there was a very recent disclosure of a hole
>in the protocol for accessing the IBM tamperproof crypto processor
>used for generating and storing ATM keys that could be exploited if one
>could get access to a machine with one in it.   Potentially this flaw
>allows readout of the entire set of keys protected by the processor.
>
>         This could be the explanation of the problem, as the protocol
>problem has been known in at least some form for a year or so.

In earlier ATMs, such as Citicorp-manufactured models, all the I/O 
components were separate and the signals between them could either be 
captured by a Y-cable or a cable with a small hidden xmitter or by their 
unintended RF radiations.  Newer ATMs, I believe, integrate the keypad with 
the crypto processor and attempt to reduce opportunities for PIN 
interception.  ATM magstripe reader data, since it is available to any 
stripe reader on a credit authorization terminal, may not be as well 
protected.  Though since you need both to pull off a card spoofing scam, it 
would seem prudent to secure that data as well.

steve
