#1
12-01-2006, 03:32 PM
nemo_outis
On sci.crypt: New attacks on the financial PIN processing

An interesting post on sci.crypt on attacks on bank PINs:

________

Possible Serious Security Flaw In ATMs
http://it.slashdot.org/it/06/11/30/2139235.shtml

ATM system called unsafe
http://redtape.msnbc.com/2006/11/researchers_who.html

from above:

A U.S. Secret Service memo obtained by MSNBC.com indicates that
organized criminals are systematically attempting to subvert the ATM
system and unscramble encrypted PIN codes.

_______


The underlying paper, which came out about 2 weeks ago, is at:

http://www.arx.com/documents/The_Unb...N_Cracking.pdf

Regards,



#2
12-02-2006, 08:17 PM
Anne & Lynn Wheeler
Re: On sci.crypt: New attacks on the financial PIN processing

"nemo_outis" <abc@xyz.com> writes:
> The underlying paper, which came out about 2 weeks ago, is at:
>
> http://www.arx.com/documents/The_Unb...N_Cracking.pdf


re:
http://www.garlic.com/~lynn/2006v.html#33 New attacks on the financial PIN processing

and some misc. older posts related to ATM and debit card issues,
vulnerabilities, exploits and threats:

http://www.garlic.com/~lynn/2005u.html#16 AMD to leave x86 behind?
http://www.garlic.com/~lynn/2006e.html#21 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#22 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#26 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006k.html#23 Value of an old IBM PS/2 CL57 SX Laptop
http://www.garlic.com/~lynn/aadsm22.htm#21 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#22 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#25 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#26 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm23.htm#35 3 of the big 4 - all doing payment systems
http://www.garlic.com/~lynn/aadsm23.htm#37 3 of the big 4 - all doing payment systems
http://www.garlic.com/~lynn/aadsm24.htm#9 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#10 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm26.htm#1 Extended Validation - setting the minimum liability, the CA trap, the market in browser governance
http://www.garlic.com/~lynn/aadsm26.htm#6 Citibank e-mail looks phishy
http://www.garlic.com/~lynn/aadsm26.htm#11 What is the point of encrypting information that is publicly visible?
http://www.garlic.com/~lynn/2006v.html#1 New attacks on the financial PIN processing

in the mid-90s, the x9a10 financial standard working group was given
the requirement to protect the financial infrastructure for all retail
payments. the result was the x9.59 financial standard
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959

part of x9.59 standard was attempting to eliminate most of the known
exploits, threats and vulnerabilities in the infrastructure.

another part was being privacy agnostic ... i.e. name and/or other
identifying information would not be required at point-of-sale.
part of that was looking at promoting x9.59 to ISO (international)
level ... and in that period the EU had made some directive (in
conjunction with the EU-DPD) that all retail/pos electronic
transactions should be as anonymous as cash.

for some other drift ... as part of co-authoring the x9.99 financial
industry privacy standard ... did some work on trying to pull together
a merged privacy taxonomy and glossary from several sources
(including GLBA, EU-DPD, HIPAA, etc)
http://www.garlic.com/~lynn/index.html#glosnote

#3
12-02-2006, 09:26 PM
nemo_outis
Re: On sci.crypt: New attacks on the financial PIN processing

Anne & Lynn Wheeler <lynn@garlic.com> wrote in
news:m3hcwe59xz.fsf@lhwlinux.garlic.com:

> re:
> http://www.garlic.com/~lynn/2006v.html#33 New attacks on the financial
> PIN processing

....


Thanks for the comprehensive reference material and overview.

Regards,


#4
12-03-2006, 12:40 AM
Anne & Lynn Wheeler
Re: On sci.crypt: New attacks on the financial PIN processing


ref:
http://www.garlic.com/~lynn/2006v.html#39 On sci.crypt: New attacks on the financial PIN processing

and some more background and related topics

Bank-card PINs 'wide open' to insider attack
http://www.theregister.co.uk/2006/11...ard_pin_fraud/
Researchers uncover PIN security flaw
http://www.finextra.com/fullstory.asp?id=16183
Banks face growing threat of identity theft from insiders
http://www.hackinthebox.org/modules....icle&sid=21817
Banks face growing threat of identity theft from insiders
http://news.com.com/Banks+face+growi...3-6137940.html

and repeat about some PIN issues
http://www.garlic.com/~lynn/aadsm26.htm#6
as well as the insider issue
http://www.garlic.com/~lynn/aadsm26.htm#7

UK Leads Europe In Card Crime
http://www.epaynews.com/index.cgi?su...0215354&block=
Britain card fraud hotspot of Europe
http://business.timesonline.co.uk/ar...463348,00.html
UK tops Europe for card fraud
http://www.finextra.com/fullstory.asp?id=16182
Britain branded 'card fraud capital'
http://www.itv.com/news/britain_f165...7ebbdab8a.html
Britons are Europe's biggest victims of card fraud
http://today.reuters.co.uk/news/arti...siness-C9-PF-2
UK banks face phishing chaos
http://www.computerweekly.com/Articl...hing+chaos.htm
Phishing still hits banks and customers
http://www.crime-research.org/news/21.11.2006/2361/

then there is the old "yes cards" discussions and the generic issue
with "replay attacks" when static authentication data is being used
http://www.garlic.com/~lynn/subintegrity.html#yescard

and related issue is that if there is authentication separate from the
transaction ... the infrastructure can be exposed to man-in-the-middle
attacks ... something that x9a10 financial standard working group
spent some amount of time studying

shows up relatively recently in these posts
http://www.garlic.com/~lynn/2006v.html#26 Fighting Fraudulent Transactions
http://www.garlic.com/~lynn/2006v.html#27 Federal Rules May Not Fully Secure Online Banking Sites

#5
12-04-2006, 03:30 PM
Anne & Lynn Wheeler
Re: On sci.crypt: New attacks on the financial PIN processing

Anne & Lynn Wheeler <lynn@garlic.com> writes:
> then there is the old "yes cards" discussions and the generic issue
> with "replay attacks" when static authentication data is being used
> http://www.garlic.com/~lynn/subintegrity.html#yescard


re:
http://www.garlic.com/~lynn/2006v.html#39 On sci.crypt: New attacks on the financial PIN processing

general class of harvesting/skimming authentication static data for various
forms of replay attacks.
http://www.garlic.com/~lynn/subintegrity.html#secrets
http://www.garlic.com/~lynn/subintegrity.html#harvest

in the "yes card" scenario, some considered the chip worse than the
magstripe cards that it replaced. a countermeasure in the standard
financial account transaction is to flag the account and negate future
(online) transactions. in the "yes card" scenario ... once the
(counterfeit) "yes card" replayed the authentication static data, it
was allowed to instruct the terminal to do an "offline"
transaction. by the time the terminal finds out the account has been
flagged, it is way too late. also when the "terminal" asked the
(counterfeit) "yes card" if the entered PIN was correct, the "yes
card" would always reply "YES" (part of where the counterfeit card
got its label "yes card"). As a result, the attacker doesn't even need
to know the PIN.

in the three-factor authentication model
http://www.garlic.com/~lynn/subintegrity.html#3factor

* something you have
* something you know
* something you are

normally in multi-factor authentication, the different factors are
assumed to have independent vulnerabilities. A ("something you know")
PIN is a countermeasure to a lost/stolen ("something you have") card. In
the "yes card" scenario, an attacker just needs to harvest/skim the
card "authentication" information (and/or trick a lost/stolen card
into divulging the information). That information then can be loaded
into a (counterfeit) "yes card". Furthermore, while the account for a
lost/stolen card can be reported and have the corresponding account
flagged, since a (counterfeit) "yes card" can instruct the terminal to
do an offline transaction, it defeats the effect of flagging the
account.

some other recent items related to static data authentication and
replay attacks
http://www.garlic.com/~lynn/2006v.html#29 User Authentication
http://www.garlic.com/~lynn/2006v.html#44 User Authentication

and

User agency warns of online security risks
http://news.ninemsn.com.au/article.aspx?id=168199
Warning over use of repeat passwords
http://www.hackinthebox.org/modules....icle&sid=21901
Warning over use of repeat passwords
http://www.theage.com.au/news/securi...080812161.html
Schumer warns on no-swipe credit cards
http://news.yahoo.com/s/ap/schumer_id_theft

now one of the countermeasures to the static data authentication and
"yes card" vulnerability is to convert to some form of dynamic data
authentication (like digital signatures). note however, that even
"dynamic data authentication" may be vulnerable to a "yes card"
man-in-the-middle attack if it is used for card authentication as
opposed to transaction authentication, i.e. pair a counterfeit "yes
card" with a valid lost/stolen card ... where the counterfeit "yes
card" transparently passes the card authentication messages and then
controls the rest of the session (when the terminal asks if the
correct PIN was entered the "yes card" responds "YES" and when the
terminal asks if it should do an offline transaction, the "yes card"
also responds "YES").

recent related item
http://www.garlic.com/~lynn/2006v.html#26 Fighting Fraudulent Transactions

other posts related to man-in-the-middle attacks
http://www.garlic.com/~lynn/subintegrity.html#mitm

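The "yes card" failure mode and the transaction-authentication countermeasure described in the post above, as an added toy model that is not part of this thread or of any real card scheme: the card and terminal classes, the HMAC standing in for a card's digital signature over the transaction, and the account, PIN and key values are all constructed. The weak terminal lets approval rest on the card's own "YES" answers and on its request to go offline, so a counterfeit built from skimmed static data is approved even after the account is flagged; the hardened terminal binds approval to a cryptogram over the amount and a terminal nonce, which the counterfeit cannot produce.

```python
import hmac, hashlib
def cryptogram(key, txn):  # stands in for the card's signature over the transaction
    return hmac.new(key, txn.encode(), hashlib.sha256).hexdigest()

class GenuineCard:
    def __init__(self, account, pin, key):
        self.account, self._pin, self._key = account, pin, key
    def static_data(self): return f"{self.account}|STATIC-AUTH"  # skimmable
    def verify_pin(self, pin): return pin == self._pin
    def wants_offline(self): return False
    def sign(self, txn): return cryptogram(self._key, txn)

class YesCard:
    """Counterfeit loaded with skimmed static data; answers YES to everything."""
    def __init__(self, skimmed): self.skimmed = skimmed
    def static_data(self): return self.skimmed
    def verify_pin(self, pin): return True       # "YES", whatever was typed
    def wants_offline(self): return True         # "YES", keep the issuer out
    def sign(self, txn): return "0" * 64         # no key, no valid cryptogram

class Issuer:
    def __init__(self, keys): self.keys, self.flagged = keys, set()
    def authorise(self, account, txn, cg):
        if not hmac.compare_digest(cryptogram(self.keys[account], txn), cg):
            return "DECLINED bad cryptogram"
        return "DECLINED flagged" if account in self.flagged else "APPROVED"

def weak_terminal(card, issuer, pin):
    """Static-data design: approval rests on the card's own YES answers."""
    account = card.static_data().split("|")[0]
    if not card.verify_pin(pin): return "DECLINED pin"
    if card.wants_offline(): return "APPROVED offline"  # flag never consulted
    return "DECLINED flagged" if account in issuer.flagged else "APPROVED"

def hardened_terminal(card, issuer, amount, nonce):
    """Transaction-auth design: approval rests on a cryptogram over this transaction."""
    account = card.static_data().split("|")[0]
    txn = f"{account}:{amount}:{nonce}"
    return issuer.authorise(account, txn, card.sign(txn))

def run_scenarios():
    key = b"demo-card-key"                          # constructed demo secret
    issuer, genuine = Issuer({"4111": key}), GenuineCard("4111", "1234", key)
    yes = YesCard(genuine.static_data())            # built from skimmed data
    out = {"hardened/genuine": hardened_terminal(genuine, issuer, 50, "n1")}
    issuer.flagged.add("4111")                      # card reported lost/stolen
    out["weak/yes card, wrong PIN"] = weak_terminal(yes, issuer, "0000")
    out["hardened/yes card"] = hardened_terminal(yes, issuer, 50, "n2")
    out["hardened/genuine, flagged"] = hardened_terminal(genuine, issuer, 50, "n3")
    return out
```

Calling `run_scenarios()` shows the weak design approving the counterfeit offline with a wrong PIN and a flagged account, while the hardened design rejects it on the cryptogram and, for the genuine card, honours the flag.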