Automatic Teller Machines Chapter 10 ATM 1 Automatic

  • Slides: 13
Download presentation
Automatic Teller Machines Chapter 10 ATM 1

Automatic Teller Machines Chapter 10 ATM 1

Automatic Teller Machines “…one of the most influential technological innovations of the 20 th

Automatic Teller Machines “…one of the most influential technological innovations of the 20 th century” q Began in 1968, more than 500, 000 today q One of the first commercial use of crypto (block ciphers), tamper resistant hardware, security protocols, etc. q The “killer app” for commercial crypto q Chapter 10 ATM 2

ATMs q An interesting case study o What was done correctly o What was

ATMs q An interesting case study o What was done correctly o What was done incorrectly Chapter 10 ATM 3

ATM Security Module q Security module implemented in tamper-resistant hardware o IBM 4758 crypto

ATM Security Module q Security module implemented in tamper-resistant hardware o IBM 4758 crypto processor o Security module is at bank o All crypto computations done in security module, such as PIN verification Chapter 10 ATM 4

ATM Security Module q IBM PIN generation o Acct number N on magnetic stripe

ATM Security Module q IBM PIN generation o Acct number N on magnetic stripe o PIN key K (in tamper-resistant hardware) o “Natural PIN” is F(E(N, K)), where encryption E is DES, and F is a function o PIN = natural PIN + offset (so customers can choose their own PIN) q Note: PIN verification relies on N and secret K, and is done in security module Chapter 10 ATM 5

IBM PIN Gen Example Account number: q PIN key K: q DES encrypt E(N,

IBM PIN Gen Example Account number: q PIN key K: q DES encrypt E(N, K): q Decimalize: q Natural PIN: q Offset: q Customer PIN: q Chapter 10 ATM 8807012345691715 FEFEFEFE A 2 CE 126 C 69 AEC 82 D 0224126269042823 0224 6565 6789 6

More ATM Security q PIN encrypted with “terminal master key” and sent to security

More ATM Security q PIN encrypted with “terminal master key” and sent to security module q ‘Dual controls” --- terminal master key entered in 2 parts (2 people) q PIN “translation” (from one ATM network to another) done in security module Chapter 10 ATM 7

Problems Early on, encryption done in software q Not feasible for all pairs of

Problems Early on, encryption done in software q Not feasible for all pairs of banks to share keys, so KDC used (VISA) q Large number of trans, so corners cut q o “Optimization is the process of taking something that works and replacing it with something that doesn’t quite, but is cheaper” q Most ATMs use 56 -bit DES Chapter 10 ATM 8

What goes wrong ATM system designed to stop sophisticated attacks q In practice, the

What goes wrong ATM system designed to stop sophisticated attacks q In practice, the real issues are q o Processing errors --- e. g. , computer crashes o Only 0. 001% probability, but 5 billion ATM trans Card theft from mail q Fraud by bank staff q o Laptop inside ATM to record PIN’s o Key for test system used for real system Chapter 10 ATM 9

Unexpected Attacks Shoulder surfing to get PIN, copy acct number from receipt q One

Unexpected Attacks Shoulder surfing to get PIN, copy acct number from receipt q One system --- telephone calling card, ATM thought previous card inserted q One system --- output 10 bills when 14 -digit test sequence entered q One bank issued same PIN to everybody q Fake ATM to collect PINs q Steal the ATM (camera is inside ATM) q Chapter 10 ATM 10

ATMs q Biggest mistake in design of ATM system: “… worried to much about

ATMs q Biggest mistake in design of ATM system: “… worried to much about criminals being clever instead of worrying about customers and banks being stupid” Chapter 10 ATM 11

ATM legal issues q In US, banks carry risk of ATM technology o must

ATM legal issues q In US, banks carry risk of ATM technology o must refund most disputed transaction o costs average bank $15 K/year in fraud q In much of Europe, customer bore cost o Banks claimed ATMs infallible o John Munden case § § British policeman, found his acct $700 short Bank: no bugs in code since written in assembler Munden convicted and fired Overturned on appeal: bank would not release its code Chapter 10 ATM 12

ATM legal issues If Munden case had occurred in California, “he would have won

ATM legal issues If Munden case had occurred in California, “he would have won enormous punitive damages” q Lessons q o Non-repudiation is critical --- camera in ATM would have solved Munden case immediately o In general, security system must be able to withstand examination by hostile experts Chapter 10 ATM 13

JUERGEN TELLER Juergen Teller Fineart Fashion photographer BIOGRAPHYJUERGEN TELLER Juergen Teller Fineart Fashion photographer BIOGRAPHY
Chapter 18 ATM Design Goal ATM Topology ATMChapter 18 ATM Design Goal ATM Topology ATM
ATM Capa ATM Uciel Fragoso Rodrguez ITAM ATMATM Capa ATM Uciel Fragoso Rodrguez ITAM ATM
WRET 2104 Protokol ATM Protokol ATM n ATMWRET 2104 Protokol ATM Protokol ATM n ATM
USE CASE ATM EXAMPLE Actors ATM Customer ATMUSE CASE ATM EXAMPLE Actors ATM Customer ATM
ComputerAided Manufacturing CAM 1 Automatic Machines Automatic machinesComputerAided Manufacturing CAM 1 Automatic Machines Automatic machines
ATM MACHINE SOFTWARE INTRODUCTION An Automated Teller MachineATM MACHINE SOFTWARE INTRODUCTION An Automated Teller Machine
PENERAPAN INDUKSI MATEMATIK DALAM ATM AUTOMATED TELLER MACHINEPENERAPAN INDUKSI MATEMATIK DALAM ATM AUTOMATED TELLER MACHINE
ECOMMERCE Pertumbuhan penggunaan kartu kredit Automated Teller MachinesECOMMERCE Pertumbuhan penggunaan kartu kredit Automated Teller Machines
Automated Teller Machines as a Principal Use inAutomated Teller Machines as a Principal Use in
Automatic Teller Machine Mid Term Presentation 11 OctoberAutomatic Teller Machine Mid Term Presentation 11 October
Simple Machines Simple machines are basic machines thatSimple Machines Simple machines are basic machines that