Automatic Teller Machines Chapter 10 ATM 1 Automatic

Automatic Teller Machines Chapter 10 ATM 1

Automatic Teller Machines “…one of the most influential technological innovations of the 20 th century” q Began in 1968, more than 500, 000 today q One of the first commercial use of crypto (block ciphers), tamper resistant hardware, security protocols, etc. q The “killer app” for commercial crypto q Chapter 10 ATM 2

ATMs q An interesting case study o What was done correctly o What was done incorrectly Chapter 10 ATM 3

ATM Security Module q Security module implemented in tamper-resistant hardware o IBM 4758 crypto processor o Security module is at bank o All crypto computations done in security module, such as PIN verification Chapter 10 ATM 4

ATM Security Module q IBM PIN generation o Acct number N on magnetic stripe o PIN key K (in tamper-resistant hardware) o “Natural PIN” is F(E(N, K)), where encryption E is DES, and F is a function o PIN = natural PIN + offset (so customers can choose their own PIN) q Note: PIN verification relies on N and secret K, and is done in security module Chapter 10 ATM 5

IBM PIN Gen Example Account number: q PIN key K: q DES encrypt E(N, K): q Decimalize: q Natural PIN: q Offset: q Customer PIN: q Chapter 10 ATM 8807012345691715 FEFEFEFE A 2 CE 126 C 69 AEC 82 D 0224126269042823 0224 6565 6789 6

More ATM Security q PIN encrypted with “terminal master key” and sent to security module q ‘Dual controls” --- terminal master key entered in 2 parts (2 people) q PIN “translation” (from one ATM network to another) done in security module Chapter 10 ATM 7

Problems Early on, encryption done in software q Not feasible for all pairs of banks to share keys, so KDC used (VISA) q Large number of trans, so corners cut q o “Optimization is the process of taking something that works and replacing it with something that doesn’t quite, but is cheaper” q Most ATMs use 56 -bit DES Chapter 10 ATM 8

What goes wrong ATM system designed to stop sophisticated attacks q In practice, the real issues are q o Processing errors --- e. g. , computer crashes o Only 0. 001% probability, but 5 billion ATM trans Card theft from mail q Fraud by bank staff q o Laptop inside ATM to record PIN’s o Key for test system used for real system Chapter 10 ATM 9

Unexpected Attacks Shoulder surfing to get PIN, copy acct number from receipt q One system --- telephone calling card, ATM thought previous card inserted q One system --- output 10 bills when 14 -digit test sequence entered q One bank issued same PIN to everybody q Fake ATM to collect PINs q Steal the ATM (camera is inside ATM) q Chapter 10 ATM 10

ATMs q Biggest mistake in design of ATM system: “… worried to much about criminals being clever instead of worrying about customers and banks being stupid” Chapter 10 ATM 11

ATM legal issues q In US, banks carry risk of ATM technology o must refund most disputed transaction o costs average bank $15 K/year in fraud q In much of Europe, customer bore cost o Banks claimed ATMs infallible o John Munden case § § British policeman, found his acct $700 short Bank: no bugs in code since written in assembler Munden convicted and fired Overturned on appeal: bank would not release its code Chapter 10 ATM 12

ATM legal issues If Munden case had occurred in California, “he would have won enormous punitive damages” q Lessons q o Non-repudiation is critical --- camera in ATM would have solved Munden case immediately o In general, security system must be able to withstand examination by hostile experts Chapter 10 ATM 13