Weekly Edition
Return to the Front page
| |||||||||||||
|
| |||||||||||||
Full disclosure and the banking industry
Back in 1992, an English police officer named John Munden returned from a
vacation to find that a series of ATM withdrawals had cleaned out his bank
account. His complaints to the bank were not received well; they responded
that their systems were secure and only Mr. Munden could have made those
withdrawals. When he persisted, the bank (the Halifax Building Society)
had him prosecuted (and convicted) for fraud. It took four years, and
a great deal of effort by a researcher named Ross Anderson, to shine a
light on Halifax's poor security, and to get Mr. Munden freed on appeal.
Even so, the attitude of the banking industry has changed little;
complaints of "phantom withdrawals" are given little credence, and account
holders often end up footing the bill. (Some countries, including the
U.S., give consumers more protection than others, such as Britain, in this
area).
Given that peoples' money - and freedom - are being staked on the security of the ATM system, it would be nice to know that this system is truly secure. But banks, unsurprisingly, are unenthusiastic about opening up their systems to external review. Mr. Anderson and colleagues have continued their research into the phantom withdrawal problem, and have served as expert witnesses in associated court cases. Recently they turned up something interesting. The personal ID numbers (PINs) used to verify the person using an ATM card are kept in a carefully-guarded database. It is not generally possible to extract a specific PIN directly. Instead, the ATM system operates through a set of hardware security modules that can give "yes or no" answers for a given account number and PIN. Thus, it is claimed, even a corrupt insider would be reduced to guessing to obtain a specific PIN number. The search space is not that large (10,000 numbers), but it still requires an average of 5,000 guesses to obtain a single PIN. Mike Bond and Piotr Zielinski, working with Mr. Anderson, found a vulnerability in this system; their writeup is available (for now) on the web in PDF format (also available here while Cryptome, which apparently has been broken into, gets back on its feet). By manipulating a simple "decimalization table" used in the generation of the PIN from the account number, an attacker can quickly determine which digits are present in the PIN. Using that information and some additional tricks, the researchers were able to extract PIN numbers using an average of 15 guesses. An attacker, they conclude, would be able to extract about 7,000 PINs over the course of a half-hour lunch break. Citibank has responded to this discovery by seeking a gag order to suppress the disclosure of the vulnerability information. The information, says Citibank, is confidential and should not be released publicly. This action immediately had the obvious effect: once word got out, the paper describing the vulnerability was copied far and wide across the net, beyond any feasible recall. Even in the modern world, once information gets out, it is out. Citibank could certainly argue that it does not want to provide useful information to those who would attack its systems. On the other hand, the rising tide of phantom withdrawal cases suggests that some of this information is in the hands of the Bad Guys already. Could it be that the banks are really trying to avoid (1) admitting that phantom withdrawals are a real problem, and (2) undertaking the expensive task of fixing their systems? Evidence in the software field consistently suggests that vendors do not rush out to fix their security problems in the absence of considerable external pressure to do so. This is especially true if the costs of the problems can be pushed onto somebody else. The banking industry needs disclosure of its problems if we are to have any confidence in its security at all. As with vulnerabilities in the software industry, banking vulnerabilities should be handled with some care. But the information has to get out, or the problems will not be fixed in any sort of timely way. Consider, for example, the uproar the resulted when Matt Blaze exposed a vulnerability in master-keyed door locks which, apparently, had been known to locksmiths (but not fixed) for decades. The lessons we have learned in the software world are applicable in a much wider context. Continued defense of our ways of working, including disclosure of security problems and open review of security-related systems, is important for our security and freedom. This is true with regard to our computing systems, and far beyond. (Log in to post comments)
Wrong link to Matt Blaze's paper Posted Feb 27, 2003 10:02 UTC (Thu) by mmutz (subscriber, #5642) [Link] I guess you meant http://www.crypto.com/masterkey.html instead of the 1996 paper
Full disclosure and the banking industry Posted Feb 27, 2003 10:51 UTC (Thu) by arcticwolf (guest, #8341) [Link] That's interesting, and it may well explain the phantom withdrawals a friend of mine has been seeing to his account. They have happened again and again over the years, and, of course, his bank was not helpful in the slightest - rather, they, too, showed a hostile attitude and less-than-politely informed him that it must have been him or his wive who had made those withdrawals.These days, his wive and he have decided to disable electronic cash for their accoount - when they want to withdraw money, they have to go to an actual teller now and sign a form. It works, but it's quite a hassle, of course, and one wonders how long the bank will still offer the choice to not use ATMs, too. All in all, it doesn't leave me wondering about whether (most) banks really are concerned about their customers (they are not), but it makes me wonder whether there isn't an exception to the rule. Has anyone ever made positive experiences with his bank when it came to things like this?
Phantom withdrawals not a risk to account holder Posted Feb 27, 2003 18:02 UTC (Thu) by giraffedata (subscriber, #1954) [Link] >All in all, it doesn't leave me wondering about whether (most) banks>really are concerned about their customers (they are not), Banks are obviously concerned about their customers. Without reasonably satisfied customers, they wouldn't be in business. Just as obviously, the concern for customers stops where it costs money. Screwing some customers may be what is necessary to satisfy a lot of others (with e.g. low prices) and make a profit. >they have to go to an actual teller now and sign a form I would think a better course of action would be to switch banks. There's a good chance another bank has a more secure system or a more friendly policy. By making it free to the offending bank to operate like that, he his shirking his duty as a consumer in a capitalist society.
I have a friend with an account at a large US bank that had a series of phantom withdrawals about two years ago. The bank reimbursed him for all of them, but closed the account and made him open a new one. The bank apologized for the inconvenience. My friend has no idea how this theft happened, but I know him well enough to know that there is virtually no chance he let someone find out his PIN. Also, I think the bank noticed the problem before my friend did, based on the unusual pattern of withdrawals.
Full disclosure and the banking industry Posted Mar 5, 2003 18:58 UTC (Wed) by sethml (subscriber, #8471) [Link] In '96 I had an account at a semi-local bank in Santa Barbara CA (I don't remember the name of the bank, but I think they had half a dozen branches total). One day when withdrawing money with my ATM card I noticed that the balance seemed low, and decided to check my records when I got home. When I got back to my office, a person from the bank called, explaining the situation. Apparently the bank had a policy that account numbers couldn't be reused for at least 5 years, but when my account was created they accidently violated that rule and gave me the account number of somebody who had died (and had his account closed) recently. A while later his daughter found his checkbook, went to her local branch (different from mine), and asked to have herself added to the account. They happily added her to my account, even though they presumably noticed that my name and address weren't even remotely similar to the ones on his checks. She promptly started spending money from the account, so that it went from ~$1500 to a few hundred over a few days.Anyhow, the bank had just figured out their mistake (before I did). They created a new account for me and deposited my former balance into it, and took the hit for the mistake themselves. I was impressed with their incompetence, but also impressed with their customer service. I received two statements for that month; the one for the old account included a few dozen slips that said "we have lost this check in processing" - one for each of the checks the woman had written. Fast-forward to a year later. Six months before I'd closed the new account. Out of the blue I got an envelope with the last statement from my old account, and the dozens of checks that the woman had written on my account - including her address, phone number, and signature. Then I got a notice that my account (the old one!) was $500 overdrawn and would I please pay up. I called their rep and explained the whole situation, and he couldn't find any reference to it! But I eventually convinced him, and I never heard from them again. The moral: banks are astonishingly incompetent. And by and large the individuals working at banks are nice people and want to help you, and often don't let litte things like other people's privacy and accounts get in the way.
Full disclosure and the banking industry: Burden of proof must be on bank Posted Feb 27, 2003 14:30 UTC (Thu) by dwheeler (guest, #1216) [Link] This is a case where the basic laws have critical consequences. In particular, in this case the U.S. system is sensible, and the U.K. system is completely broken.The fundamental problem is that in the U.K. the burden of proof is in the wrong place. In the U.S., if there is a "phantom withdrawal", the bank has the burden of proving that it was the customer. This is reasonable, because the bank controls its facilities and can arrange its processes to acquire that evidence. Thus, for example, bank automated telemarketers (ATMs) have video cameras installed in them, so that the bank can show who was at a given ATM at any time. Banks can also arrange for all sorts of internal checks and balances, reviews, and evidence collection so that they can provide evidence to law enforcement. In the U.K., the burden of proof is on the customer. But the customer has no way to provide useful evidence; they cannot spend their lives honing evidence collection techniques! Since the banks have little financial risk from fraud, they have no incentive to actually make their systems secure. Thus, if you want banks to be secure, you need to make them financially at risk to be secure. U.S. banks aren't perfect, but I think the U.S. banks are far more secure than the U.K. banks... because the burden of proof is in the right place.
Full disclosure and the banking industry: Burden of proof must be on bank Posted Feb 27, 2003 16:59 UTC (Thu) by Baylink (guest, #755) [Link] A very well taken observation. I had a related problem many years ago with a videotape rental house and a collection agency: when I pointed out to the credit people that the rental house had no procedure for checking tapes *in* reliably... they stood down on their own.Note: the common derivation of ATM (at least amongst us USAdians) is "Automat{ed,ic} Teller Machine".
Full disclosure and the banking industry: Burden of proof must be on bank Posted Feb 28, 2003 10:26 UTC (Fri) by beejaybee (guest, #1581) [Link] Sorry but the problem is that the PIN system is _technically_ broken. It simply doesn't matter what administrative safeguards are in place (though I accept that it is probably easier to get a bank to own up to a mistake, either honest or fradulent, in the US than it is in the UK).In fact the situation is even worse than the decimalization table exploit that was the result of the Citibank gagging order. Jolyon Clulow, a graduate student at the University of Natal in South Africa, has published his thesis containing _no less than six_ discrete attacks which could obtain authorization information which could then be used to fraudulently obtain cash. The decimalization table exploit is but one of these. The paper has been replicated to help prevent overload or closure of the student's web site. There are probably enough other copies around already to make it quite certain that stuffing the cat back into the bag isn't going to be possible. Whole paper: http://home.icon.co.za/~clulow/dissertation.pdf Chapter 3 only (this is the strictly relevant stuff) With acknowledgements to the ukcrypto list, from where I obtained this information.
Failure of bank's proof Posted Feb 28, 2003 17:18 UTC (Fri) by Max.Hyre (subscriber, #1054) [Link] Even when the bank has the burden of proof, things are not so rosy for the victim^U customer. Some years ago (a decade and a half, more or less?) a bank had a thief dead to rights---including the photo from the surveillance camera. Problem? The guy in the photo was innocent. It seems whoever set the timestamp on the camera blew it, and even though the fraud occurred at (say) 9:27, the frame stamped `9:27' had been taken at an entirely different time. I'll leave it to the reader to envision what the poor guy went through to disprove the `proof'. I almost certainly saw this in the Forum On Risks To The Public In Computers And Related Systems mailing list (a sobering read if ever there was one), but I just as certainly can't find the combination of search words which will extract it from their archives.
|
|
||||||||||||