I thought we were removing the need for the cheque in the electronic age.
Apparently not, ‘check’ out this link on Engadget.
This is our place on the Internet.
I thought we were removing the need for the cheque in the electronic age.
Apparently not, ‘check’ out this link on Engadget.
This is Great, I want one of these cards and a list of ATM’s.
http://www.sophos.com/blogs/gc/g/2009/03/18/details-diebold-atm-trojan-horse-case/
http://www.theregister.co.uk/2009/03/17/trojan_targets_diebold_atms/
From the Security Now Podcast http://www.grc.com/sn/sn-200.htm
Steve: It’s like, oh, goodness, yeah. It’s quite something. So the big news, though, I just sort of had to kind of smile because I told all of our listeners this was going to happen. I said just wait, this is a bad idea, we’re going to see how bad it is. Trojans have – Trojan software has been found in ATMs located in Eastern Europe. |
Leo: Oh. Oh. |
Steve: From many different vendors. |
Leo: Oh, dear. |
Steve: But what one thing do all of the trojan-infected ATMs have in common, Leo? |
Leo: Let me guess. |
Steve: Mm-hmm. |
Leo: Windows? |
Steve: Windows XP. |
Leo: Ai yi yi. |
Steve: The LSASS service is the manager of protected content in the system. It’s not quite the right acronym. I can’t think of what it is right now. But it’s like the main security service. And fake ones have been found in the Windows directory. The LSASS EXE normally lives in the Windows System32 directory. They were written in Borland’s Delphi. |
Leo: You’re kidding. |
Steve: No. |
Leo: Well, that’s kind of sophisticated for a hacker. Wow. |
Steve: And it’s considered, I mean, it’s commercial-grade code. It’s good code. |
Leo: Oh, boy. |
Steve: These are not remote installation Trojans. It’s believed that somebody had to have access to the machines. |
Leo: Oh, even worse. |
Steve: But they have special credit cards. When they swipe the special credit card in the infected machine, it accesses the trojan software, which among other things allows them to dump out all the cash from the machine. But in the meantime it’s logging all of the users’ information and PINs, which it’s able to dump out encrypted with DES encryption from the printer, from the ATM printer in the front of the machine. |
Leo: Wow. |
Steve: So the – and anyway, so it’s interesting to me. Again, it’s, you know, people defended the idea of implementing these things that I contend should never have been written in Windows. They say, well, but it’s easier to write them. And it’s like, yes. |
Hi,
I was asked on another post relating to DUKPT to provide some backgound. Given I have lots of material on the subject, I thought I would create this thread. Link
I will come back at some stage and expand on this when I get time.
Transaction Process narrative:
The diagram describes a mobile terminal/ATM is described using the a AS2805 (‘2805’) message type and 3DES DUKPT and dual direction auth SSL from the terminal to the aquirer (transaction switch).
A good explanation of DUKPT can also be found at Wikipedia.
Background notes:
The aquirer may terminate the the SSL connection on a hardware device such as a CISCO Content Service Switch (CSS), or equivalent instead of the design described in the diagram which terminates onto a SSL session server/gateway (Possibly including a Certificate Authority) or on the aquirer transaction switch.
When PIN blocks are received by the aquirer processing centre, the PIN encryption is translated from the terminal key to the Local Master Key (LMK) by the Host Security Modules (HSM).
When the message is sent on the upstream bank interchange link to the issuer or gateway , the aquirer HSM translates the encrypted PIN block from the LMK to the Zone Master Key (ZMK) of the aquirer interchange link. The PIN block is always encrypted using DEA3 (3DES) whenever outside of the Terminal or ATM.
I was asked some time ago to provide a list of things which may be considered when looking at Internet Banking.
Below is the list. It was just a brain dump and as such may not be complete.
Don’t underestimate the value of standards for your infrastructure, website configuration, database engine configuration/architecture,staging environment and development/QA environments.
Some thoughts:
– And all the other things expected for a remote login session (forced password changes, aging, etc))
– Tools such as Brutus may be use to brute force hack authenticated sessions.
– These may be server side, client side, cookie based, etc.
– Get someone to check the development methodologies and the code being used.
– Database query strings can be placed into test entry fields, allowing table dumps to browser.
– Check all pages served are secure and contain user authentication flags.
– A different segment to the main banking system.
– Separate private and public network cards, monitoring/backup/administration
– Infrastructure set-up to explicitly deny inbound/outbound ports, private IP & monitoring escaping from the network.
– This may be a staging environment. i.e. no the main banking system.
– This usually allows for transactions to appear real time to the customer.
– Many transactions may be batched in reality. (internal or external to the bank)
– There should be inbound and outbound rules on firewalls and filtering routers.
– Use the serial console port to connect to a server or back-end terminal server.
– These should be disabled.
– Investigate the reasons for all open ports.
– Look for real-time monitoring and alerting.
– Look for responsibility matrix.
– Look for ownership of issues.
– Helpdesk procedures and policies and/or alternate technologies (Caller ID, Gateway IP, etc.).
– Digital cert, IP address locked to account, etc.
– Consider use of CVV or CVN for bank issued cards.
– Plain text email, telephone, etc.
– Can passwords be changed online?
– Look at SWIFT, RTGS, inter-bank transfers, access to credit cards, etc.
– If an attacker does get in, what can the do?
– These are flags that can be set within pages.
– Normally SSL is cached, but some proxy vendors have been playing with techniques to do so.
– Caching of SSL pages on the client system can be turned on on some browsers.
– May banks use a Java (or similar) applet for all customer interaction, restricting all caching issues.
– I’ve seen statements like “use this system at your own risk, responsibility for any liability or claim will NOT……”
– Not very customer focused, but that’s what their legal department recommended.
All of the above can effect the security and/or operation of an on-line banking system.
Other things to consider:
When considering Mobile Banking security and the associated risks, an assessment approach depends greatly on the solution being created or provided.
Generally the approach is based on layered standards, supporting and surrounding the technologies and techniques used.
Here are some things to consider.
Security assessments generally focuses on two main things.
1/ Sensitivity of the data
What is being sent. eg. Pin, credit card numbers, account balance, home address, bank account number, etc.
Data may not be sensitive to the bank, but may be considered by the client as sensitive.
etc……….
2/ Opportunity to access the data.
What medium is being used?
Is it technology/technique easy or trivial to hack?
What encryption is being used?
Are all data paths secure (client and back end)?
Is there a 3rd party involved in the switching of the transactions?
etc………
Things to consider:
I have been recently working inside one of the larger Banks in Australia.
Through this work, I have been looking at the controls and mechanisms surrounding the processing of credit and debit cards around the Asia Pacific.
I get to perform many security architecture and payment systems assessments.
Over the years I have always considered the protection of the card data as one of the key considerations.
Until yesterday I had never seen an CVV or PVV decryption tools. I think some scripted use of these tools could be very interesting.
The site hziggurat29.com
Many of the other tools on this site are also very unique and worth a look.
Big thanks to ziggurat29 for providing such awesome tools.
As many of these sites are of this nature are difficult to find and often seem to vanish over the years, I have chosen to replicate the the text from this page and provide local copies on the files.
It is worth periodically visiting the ziggurat29 site every now and again to see if any additional tools have been posted.
One of the more extraordinary files is the Atalla Hardware Security Module (HSM) and BogoAtalla for Linksys emulation (simulation) tools. So I wonder if Eracom and Thales are shaking in their boots. Some how I don’t think so. 😉
——– ziggurat29 Text ———
These are all Windows command-line utilities (except where noted); execute with the -help option
to determine usage.
DUKPT Decrypt (<- the actual file to download)
This is a utility that will decrypt Encrypted PIN Blocks that have been produced via the DUKPT triple-DES method. I used this for testing the output of some PIN Pad software I had created, but is also handy for other debugging purposes.
VISA PVV Calculator (<- the actual
file to download)
This is a utility that will compute and verify PIN Verification Values that have been produced using the VISA PVV technique. It has a bunch of auxiliary functions, such as verifying and fixing a PAN (Luhn computations), creating and encrypting PIN blocks, decrypting and extracting PINs from encrypted PIN blocks, etc.
VISA CVV Calculator (<- the actual file to download)
This is a utility that will compute Card Verification Values that have been produced using the VISA CVV technique. MasterCard CVC uses the CVV algorithm, so it will work for that as well. It will compute CVV, CVV2, CVV3, iCVV, CAVV, since these are just variations on service code and the
format of the expiration date. Verification is simply comparing the computed value with what you have received, so there is no explicit verification function.
Atalla AKB Calculator (<- the actual file to download)
This is a utility that will both generate and decrypt Atalla AKB cryptograms. You will need the plaintext MFK to perform these operations. When decrypting, the MAC will also be checked and the results shown.
BogoAtalla (<- the actual file to
download)
This is an Atalla emulator (or simulator). This software emulation (simulation) of the well-known Atalla Hardware Security Module (HSM) that is used by banks and processors for cryptographic operations, such as verifying/translating PIN blocks, authorising transactions by verifying
CVV/CSC numbers, and performing key exchange procedures, was produced for testing purposes. This implementation is not of the complete HP Atalla command set, but rather the just
portions that I myself needed. That being said, it is complete enough if you are performing acquiring and/or issuing processing functions, and are using more modern schemes such as Visa PVV and DUKPT, and need to do generation, verification, and translation.
This runs as a listening socket server and handles the native Atalla command set. I have taken some liberties with the error return values and have not striven for high-fidelity there (i.e., you may get a different error response from native hardware), but definitely should get identical positive
responses. Some features implemented here would normally require purchasing premium commands, but all commands here implemented are available. Examples are generating PVV values and encrypting/decrypting plaintext PIN values.
BogoAtalla for Linksys (<- the actual file to download)
This is the Atalla emulator ported to Linux and build for installation on an OpenWRT system. Makes for a really cheap ($60 USD) development/test device.
Local Files
bogoatalla002
atallaakbcalc
bogoatalla_10-1_mipsel
dukptdecrypt
visacvvcalc
visapvvcalc
A blog posting on BoingBoing provides further discussion as to the
inappropriate deployment and of RFID chips within the existing payment
marketplace.
http://www.boingboing.net/2006/10/23/report_contactless_c.html
The underlying point of this article is, the card schemes and banks said they are using key rotating encryption of all data between the card and the acquirer/issuer, but this is clearly not the case in many situations.
Another interesting paper is ‘RFID Payment Card Vulnerabilities Technical Report’ located at:
http://www.nytimes.com/packages/pdf/business/20061023_CARD/techreport.pdf