I thought we were removing the need for the cheque in the electronic age.
Apparently not, ‘check’ out this link on Engadget.
This is our place on the Internet.
I thought we were removing the need for the cheque in the electronic age.
Apparently not, ‘check’ out this link on Engadget.
This is Great, I want one of these cards and a list of ATM’s.
http://www.sophos.com/blogs/gc/g/2009/03/18/details-diebold-atm-trojan-horse-case/
http://www.theregister.co.uk/2009/03/17/trojan_targets_diebold_atms/
From the Security Now Podcast http://www.grc.com/sn/sn-200.htm
Steve: It’s like, oh, goodness, yeah. It’s quite something. So the big news, though, I just sort of had to kind of smile because I told all of our listeners this was going to happen. I said just wait, this is a bad idea, we’re going to see how bad it is. Trojans have – Trojan software has been found in ATMs located in Eastern Europe. |
Leo: Oh. Oh. |
Steve: From many different vendors. |
Leo: Oh, dear. |
Steve: But what one thing do all of the trojan-infected ATMs have in common, Leo? |
Leo: Let me guess. |
Steve: Mm-hmm. |
Leo: Windows? |
Steve: Windows XP. |
Leo: Ai yi yi. |
Steve: The LSASS service is the manager of protected content in the system. It’s not quite the right acronym. I can’t think of what it is right now. But it’s like the main security service. And fake ones have been found in the Windows directory. The LSASS EXE normally lives in the Windows System32 directory. They were written in Borland’s Delphi. |
Leo: You’re kidding. |
Steve: No. |
Leo: Well, that’s kind of sophisticated for a hacker. Wow. |
Steve: And it’s considered, I mean, it’s commercial-grade code. It’s good code. |
Leo: Oh, boy. |
Steve: These are not remote installation Trojans. It’s believed that somebody had to have access to the machines. |
Leo: Oh, even worse. |
Steve: But they have special credit cards. When they swipe the special credit card in the infected machine, it accesses the trojan software, which among other things allows them to dump out all the cash from the machine. But in the meantime it’s logging all of the users’ information and PINs, which it’s able to dump out encrypted with DES encryption from the printer, from the ATM printer in the front of the machine. |
Leo: Wow. |
Steve: So the – and anyway, so it’s interesting to me. Again, it’s, you know, people defended the idea of implementing these things that I contend should never have been written in Windows. They say, well, but it’s easier to write them. And it’s like, yes. |
Hi,
I was asked on another post relating to DUKPT to provide some backgound. Given I have lots of material on the subject, I thought I would create this thread. Link
I will come back at some stage and expand on this when I get time.
Transaction Process narrative:
The diagram describes a mobile terminal/ATM is described using the a AS2805 (‘2805’) message type and 3DES DUKPT and dual direction auth SSL from the terminal to the aquirer (transaction switch).
A good explanation of DUKPT can also be found at Wikipedia.
Background notes:
The aquirer may terminate the the SSL connection on a hardware device such as a CISCO Content Service Switch (CSS), or equivalent instead of the design described in the diagram which terminates onto a SSL session server/gateway (Possibly including a Certificate Authority) or on the aquirer transaction switch.
When PIN blocks are received by the aquirer processing centre, the PIN encryption is translated from the terminal key to the Local Master Key (LMK) by the Host Security Modules (HSM).
When the message is sent on the upstream bank interchange link to the issuer or gateway , the aquirer HSM translates the encrypted PIN block from the LMK to the Zone Master Key (ZMK) of the aquirer interchange link. The PIN block is always encrypted using DEA3 (3DES) whenever outside of the Terminal or ATM.
I was asked some time ago to provide a list of things which may be considered when looking at Internet Banking.
Below is the list. It was just a brain dump and as such may not be complete.
Don’t underestimate the value of standards for your infrastructure, website configuration, database engine configuration/architecture,staging environment and development/QA environments.
Some thoughts:
– And all the other things expected for a remote login session (forced password changes, aging, etc))
– Tools such as Brutus may be use to brute force hack authenticated sessions.
– These may be server side, client side, cookie based, etc.
– Get someone to check the development methodologies and the code being used.
– Database query strings can be placed into test entry fields, allowing table dumps to browser.
– Check all pages served are secure and contain user authentication flags.
– A different segment to the main banking system.
– Separate private and public network cards, monitoring/backup/administration
– Infrastructure set-up to explicitly deny inbound/outbound ports, private IP & monitoring escaping from the network.
– This may be a staging environment. i.e. no the main banking system.
– This usually allows for transactions to appear real time to the customer.
– Many transactions may be batched in reality. (internal or external to the bank)
– There should be inbound and outbound rules on firewalls and filtering routers.
– Use the serial console port to connect to a server or back-end terminal server.
– These should be disabled.
– Investigate the reasons for all open ports.
– Look for real-time monitoring and alerting.
– Look for responsibility matrix.
– Look for ownership of issues.
– Helpdesk procedures and policies and/or alternate technologies (Caller ID, Gateway IP, etc.).
– Digital cert, IP address locked to account, etc.
– Consider use of CVV or CVN for bank issued cards.
– Plain text email, telephone, etc.
– Can passwords be changed online?
– Look at SWIFT, RTGS, inter-bank transfers, access to credit cards, etc.
– If an attacker does get in, what can the do?
– These are flags that can be set within pages.
– Normally SSL is cached, but some proxy vendors have been playing with techniques to do so.
– Caching of SSL pages on the client system can be turned on on some browsers.
– May banks use a Java (or similar) applet for all customer interaction, restricting all caching issues.
– I’ve seen statements like “use this system at your own risk, responsibility for any liability or claim will NOT……”
– Not very customer focused, but that’s what their legal department recommended.
All of the above can effect the security and/or operation of an on-line banking system.
Other things to consider:
When considering Mobile Banking security and the associated risks, an assessment approach depends greatly on the solution being created or provided.
Generally the approach is based on layered standards, supporting and surrounding the technologies and techniques used.
Here are some things to consider.
Security assessments generally focuses on two main things.
1/ Sensitivity of the data
What is being sent. eg. Pin, credit card numbers, account balance, home address, bank account number, etc.
Data may not be sensitive to the bank, but may be considered by the client as sensitive.
etc……….
2/ Opportunity to access the data.
What medium is being used?
Is it technology/technique easy or trivial to hack?
What encryption is being used?
Are all data paths secure (client and back end)?
Is there a 3rd party involved in the switching of the transactions?
etc………
Things to consider:
I have been recently working inside one of the larger Banks in Australia.
Through this work, I have been looking at the controls and mechanisms surrounding the processing of credit and debit cards around the Asia Pacific.
I get to perform many security architecture and payment systems assessments.
Over the years I have always considered the protection of the card data as one of the key considerations.
Until yesterday I had never seen an CVV or PVV decryption tools. I think some scripted use of these tools could be very interesting.
The site hziggurat29.com
Many of the other tools on this site are also very unique and worth a look.
Big thanks to ziggurat29 for providing such awesome tools.
As many of these sites are of this nature are difficult to find and often seem to vanish over the years, I have chosen to replicate the the text from this page and provide local copies on the files.
It is worth periodically visiting the ziggurat29 site every now and again to see if any additional tools have been posted.
One of the more extraordinary files is the Atalla Hardware Security Module (HSM) and BogoAtalla for Linksys emulation (simulation) tools. So I wonder if Eracom and Thales are shaking in their boots. Some how I don’t think so. 😉
——– ziggurat29 Text ———
These are all Windows command-line utilities (except where noted); execute with the -help option
to determine usage.
DUKPT Decrypt (<- the actual file to download)
This is a utility that will decrypt Encrypted PIN Blocks that have been produced via the DUKPT triple-DES method. I used this for testing the output of some PIN Pad software I had created, but is also handy for other debugging purposes.
VISA PVV Calculator (<- the actual
file to download)
This is a utility that will compute and verify PIN Verification Values that have been produced using the VISA PVV technique. It has a bunch of auxiliary functions, such as verifying and fixing a PAN (Luhn computations), creating and encrypting PIN blocks, decrypting and extracting PINs from encrypted PIN blocks, etc.
VISA CVV Calculator (<- the actual file to download)
This is a utility that will compute Card Verification Values that have been produced using the VISA CVV technique. MasterCard CVC uses the CVV algorithm, so it will work for that as well. It will compute CVV, CVV2, CVV3, iCVV, CAVV, since these are just variations on service code and the
format of the expiration date. Verification is simply comparing the computed value with what you have received, so there is no explicit verification function.
Atalla AKB Calculator (<- the actual file to download)
This is a utility that will both generate and decrypt Atalla AKB cryptograms. You will need the plaintext MFK to perform these operations. When decrypting, the MAC will also be checked and the results shown.
BogoAtalla (<- the actual file to
download)
This is an Atalla emulator (or simulator). This software emulation (simulation) of the well-known Atalla Hardware Security Module (HSM) that is used by banks and processors for cryptographic operations, such as verifying/translating PIN blocks, authorising transactions by verifying
CVV/CSC numbers, and performing key exchange procedures, was produced for testing purposes. This implementation is not of the complete HP Atalla command set, but rather the just
portions that I myself needed. That being said, it is complete enough if you are performing acquiring and/or issuing processing functions, and are using more modern schemes such as Visa PVV and DUKPT, and need to do generation, verification, and translation.
This runs as a listening socket server and handles the native Atalla command set. I have taken some liberties with the error return values and have not striven for high-fidelity there (i.e., you may get a different error response from native hardware), but definitely should get identical positive
responses. Some features implemented here would normally require purchasing premium commands, but all commands here implemented are available. Examples are generating PVV values and encrypting/decrypting plaintext PIN values.
BogoAtalla for Linksys (<- the actual file to download)
This is the Atalla emulator ported to Linux and build for installation on an OpenWRT system. Makes for a really cheap ($60 USD) development/test device.
Local Files
bogoatalla002
atallaakbcalc
bogoatalla_10-1_mipsel
dukptdecrypt
visacvvcalc
visapvvcalc
Guardian Technology Pages
28 September 2006
The Guardian
“Your card has been declined.”
“What? No way, there’s plenty of money in that account!”
“I’m sorry, madam, but it’s refusing the transaction.”
“It’s your card reader, that card worked fine in Boots five minutes ago.”
“The card has been declined. Do you have another one?”
The casual eavesdropper might infer that I – the protesting woman in that dialogue – am financially irresponsible, that my credit card is maxed out or my debit card has reached its overdraft limit. In fact, it’s far more likely that the reader on the chip and pin machine is throwing a strop. There is a machine at WH Smith in North End Road, Fulham, that hates my debit card and never accepts it. I’ve given up trying there. But it’s not the only one.
Self-service machines have sprung up everywhere, sprouting card readers and keypads. But watch closely and you will find that more often than not, there is an angry person muttering and swearing at the machine while a queue forms. Watch a little longer and you’ll see that queue evaporate – and reform at the counter in front of a human being.
This happened to me and my partner in France recently when we pulled into a petrol station in Epernay. In our desperation, we pulled up at an empty pump, wondering vaguely why it had no queue while others did.
Why? Because before it would dispense petrol, it wanted a credit card and pin. We fed it mine and I keyed in the number, only for it to be spat out with terrifying admonitions in French about the card being refused. I wiped the strip and tried again. Same reaction, causing a moment’s panic: we’d spent a bit on that card – did my bank think it was stolen? Was it blocked?
So we tried my partner’s card. Same thing. And then the penny dropped that the pumps with the queues were the old-fashioned ones where you fill the car up and then pay at the till. Clearly the locals knew all about these pumps.
Mind you, it was a miracle we got to France at all. When we arrived at the Eurotunnel terminus we joined a queue of cars for the automatic check-in. I am not the most patient of queuers and within a short time I was railing about how slowly it was moving. A man in a bright yellow jacket was buzzing about from car to car. Finally we got to the head of the queue and fed in the card that was used to book the shuttle online.
It didn’t want to know. It spat the card out. We tried again and got as far as tapping in our reservation number. It spat it out again. The chap in the high-visibility jacket buzzed over to us and rolled his eyes, saying: “It’s been playing up all day.” He went into the booth with the card – and then we heard him saying over his radio that the whole system had gone down in protest.
As an idea, the technology is great. In practice, we have a long way to go before we can dispense with human beings who can override systems when good card readers go bad. Kate Bevan
© Copyright 2006. The Guardian. All rights reserved.