Event Summary
According to the Moscow Times, hundreds of ATM PIN codes have been stolen in the last few weeks from Moscow's ATM network. The cybercriminals then used these codes to empty bank accounts down to the last dollar or Deutschemark from other ATMs around the world. Russian and German law-enforcement agencies are in the midst of a joint investigation into what is believed to be a single crime ring. Marcel Hoffman, a spokesman for the Federal Association of German Banks, confirmed to the Moscow Times that hundreds of letters of warning had been sent to expatriates alerting them that their ATM PINs had been hacked.
An editorial in the Moscow Times called for the banks to stand up to ATM fraud. Russian bank officials are brushing off the accusations with denials and much verbiage about "first-class security systems." The lack of a concerned response from Russian banking officials is sure to affect the revenue coming into Moscow.
Methodologies of ATM Hacking
This is not the first case of ATM fraud. In October of '96, a gang of seven
businessmen, two from Tel Aviv, and five from Poland, were found guilty of withdrawing
a total of 600,000 Israeli Sheqels, equivalent to U.S. $200,000. The businessmen
had purchased tens of thousands of blank plastic ATM cards in Greece, and later
recorded the magnetic codes on the back of the card. An Israeli computer expert,
Daniel Cohen, had obtained the codes and assisted with the magnetic stripe manufacturing.
Magnetic stripe writers, and readers, can be purchased for about $300.00.
There are sometimes three, but usually two, tracks on a magnetic stripe, and many fields within each track. Though most banks typically ignore track one, they sometimes put the card holder's name in the fifth field. The account number is usually stored in the second field of track two. The PIN verification field is usually held in field nine on track one or field six on track two. With a magnetic stripe reader, a stolen card's stripe can be read and recorded, and later put on a new card with a magnetic stripe writer. Or if you know what numbers you want to put in what fields, you can write another person's account number on your own card, and use your own PIN to loot their account. Encrypted account numbers can be decrypted by savvy cryptographers.
There are multiple ways that ATM systems can be compromised. In a paper entitled "Why Cryptosystems Fail," Nikos Drakos of the Computer Based Learning Unit at the University of Leeds describes several of them. Drakos states that one method for hacking ATM financial networks relies on the fact that many banks do not encrypt or authenticate the authorization response to the ATM. This means that if an attacker finds a way to record a "pay" response from the bank to the machine, a feat that can be accomplished by protocol sniffing on compromised network wires, the attacker could then keep replaying the "pay" response until the machine is empty. This technique is known as "jackpotting."
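As an added example (not from the original article or the cited paper), the sketch below shows the countermeasure that weakness calls for: the bank authenticates each authorization response with an HMAC bound to a fresh per-transaction nonce, so a recorded "pay" message is rejected when it is replayed. The message layout, the `Atm` class, the shared key and the terminal ID are assumptions made for illustration, and the sketch covers authentication only, not encryption.

```python
import hashlib
import hmac
import secrets
import struct


def _encode(*fields: bytes) -> bytes:
    # Length-prefix every field so field boundaries cannot be shifted.
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def sign_response(key, nonce, terminal_id, amount_cents, decision):
    """Bank side: MAC the decision together with the request it answers."""
    msg = _encode(nonce, terminal_id.encode(), str(amount_cents).encode(), decision.encode())
    return hmac.new(key, msg, hashlib.sha256).digest()


class Atm:
    def __init__(self, key, terminal_id):
        self.key, self.terminal_id = key, terminal_id
        self.pending = {}  # nonce -> amount, for requests still awaiting an answer

    def new_request(self, amount_cents):
        nonce = secrets.token_bytes(16)  # fresh per transaction
        self.pending[nonce] = amount_cents
        return nonce

    def accept(self, nonce, amount_cents, decision, tag):
        """Return True only for a fresh, authentic PAY for this exact request."""
        if self.pending.get(nonce) != amount_cents:
            return False  # unknown or already-consumed nonce: a replay
        expected = sign_response(self.key, nonce, self.terminal_id, amount_cents, decision)
        if not hmac.compare_digest(expected, tag):
            return False  # forged or altered response
        del self.pending[nonce]  # each nonce pays out at most once
        return decision == "PAY"


def demo():
    key = secrets.token_bytes(32)  # constructed shared key
    atm = Atm(key, "ATM-0001")     # constructed terminal ID
    n1 = atm.new_request(20000)
    tag1 = sign_response(key, n1, "ATM-0001", 20000, "PAY")
    results = [atm.accept(n1, 20000, "PAY", tag1)]       # genuine response
    results.append(atm.accept(n1, 20000, "PAY", tag1))   # same message replayed
    n2 = atm.new_request(20000)
    results.append(atm.accept(n2, 20000, "PAY", tag1))   # old tag on a new request
    deny = sign_response(key, n2, "ATM-0001", 20000, "DENY")
    results.append(atm.accept(n2, 20000, "PAY", deny))   # DENY rewritten to PAY
    return results
```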
Several years ago, ATM fraud occurred at a bank in New York in which a disgruntled ex-employee stole over $80,000. After shoulder surfing for customer PINs, he used discarded bank receipts to associate the PIN with an account number, and was able to later enter these numbers into the ATM, and use his own PIN to withdraw money. Presumably he did this by using a magnetic stripe writer.
Some bank ATMs can be hacked by observing a person's PIN, then inserting a phone card. The ATM believes that the previous card has been inserted again, and when the PIN is entered, money is then made available for withdrawal.
The fastest growing modus operandi for hacking ATM terminals is to use false decoy terminals to collect customer card and PIN data. Attacks of this kind were first reported in the United States as early as 1988. With a bit of engineering, criminals can build vending machines which accept any card and PIN, and dispense, say, a packet of cigarettes. They put their invention in a shopping mall, and harvest PINs and magnetic stripe data through a modem built into the vending machine.
There have even been cases of people installing second-hand ATMs purchased from banks. These ATMs are installed in public places such as new shopping malls. Unsuspecting consumers insert their cards, punch in their PINs and get a message saying, "Sorry, unable to dispense cash at this time." In the meantime, criminals have used the ATM log files to get a list of card numbers and PIN codes, which they can then use to create bogus cards and withdraw money.
Recommendations
How prevalent is ATM fraud? If we weren't seeing a significant number of reports on it, the FBI wouldn't have so many ATM fraud warnings on its website. Here are some ways that ATM fraud can be reduced:
- As banks become aware of weaknesses in traditional ATM technologies, new security paradigms need to be put into place. Non-reusable authentication systems, such as time-based token authentication systems, or non-reusable passwords would be an improvement over most current ATM systems.
- When using an ATM card, anywhere, do not leave your receipt behind, especially if your bank prints your entire account number on the receipt.