Computer Software Security - Computer security - desktop and server software, encryption and similar subjects
Posted by nemo_outis on December 1, 2006, 10:32 am
An interesting post on sci.crypt on attacks on bank PINs:
________
Possible Serious Security Flaw In ATMs
http://it.slashdot.org/it/06/11/30/2139235.shtml
ATM system called unsafe
http://redtape.msnbc.com/2006/11/researchers_who.html
from above:
A U.S. Secret Service memo obtained by MSNBC.com indicates that
organized criminals are systematically attempting to subvert the ATM
system and unscramble encrypted PIN codes.
_______
The underlying paper, which came out about 2 weeks ago, is at:
http://www.arx.com/documents/The_Unbearable_Lightness_of_PIN_Cracking.pdf
Regards,
Posted by Anne & Lynn Wheeler on December 2, 2006, 3:17 pm
> The underlying paper, which came out about 2 weeks ago, is at:
>
> http://www.arx.com/documents/The_Unbearable_Lightness_of_PIN_Cracking.pdf
re:
http://www.garlic.com/~lynn/2006v.html#33 New attacks on the financial PIN processing
and some misc. older posts related to ATM and debit card issues,
vulnerabilities, exploits and threats:
http://www.garlic.com/~lynn/2005u.html#16 AMD to leave x86 behind?
http://www.garlic.com/~lynn/2006e.html#21 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#22 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#26 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006k.html#23 Value of an old IBM PS/2 CL57 SX Laptop
http://www.garlic.com/~lynn/aadsm22.htm#21 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#22 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#25 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#26 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm23.htm#35 3 of the big 4 - all doing payment systems
http://www.garlic.com/~lynn/aadsm23.htm#37 3 of the big 4 - all doing payment systems
http://www.garlic.com/~lynn/aadsm24.htm#9 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#10 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm26.htm#1 Extended Validation - setting the minimum liability, the CA trap, the market in browser governance
http://www.garlic.com/~lynn/aadsm26.htm#6 Citibank e-mail looks phishy
http://www.garlic.com/~lynn/aadsm26.htm#11 What is the point of encrypting information that is publicly visible?
http://www.garlic.com/~lynn/2006v.html#1 New attacks on the financial PIN processing
in the mid-90s, the x9a10 financial standard working group was given
the requirement to protect the financial infrastructure for all retail
payments. the result was the x9.59 financial standard
http://www.garlic.com/~lynn/x959.html#x959 http://www.garlic.com/~lynn/subpubkey.html#x959
part of x9.59 standard was attempting to eliminate most of the known
exploits, threats and vulnerabilities in the infrastructure.
another part was being privacy agnostic ... i.e. name and/or other
identifying information would not be required at point-of-sale.
part of that was looking at promoting x9.59 to ISO (international)
level ... and in that period the EU had made some directive (in
conjunction with the EU-DPD) that all retail/pos electronic
transactions should be as anonymous as cash.
for some other drift ... as part of co-authoring the x9.99 financial
industry privacy standard ... did some work on trying to pull together
a merged privacy taxonomy and glossary from several sources
(including GLBA, EU-DPD, HIPAA, etc)
http://www.garlic.com/~lynn/index.html#glosnote
Posted by nemo_outis on December 2, 2006, 4:26 pm
> re:
> http://www.garlic.com/~lynn/2006v.html#33 New attacks on the financial
> PIN processing
...
Thanks for the comprehensive reference material and overview.
Regards,
Posted by Anne & Lynn Wheeler on December 2, 2006, 7:40 pm
ref:
http://www.garlic.com/~lynn/2006v.html#39 On sci.crypt: New attacks on the financial PIN processing
and some more background and related topics
Bank-card PINs 'wide open' to insider attack
http://www.theregister.co.uk/2006/11/20/bank_card_pin_fraud/
Researchers uncover PIN security flaw
http://www.finextra.com/fullstory.asp?id=16183
Banks face growing threat of identity theft from insiders
http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=21817
Banks face growing threat of identity theft from insiders
http://news.com.com/Banks+face+growing+threat+of+identity+theft+from+insiders/2100-1029_3-6137940.html
and repeat about some PIN issues
http://www.garlic.com/~lynn/aadsm26.htm#6
as well as the insider issue
http://www.garlic.com/~lynn/aadsm26.htm#7
UK Leads Europe In Card Crime
http://www.epaynews.com/index.cgi?survey=&ref=browse&f=view&id=116427718621320215354&block=
Britain card fraud hotspot of Europe
http://business.timesonline.co.uk/article/0,,9555-2463348,00.html
UK tops Europe for card fraud
http://www.finextra.com/fullstory.asp?id=16182
Britain branded 'card fraud capital'
http://www.itv.com/news/britain_f165620f56dccc8046e18397ebbdab8a.html
Britons are Europe's biggest victims of card fraud
http://today.reuters.co.uk/news/articleinvesting.aspx?type=personalFinanceNews&storyID=2006-11-21T131131Z_01_NOA147403_RTRUKOC_0_FINANCIAL-FRAUD.xml&WTmodLoc=Business-C9-PF-2
UK banks face phishing chaos
http://www.computerweekly.com/Articles/2006/11/20/220024/UK+banks+face+phishing+chaos.htm
Phishing still hits banks and customers
http://www.crime-research.org/news/21.11.2006/2361/
then there is the old "yes cards" discussions and the generic issue
with "replay attacks" when static authentication data is being used
http://www.garlic.com/~lynn/subintegrity.html#yescard
and related issue is that if there is authentication separate from the
transaction ... the infrastructure can be exposed to man-in-the-middle
attacks ... something that x9a10 financial standard working group
spent some amount of time studying
shows up relatively recently in these posts
http://www.garlic.com/~lynn/2006v.html#26 Fighting Fraudulent Transactions
http://www.garlic.com/~lynn/2006v.html#27 Federal Rules May Not Fully Secure
Online Banking Sites
Posted by Anne & Lynn Wheeler on December 4, 2006, 10:30 am
> then there is the old "yes cards" discussions and the generic issue
> with "replay attacks" when static authentication data is being used
> http://www.garlic.com/~lynn/subintegrity.html#yescard
re:
http://www.garlic.com/~lynn/2006v.html#39 On sci.crypt: New attacks on the financial PIN processing
general class of harvesting/skimming authentication static data for various
forms of replay attacks.
http://www.garlic.com/~lynn/subintegrity.html#secrets http://www.garlic.com/~lynn/subintegrity.html#harvest
in the "yes card" scenario, some considered the chip worse than the
magstripe cards that it replaced. a countermeasure in the standard
financial account transaction is to flag the account and negate future
(online) transactions. in the "yes card" scenario ... once the
(counterfeit) "yes card" replayed the authentication static data, it
was allowed to instruct the terminal to do an "offline"
transaction. by the time the terminal finds out the account has been
flagged, it is way too late. also when the "terminal" asked the
(counterfeit) "yes card" if the entered PIN was correct, the "yes
card" would always reply "YES" (part of where the counterfeit card
got its label "yes card"). As a result, the attacker doesn't even need
to know the PIN.
in three-factor authentication model
http://www.garlic.com/~lynn/subintegrity.html#3factor
* something you have
* something you know
* something you are
normally in multi-factor authentication, the different factors are
assumed to have independent vulnerabilities. A ("something you know")
PIN is countermeasure to lost/stolen ("something you have") card. In
the "yes card" scenario, an attacker just needs to harvest/skim the
card "authentication" information (and/or trick a lost/stolen card
into divulging the information). That information then can be loaded
into a (counterfeit) "yes card". Furthermore, while the account for a
lost/stolen card can be reported and have the corresponding account
flagged, since a (counterfeit) "yes card" can instruct the terminal to
do an offline transaction, it defeats the effect of flagging the
account.
some other recent items related to static data authentication and
replay attacks
http://www.garlic.com/~lynn/2006v.html#29 User Authentication
http://www.garlic.com/~lynn/2006v.html#44 User Authentication
and
User agency warns of online security risks
http://news.ninemsn.com.au/article.aspx?id=168199
Warning over use of repeat passwords
http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=21901
Warning over use of repeat passwords
http://www.theage.com.au/news/security/warning-over-use-of-repeat-passwords/2006/12/03/1165080812161.html
Schumer warns on no-swipe credit cards
http://news.yahoo.com/s/ap/schumer_id_theft
now one of the countermeasures to the static data authentication and
"yes card" vulnerability is to convert to some form of dynamic data
authentication (like digital signatures). note however, that even
"dynamic data authentication" may be vulnerable to a "yes card"
man-in-the-middle attack if it is used for card authentication as
opposed to transaction authentication, i.e. pair a counterfeit "yes
card" with a valid lost/stolen card ... where the counterfeit "yes
card" transparently passes the card authentication messages and then
controls the rest of the session (when the terminal asks if the
correct PIN was entered the "yes card" responds "YES" and when the
terminal asks if it should do an offline transaction, the "yes card"
also responds "YES").
recent related item
http://www.garlic.com/~lynn/2006v.html#26 Fighting Fraudulent Transactions
other posts related to man-in-the-middle attacks
http://www.garlic.com/~lynn/subintegrity.html#mitm
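The distinction the post draws between card authentication and transaction authentication, as an added toy model in Python (not the poster's material, and not any real card protocol): GenuineCard, YesCard and the two terminal flows are hypothetical, the issuer's key check is collapsed into a local function, and the sample key and PIN are constructed. Under card-only authentication the terminal trusts the counterfeit card's "YES" answers once the relayed card authentication passes; when the card instead signs the transaction together with its own PIN-verified flag, the relayed signature cannot vouch for a PIN the genuine card never saw.

```python
import hmac, hashlib, os

# Constructed sample key; a genuine card and its issuer share a per-card key, abstracted here.
CARD_KEY = hashlib.sha256(b"constructed-sample-card-key").digest()

class GenuineCard:
    """Holds the key and PIN, and only ever attests to a PIN it verified itself."""
    def __init__(self, key, pin):
        self.key, self.pin, self.pin_ok = key, pin, False
    def card_auth(self, nonce):                 # dynamic card authentication only
        return hmac.new(self.key, b"auth|" + nonce, hashlib.sha256).digest()
    def verify_pin(self, pin):
        self.pin_ok = (pin == self.pin)
        return self.pin_ok
    def offline_ok(self): return False          # a genuine card defers to the issuer
    def sign_txn(self, nonce, amount):          # transaction authentication: MAC binds pin_ok
        msg = b"|".join([b"txn", nonce, str(amount).encode(), b"1" if self.pin_ok else b"0"])
        return self.pin_ok, hmac.new(self.key, msg, hashlib.sha256).digest()

class YesCard:
    """Counterfeit card paired with a stolen genuine card: relays card auth, answers YES."""
    def __init__(self, real):
        self.real = real
    def card_auth(self, nonce): return self.real.card_auth(nonce)   # passed through
    def verify_pin(self, pin): return True      # never consults the real card
    def offline_ok(self): return True           # steers the terminal away from the issuer
    def sign_txn(self, nonce, amount):          # can only relay; the real card signs pin_ok=0
        _, mac = self.real.sign_txn(nonce, amount)
        return True, mac

def issuer_mac_ok(key, msg, mac):
    """Stands in for the issuer, the only other holder of the card key."""
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), mac)

def terminal_card_auth_only(card, key, entered_pin, amount):
    """Card authentication separate from the transaction: terminal trusts the card's answers."""
    nonce = os.urandom(8)
    if not issuer_mac_ok(key, b"auth|" + nonce, card.card_auth(nonce)):
        return "declined"
    if not card.verify_pin(entered_pin):
        return "declined"
    return "approved offline" if card.offline_ok() else "approved online"

def terminal_txn_auth(card, key, entered_pin, amount):
    """Transaction authentication: issuer recomputes the MAC over amount and the PIN flag."""
    nonce = os.urandom(8)
    card.verify_pin(entered_pin)
    claimed_ok, mac = card.sign_txn(nonce, amount)
    msg = b"|".join([b"txn", nonce, str(amount).encode(), b"1" if claimed_ok else b"0"])
    return "approved online" if claimed_ok and issuer_mac_ok(key, msg, mac) else "declined"
```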