[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FYI] R. Anderson: Citibank tries to gag crypto bug disclosure

-> http://cryptome.org/

--- snip ---

To: ukcrypto@chiark.greenend.org.uk
Subject: Citibank tries to gag crypto bug disclosure
Date: Thu, 20 Feb 2003 09:57:34 +0000
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

Citibank is trying to get an order in the High Court today gagging public 
disclosure of crypto vulnerabilities:


I have written to the judge opposing the order:


The background is that my student Mike Bond has discovered some really 
horrendous vulnerabilities in the cryptographic equipment commonly used to 
protect the PINs used to identify customers to cash machines:


These vulnerabilities mean that bank insiders can almost trivially find out 
the PINs of any or all customers. The discoveries happened while Mike and I 
were working as expert witnesses on a `phantom withdrawal' case.

The vulnerabilities are also scientifically interesting:


For the last couple of years or so there has been a rising tide of 
phantoms. I get emails with increasing frequency from people all over the 
world whose banks have debited them for ATM withdrawals that they deny 
making. Banks in many countries simply claim that their systems are secure 
and so the customers must be responsible. It now looks like some of these 
vulnerabilities have also been discovered by the bad guys. Our courts and 
regulators should make the banks fix their systems, rather than just lying 
about security and dumping the costs  on the customers.

Curiously enough, Citi was also the bank in the case that set US law on 
phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's 
an omen, if not a precedent ...



We present an attack on hardware security modules used by retail banks for 
the secure storage and verification of customer PINs in ATM (cash machine) 
infrastructures. By using adaptive decimalisation tables and guesses, the 
maximum amount of information is learnt about the true PIN upon each guess. 
It takes an average of 15 guesses to determine a four digit PIN using this 
technique, instead of the 5000 guesses intended. In a single 30 minute 
lunch-break, an attacker can thus discover approximately 7000 PINs rather 
than 24 with the brute force method. With a $300 withdrawal limit per card, 
the potential bounty is raised from $7200 to $2.1 million and a single 
motivated attacker could withdraw $30{50 thousand of this each day. This 
attack thus presents a serious threat to bank security.

-- Mike Bond and Piotr Zielinski, Decimalisation table attacks for PIN 
cracking, February 2003

--- snap ---

To unsubscribe, e-mail: debate-unsubscribe@lists.fitug.de
For additional commands, e-mail: debate-help@lists.fitug.de