Telecom and Logistics Associates

TLAnews: Security News Service
Publication: Christian ALT

12.1012001 Security: ATM/Credit Card System Cracked
Two post-graduate students from Cambridge University say they have cracked the personal identification number (PIN) system used by banks and credit card issuers to protect users' accounts. The students - Michael Bond and Richard Clayton - appeared on BBC TV's Newsnight program Thursday night, and say they will post their findings on the Internet to ensure that banks and financial institutions make their security systems more secure.

The students claim to have created a program that, working against IBM's 4758 series of cryptographic coprocessors - used on banking networks to verify the PIN presented in a transaction - can help extract a valid PIN from the card's 16- or 18-digit number alone.

Bond said banks rely too heavily on outdated security technology for the PIN protection systems, although he admitted that the crack could only be performed by staff operating within a bank or financial institution's computer center.

The crack relies on extracting the coprocessor's DES and 3DES keys, a process that takes under two days, after which the same calculation the bank performs - turning a card number into its PIN - can be run outside the bank's control for any card.

Summary (translated from the French)

Two students claim to have created a program that makes it possible to determine the PIN codes used on bank cards.
While most customers elect to choose their own card PINs, this is achieved only by recording the difference - known as a "PIN offset" - between the bank's original PIN and the chosen PIN on the card's magnetic stripe; the original PIN calculated by the bank remains the secret that matters.

By using the original PIN and, if appropriate, the PIN offset value, the two students claim they can draw cash from almost any user's account.
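The PIN calculation the paragraphs above describe, as an added worked example (not code from the article or from Bond and Clayton). It assumes the IBM 3624 PIN method with PIN offset, one of the PIN calculation methods documented in the CCA Basic Services Reference listed under Other links: the card number is turned into 8 bytes of validation data, encrypted under the bank's PIN derivation key (single DES or 3DES), the result is decimalized, and the first four digits are the bank's original ("natural") PIN; a customer-chosen PIN is stored on the stripe only as the digit-wise difference from that. The PAN layout, decimalization table, sample key and sample PAN are assumptions constructed for the example. The security point is that whoever holds the derivation key can run this calculation for any card number, which is why a key that leaves the coprocessor is so damaging.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Decimalization table assumed for this example: the widely used default that
// maps hex digits 0-F onto 0-9 and then 0-5 again. Real issuers pick their own.
const decimalizationTable = "0123456789012345"

// validationData builds the 8-byte block the PIN derivation key encrypts.
// Layout assumed here (issuer-defined in practice): the rightmost 12 PAN digits
// excluding the Luhn check digit, padded with hex F to 16 hex digits.
func validationData(pan string) ([]byte, error) {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1 // drop spaces and separators
	}, pan)
	if len(digits) < 13 {
		return nil, fmt.Errorf("PAN %q too short", pan)
	}
	body := digits[:len(digits)-1] // strip the check digit
	return hex.DecodeString(body[len(body)-12:] + "FFFF")
}

// newBlock accepts a single-length DES key (8 bytes) or a double-/triple-length
// 3DES key (16 or 24 bytes); a 16-byte key is used as K1,K2,K1.
func newBlock(key []byte) (cipher.Block, error) {
	switch len(key) {
	case 8:
		return des.NewCipher(key)
	case 16:
		return des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	case 24:
		return des.NewTripleDESCipher(key)
	}
	return nil, fmt.Errorf("key must be 8, 16 or 24 bytes, got %d", len(key))
}

// decimalize maps each hex nibble of the 8-byte result through the table,
// giving 16 decimal digits.
func decimalize(ct []byte) string {
	var sb strings.Builder
	for _, b := range ct {
		sb.WriteByte(decimalizationTable[b>>4])
		sb.WriteByte(decimalizationTable[b&0x0f])
	}
	return sb.String()
}

// derivePIN computes the IBM 3624 "natural" PIN: encrypt the validation data
// under the PIN derivation key, decimalize, keep the first pinLen digits.
func derivePIN(pdk, validation []byte, pinLen int) (string, error) {
	if len(validation) != 8 || pinLen < 1 || pinLen > 16 {
		return "", fmt.Errorf("validation data must be 8 bytes and PIN length 1..16")
	}
	b, err := newBlock(pdk)
	if err != nil {
		return "", err
	}
	out := make([]byte, 8)
	b.Encrypt(out, validation)
	return decimalize(out)[:pinLen], nil
}

// digitwise applies op to corresponding digits of a and b, modulo 10.
func digitwise(a, b string, op func(x, y int) int) string {
	out := make([]byte, len(a))
	for i := range a {
		x, y := int(a[i]-'0'), int(b[i]-'0')
		out[i] = byte('0' + ((op(x, y)%10)+10)%10)
	}
	return string(out)
}

// pinOffset is what the magnetic stripe stores: chosen minus natural, digit-wise.
func pinOffset(natural, chosen string) string {
	return digitwise(chosen, natural, func(x, y int) int { return x - y })
}

// customerPIN is what the verifier reconstructs: natural plus offset, digit-wise.
func customerPIN(natural, offset string) string {
	return digitwise(natural, offset, func(x, y int) int { return x + y })
}

func main() {
	// Constructed sample key and PAN: not a real issuer key or account.
	pdk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	pan := "4111 1111 1111 1111"
	vd, err := validationData(pan)
	if err != nil {
		panic(err)
	}
	natural, err := derivePIN(pdk, vd, 4)
	if err != nil {
		panic(err)
	}
	offset := pinOffset(natural, "7391")
	fmt.Printf("PAN %s: natural PIN %s, stripe offset %s, customer PIN %s\n",
		pan, natural, offset, customerPIN(natural, offset))
}
```

Run with `go run`; the program prints the natural PIN for the sample PAN, the offset that would be written to the stripe for a chosen PIN of 7391, and the reconstruction a terminal's verifier performs. Note that the offset on the stripe is worthless to an attacker without the natural PIN, and the natural PIN is worthless without the derivation key: the key is the only real secret in this design.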

Terry Gibbons, a spokesperson for Visa International, told Newsbytes that Bond and Clayton's crack is nothing new, although the relatively short time taken for the process is.

"Card issuers are moving over to smart cards, and away from the magnetic stripe technology that can be cracked given enough processing power and computer time," he said, adding that no security system - even smart cards - can ever be totally secure against fraudsters.

"Smart cards can beat this type of security problem. It takes a lot of time to beat the protection system on a smart card, but the system has been designed to be secure enough to make it not worth the criminal's while to crack it," he said.

In Europe, he added, Visa is in the final stages of working with its financial card-issuing institutions to switch their customers from magnetic stripe to smart card-based systems.

"Most (Visa) card issuers in the U.K. have moved over to smart cards, while France is almost 100 percent smart cards. The slowest countries are Germany and Turkey, mainly because of the low penetration rates that cards have in these countries," he said.

By the end of 2006, he added, all Visa card issuers in Europe should have switched over to smart card-based credit and debit cards.

A copy of Bond and Clayton's methodology has been posted on Clayton's Web pages at http://www.cl.cam.ac.uk/~rnc1/descrack/index.html .

Visa's Web site is at http://www.visa.com .


Extracting a 3DES key from an IBM 4758

Summary

The IBM 4758 is an extremely secure cryptographic co-processor. It is used by banking systems and in other security conscious applications to hold keying material. It is designed to make it impossible to extract this keying material unless you have the correct permissions and can involve others in a conspiracy.

We are able, by a mixture of sleight-of-hand and raw processing power, to persuade an IBM 4758 running IBM's ATM (cash machine) support software called the "Common Cryptographic Architecture" (CCA) to export any and all of its DES and 3DES keys to us. All we need is:

The attack can only be performed by an insider with physical access to the cryptographic co-processor, but they can act alone. The FPGA evaluation board is used as a "brute force key cracking" machine. Programming this is a reasonably straightforward task that does not require specialist hardware design knowledge. Since the board is pre-built and comes with all the necessary connectors and tools, it is entirely suitable for amateur use.

Besides being the first documented attack on the IBM 4758 to be run "in anger", we believe that this is only the second DES cracking machine in the open community that has actually been built and then used to find an unknown key!

Until IBM fix the CCA software to prevent our attack, banks are vulnerable to a dishonest branch manager whose teenager has $995 and a few hours to spend in duplicating our work.
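What the FPGA board is doing, as an added illustration in software (not Bond and Clayton's design, which is not reproduced on this page): a known-plaintext DES key search. The search space is 2^56, not 2^64, because the low bit of every DES key byte is a parity bit the cipher ignores; the example enumerates 56-bit key numbers, expands each to the 64-bit key layout with correct odd parity, trial-encrypts the known plaintext and compares with the known ciphertext. The plaintext, the secret key and the 2^16-key search window are constructed so the demo finishes in seconds; the comment at the end gives the sum for the full keyspace, which is what the board's raw processing power is for.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
	"math/bits"
)

// expandKey maps a 56-bit key number onto DES's 64-bit key layout: each key
// byte carries 7 key bits in its upper positions, and bit 0 is an odd-parity
// bit that DES ignores. A cracker therefore enumerates 2^56 values.
func expandKey(k56 uint64) []byte {
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		b := byte(k56&0x7f) << 1
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1 // set the parity bit so every byte has odd parity
		}
		key[i] = b
		k56 >>= 7
	}
	return key
}

// encryptBlock encrypts one 8-byte block with single DES (ECB, one block).
func encryptBlock(key, pt []byte) ([]byte, error) {
	c, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, pt)
	return out, nil
}

// crackDES is the cracker's core loop: trial-encrypt the known plaintext under
// every key number in [from, to) and stop at the first one that yields the
// known ciphertext. Returns the 56-bit key number and whether it was found.
func crackDES(pt, ct []byte, from, to uint64) (uint64, bool) {
	for k := from; k < to; k++ {
		got, err := encryptBlock(expandKey(k), pt)
		if err == nil && bytes.Equal(got, ct) {
			return k, true
		}
	}
	return 0, false
}

func main() {
	// Constructed demo: a known plaintext/ciphertext pair under a secret key
	// that lies inside a 2^16-key window; a real search covers all 2^56.
	pt := []byte("DEMOTEXT")
	secret := uint64(0x00ABCDEF12345) // constructed, not a real key
	ct, _ := encryptBlock(expandKey(secret), pt)
	window := uint64(1 << 16)
	from := secret &^ (window - 1)
	k, ok := crackDES(pt, ct, from, from+window)
	fmt.Printf("found=%v key=%014x correct=%v\n", ok, k, ok && k == secret)
	// Full keyspace: 2^56 trials, 2^55 on average. At 10^7 trials per second
	// this loop would need about 114 years; the FPGA's job is to raise the rate
	// by several orders of magnitude with many DES pipelines in parallel.
}
```

Each trial here rebuilds the DES key schedule, which is what makes software slow; a hardware cracker keeps dozens of pipelined DES engines busy and does the key schedule on the fly, which is why a $995 evaluation board can finish in days what this loop would not finish in a lifetime.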

Contents

What is an IBM 4758 ?
What is an FPGA ?
What are DES and 3DES ?
How the DES cracker works
Some relevant sums
How the attack works
Some real results
Who are we ?
Do It Yourself

Frequently Asked Questions

What does an IBM 4758 look like?
Who uses IBM 4758s?
Are all IBM 4758s susceptible to the attack?
What is the CCA?
Are the IBM 4758 and the CCA the same thing?
How hard is it to physically attack a IBM 4758?
I heard that the IBM 4758 is FIPS Level 4 validated. Have you broken the validation?
So what does FIPS Level 4 validation mean?
Are other cryptoprocessors susceptible as well as the IBM 4758?
What is DES?
What is Triple-DES (3DES)?
How much stronger is Triple-DES than DES?
What privileges do you need to run this attack?
What information does this attack steal from the bank?
How do PIN numbers work?
Why is PIN number theft so dangerous?
How would a bank respond if someone did this attack?
Is all banking security this bad?
So can anyone who downloads this rip off a bank?
Who could rip off a bank then?
If this attack is so dangerous, why are you telling everyone?
Where can I go to book tickets to Bermuda?

Other links

Michael Bond. "Attacks on Cryptoprocessor Transaction Sets" Proceedings of the CHES 2001 Workshop, Paris 2001. Springer Verlag LNCS 2162, pp 220-234.
Available on the web as: http://www.cl.cam.ac.uk/~mkb23/research/Attacks-on-Crypto-TS.pdf

Michael Bond & Ross Anderson. "API-Level Attacks on Embedded Systems" IEEE Computer 34(10), October 2001, pp 67-75.

"Brute force attacks on cryptographic keys" a web-based survey of results, plus an annotated bibliography concentrating on DES crackers. http://www.cl.cam.ac.uk/~rnc1/brute.html

"IBM PCI Cryptographic Coprocessor CCA Basic Services Reference and Guide for IBM 4758 Models 002 and 023 with Release 2.40", Seventh Edition, September 2001. Available from: ftp://www6.software.ibm.com/software/cryptocards/CCA_Basic_Services_Reference_240.pdf

Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: November 11, 2001.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.