Thursday, October 19, 2006

Bob Average, PowerSeller39 and Identity Theft

Today, I'll be telling you a story about Bob. If you don't want to read about Bob, skip to the "Tips for the Paranoid" section.

Bob used to be an average guy, working at an average job. He had an average girlfriend, and earned an average wage. He broke the law, on average, about as many times as any other guy on his block; when he did, it was only average, everyday stuff: jaywalking, speeding, and lying to his bank about his (sadly average) income.

Today, Bob Average became a wanted man.

DISCLAIMER: This whole story is hypothetical. It may have inconsistencies. I have done my best to keep everything within the role of the possible, but you may find a leap of logic here or there. What I'm trying to get across is a general idea, not a specific set of events. There are more variations on this scenario than I could hope to enumerate, be aware that this is a very specific example of a very general problem.

Also, be aware that this is COPYRIGHTED MATERIAL. You are welcome to link to, excerpt, criticise, or otherwise deal with this article in any manner permitted by fair use, but you may not re-distribute it, create derivative works from it, or otherwise profit from it without my written permission. Keep it here, where I can maintain, update and correct it, and keep all of the discussion (if it ever occurs) in one place. Thanks, and enjoy.

How does an average guy like Bob become wanted? It's surprisingly easy, and you can accomplish the same in only a few simple steps. Bob started out by buying a CD player off a guy on eBay. The vendor had a reasonable eSeller rating (or whatever they call it), and so Bob felt comfortable buying from him. What Bob DIDN'T feel comfortable doing was using his credit card online, and so he elected to pay using direct deposit (ACH transfer, pay anyone, direct entry...) from his bank account. He signed on to his internet banking, made the transfer ($39, if you're interested) to PowerSeller39's account, and signed off again.

Bob felt quite comfortable doing this, because his computer is surprisingly secure, for an average computer user. This is because his brother, who lives just up the road, works as a security consultant, protecting end-user computers from viruses, trojans and root-kits. He knows exactly what he's doing, and Bob's computer is VERY safe.

Anyway, Bob sent off a quick email to PowerSeller39 telling him where to deliver the product, and sat back to await his new CD player.

Two days later, Bob's bank receives a phone call. The caller states that he's just moving house, and he'd like to change his address. He gives Bob's bank account number, but can't remember his phone-banking password. When the phone operator asks him his current mailing address, he rattles it off like he lives there. The phone operator isn't satisfied yet, however, and asks for his date of birth, and a recent transaction. These details match up as well, and the caller gives the new mailing address and asks for a new statement to be sent out. Three hours later, the same caller speaks with a different operator, and asks to open a new linked savings account, with card access. Two calls on the same day, doing three different things, trips the bank's security alert level, and the operator asks for the name of Bob's dog, and his mother's maiden name. The caller rattles these off, and the new card is dispatched. The operator is able to give the caller the new account number on the spot. Isn't it amazing how convenient it is to deal with the bank these days? The caller asks for a nice high daily limit on the account. The operator tells him it's a risk, but the caller says he isn't too concerned.

You've already guessed that the caller isn't Bob. But how does he know so much about Bob? How could he know his mother's maiden name? How did he know his account number, or which bank he uses?

Let's start with his banking details. Just how much does Bob reveal when he sends a deposit to PowerSeller39? Well, if PowerSeller39 is prepared to pay a small search fee, his bank will happily help him identify the source of the $39 payment. After all, PowerSeller39 is only trying to keep his customer happy; he's had several people win auctions, and he can't tell from the usual information which one has actually paid (and so should receive the goods). After a brief wait, PowerSeller39 scribbles down the account details. After picking up the email Bob sent him containing his mailing address, PowerSeller39 now has the following information about Bob:
eBay Username: BobAvg
Bank BSB: xxx-xxx
Account number: yyyyyyyyy
Full Account Name: Bob J Average
Email Address: bobjaverage@serviceprovider.com
Full Mailing Address: 22 Average St, Averagetown CA
Recent Transaction: $39

PowerSeller39 makes a quick call to another bank, with a question. He's been given payment details for an online purchase, but thinks it might be a scam. He just wants to make sure that the BSB he's got matches a branch near the merchant's online address. After being transferred once or twice, he finds someone to look the information up for him, and is told that the BSB is, in fact, for Bank X, and is given the branch address. A quick visit to BankX.com reveals a customer service phone number, which is added to the dossier.

PowerSeller39 next turns to Google in his information search. He quickly finds that there are quite a few people out there blogging under the name "Bob Average", but only six list their location as "CA, USA". Four of them list their middle names, but none of them start with 'J'. Of the remaining two, one is a sound engineer who blogs regularly about his latest piece of expensive hi-tech sound gear. That one definitely isn't buying a $39 CD player from eBay. PowerSeller39's confidence is boosted further when he sees that Bob's latest entry talks about the CD player he's just bought off eBay.

At this point, PowerSeller39 takes a break from his sleuthing to run down to the post office and send off the CD player he picked up from a local pawn shop for $25. After all, he has to protect his eBay Seller Rating.

Afterwards, reading through Bob's blog, PowerSeller39 writes down a list of interesting information about Bob. Bob has written about all sorts of things. His girlfriend, his pet dog, his car (a 1990 Toyota Camry), his family (he has a brother, Joe, and his parents' names are Kim and Max). He saves a couple of photos which Bob has posted over the last few months. The most interesting one proudly shows off Bob's girlfriend, his car, and his licence plate number. Bob's profile mentions his birth date (no year), and he mentions proudly that he was lucky enough to be given a nice set of whiskey glasses for his 21st last year.

Okay, smarty. That explains everything but his mother's maiden name. How could he know that?

Well, Bob's blog mentions that he heads off to Normalville, TX at least once a year to visit his grandparents. PowerSeller39 has a quick look through some on-line Texan county marriage records, figuring that Bob's parents probably got married near where THEIR parents lived. He quickly discovers that in 1971, Kim Usual married Max Average. PowerSeller39 got lucky with this one; it can sometimes take HOURS to find maiden names through marriage records. County birth records confirm Bob's date of birth.

With all these details, PowerSeller39 makes his calls to the bank.

But why, do you ask, did he go to the effort of changing Bob's address? Why get a new account and card? Well, you see, Bob isn't PowerSeller39's ONLY victim. PowerSeller39 has short-term access to dozens of people's accounts; instead of opening new accounts on these, he resets their web-banking passwords. Sure, the account's owners will notice in a few days that they can't log in, and call the bank to find out why. How often do you log in to internet banking, though? Often enough to catch PowerSeller39 within a day or two? Chances are, plenty of people won't catch the breach in time. Remember, PowerSeller39 can collect many sets of details over time, and make all the calls on the one day. He transfers a great deal of money from his numerous victims (some of which he's gotten with the above method, others through phishing, and yet others by simply stealing wallets) into Bob's new account. When Bob's new card arrives a few days later (most likely to a house whose owners have gone on holiday), PowerSeller39 picks it up, activates it, and pulls lots of cash from it. He's probably set up several of these 'mule' accounts to move cash into, and then pull it out of ATMs. All PowerSeller39 has to hope is that Bob won't notice a new account being opened under his name.

Of course, when the police begin investigating all of the theft complaints, they will notice that all of this stolen money was transferred to Bob's account. If Bob's really unlucky, PowerSeller39 will be in the local area, so the ATM withdrawal locations won't prove that it wasn't Bob. Hopefully the ATM photos will help, but PowerSeller39 went around late at night wearing a mask. Hopefully Bob has a very different body shape to PowerSeller39. Phone records are of little help, because our perpetrator used public phone booths.

Two or three days later, PowerSeller39 sends Bob an email asking if he got the CD player, and why he hasn't left feedback. Bob is busy explaining to the police that he hadn't opened any new accounts recently, and he definitely hadn't transferred money from other people's accounts into his, nor had he made those ATM withdrawals. In spite of this, he does manage to fit in a few minutes to leave positive feedback for PowerSeller39. The CD player had, after all, arrived quickly and easily, and PowerSeller39 had been easy to deal with.

So, moral of the story. What did Bob do wrong? Well, probably nothing. He did have a blog with some personal information. He left some links which could be followed between his financial dealings and his personal life. But really, he didn't do anything wrong. He was victimised by somebody who was prepared to do a lot of research. If somebody like this is really out to get you, there probably isn't a lot you can do about it. That said, here are some tips for the paranoid (I follow every one of these tips myself).

1. Have a separate account for transferring money to strangers. Never send payments to strangers from an account which you operate regularly. Even better, get yourself a stored value card with access to your national ACH/DE/whatever scheme. Many countries now have low-value SVCs with this feature, and you often won't even need to identify yourself.

2. Check with your financial institution about how they identify you over the phone. If you aren't satisfied, move your accounts somewhere else. Look for a bank which allows you to write your own security questions. If you are stuck using your mother's maiden name and your favourite pet, lie. Make up stuff that you can remember, but that nobody else will be able to research.

3. Avoid links between your online 'financial' self and your online 'personal' self. Think like an attacker. Don't let somebody you deal with on eBay find out your real name. If your bank allows you to choose the "Originating Account Name" when you do a transfer, make use of this feature and send your eBay ID. Make sure you don't choose an eBay name which could be linked to your blog.

4. Keep your anti-virus/anti-malware/anti-rootkit/anti-STD/whatever protection up to date. Run scans regularly. Bob in our story wasn't hit by a password-stealing trojan, but there are plenty of them out there.

5. Practice Safe Hex. Don't download things from untrusted sites. Don't trust sites which display lots of porn ads. Never click "yes" OR "no" on a browser popup if you can avoid it (close the window with the 'X' where possible). Never install browser plugins suggested by a site (download the plugin directly from the manufacturer, if you must download it at all; don't just click "Yes, install this plugin automatically for me"). There are plenty of sites out there that will give you more tips along these lines.

6. Don't use Internet Explorer. It's got huge market share, and is the current "low-hanging fruit" for hackers. Think carefully about using Firefox, because it's number two. Even if you do use one of the above, keep all of your patches up to date.

7. Back to your bank; if it offers email notifications of things like payments to new accounts, change of details, etc., sign up for this service. Get these notifications sent straight to your email-enabled mobile phone, if possible.

8. Get yourself a low-limit (or even better, debit) Visa or Mastercard for use on the internet. Even if you do get hit, it won't be for much. Credit cards have much better consumer protection than debit cards, anyway, so use them whenever possible, even when a direct deposit or similar is also an option. If you have a major credit card, you will often get additional benefits like extended warranties on electronic goods. Familiarise yourself with your card issuer's chargeback procedures, and check your account regularly for any unauthorised transactions.

9. Think about the points I've made in here, and come up with ideas of your own about what you can do to protect yourself. Then post your ideas as comments here, and we can generate some discussion.

Yours Curiously,

Kuurnaal.

Tuesday, September 26, 2006

On Debit Cards

What follows is a technical spiel on debit cards. Not financial networks, not mag stripe technology, not encryption, not ATMs. The cards themselves. Even more specifically, the data on them. Keep in mind there are many standards out there, many different networks. A file dealing with them all would be massive. This is the tale of a Maestro/Cirrus debit card...

This is a brain dump. I've produced it in a couple of hours. There may be a handful of errors and probably plenty of omissions. I certainly haven't edited it carefully. This file is for the curious among you. Don't use it for bad stuff. You will get caught. You will end up with a guilty conscience. You will... Whatever. It isn't up to me to threaten you. This is for the curious, and if you're looking for a fraud how-to, you'll be disappointed. Read and learn.

There are a few security tips you might be interested in throughout. There is certainly plenty of interesting information (at least, I think so). Read on, enjoy, and discuss. PLEASE DISCUSS. I will try to answer your questions, and you might be able to answer mine. Or correct me. Or add to this... Whatever.

Oh, yeah. I should give you this spiel.

PLEASE don't re-publish this. Let me hang onto control of it. I shall always do my best to keep it online. Keep yourself a private copy if you wish, but much of the value here will be the discussion afterwards (if people read it, and bother). I shall attempt to make corrections where necessary, and answer questions. If you are reading this anywhere other than http://kuurnaal.blogspot.com then you should go there to read it.

I do maintain COPYRIGHT over all my work. You may not re-publish it, earn an income from it, or create derivative works from it (or anything else) without my express, in-writing permission. I don't do this to restrict the information; if I wanted to do that, I wouldn't have published it in the first place. I do this to maintain the integrity of the information and keep it up to date. IANAL; this is not all-encompassing. If you're not sure, ask me first. You may exercise all the usual fair-use rights; critique, quote (brief) excerpts, make fun of, and link to this as you wish. Please link to it. Get the information out there; that's your job here. Maintaining the information, publishing, informing, answering questions... that's my job. You do yours, and I'll do mine. Okay? Here you go then.

*****

I've been hunting around the 'net looking for information on mag stripe formats, as commonly used in debit cards. I work in the debit card industry, and so have access to a fair amount of industry-specific information on actual data formats. What I was after, however, was information on reading and encoding hardware for some specific projects I've been working on. While I was poking around, I noticed there was a substantial amount of curiosity regarding the information actually stored on debit cards, and rather a dearth of information. So, here goes.

This information is specific information I have access to regarding the data we put on our cards. However, these cards are Maestro/Cirrus compliant cards, and so this information should apply to a broad range of cards which access the international M/C (most ATMs and EFTPOS terminals worldwide) network.

Just briefly: M/C is Maestro/Cirrus. M/C is a brand (and compliance program, and financial network) owned and operated by MasterCard (MC, without the slash).

Now, the important stuff is on Track 2 (ISO format magnetic stripe cards have 3 tracks; track 2 is the numeric-only one that ATMs and EFTPOS terminals actually read). The data consists of a start sentinel (';' character), followed by the card number (usually 16 digits, although ISO 7813 allows up to 19), followed by an equals sign ('=') acting as field separator, followed by a chunk of numeric data, followed by an end sentinel ('?'). There is also a one-character LRC after the end sentinel, which most readers strip before handing you the data. Thus, if you swiped your M/C card (look on your bank card for the Maestro and/or Cirrus logos) through a track 2 card reader, you should see data like this:
;BBBBBBCCCCCCCCCN=XXXXXXXXXXXXXXXXXXX?

BBBBBBCCCCCCCCCN is your card number. The six-digit BBBBBB is referred to as the 'BIN'. This is a routing number which allows the M/C network to get the transaction to the Issuing Bank for processing. The nine digits marked 'C' are your actual card number, and the final digit 'N' is the check digit (calculated from the rest of the card number).

Let's look at the BIN for a minute. This can tell you a surprising amount of information about the card. The first digit is a loose 'Industry Code' (ISO/IEC 7812 calls it the Major Industry Identifier, or MII). It isn't enforced, but is more a guideline which MC follows when issuing BINs to FIs (Financial Institutions).
0 - Reserved / For future assignment
1 - Airlines
2 - Airlines and future assignment
3 - Travel and entertainment
4/5 - Banking and Financial
6 - Merchandising and banking
7 - Petroleum
8 - Telecommunications and future assignment
9 - For assignment by national standards bodies (9 followed by 3-digit country code from ISO 3166)

I believe this list is used for assigning BINs in general, outside of the M/C network, so you will probably find that it applies to a wide range of cards you have.

There are a few 2-digit reservations as well. Of interest:
59 - National only. Numbers beginning with 59 are for local routing on a national system, and will not be routed internationally. If your card starts with this, you cannot use it overseas.

Okay, now for the card number itself. It is generally up to 10 digits after the BIN (up to 12 in the rare cases where an issuer has a BIN shorter than 6 digits), and the last of these digits is the check digit. The check digit is calculated over ALL the preceding digits of the card number, BIN included, using the Luhn formula:
1. Working on the number without its check digit, double the value of every second digit, starting with the right-most digit, followed by the 3rd-right-most, and so on. You will get some double-digit values.
2. Take each digit from these doubled values and add them up (if an original digit was, for example, 7, you will get a doubled value of 14, so 1+4=5; equivalently, subtract 9 from any doubled value over 9). Add to this the sum of the unaffected original digits (the ones you didn't double).
3. Subtract this total from the next highest number ending in 0 to get the check digit (if your total was 66, subtract 66 from 70 and the check digit is 4). If the total ended in 0, your check digit is 0.
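Here is the above procedure in code, as an added example (mine, not the original post's): one function generates the check digit for a card number that doesn't have one yet, and a second verifies a complete number. The PANs used to exercise it are the standard published test numbers, not real cards.

```python
"""Luhn check digit: generate and verify, following the three steps above."""


def luhn_check_digit(payload: str) -> str:
    """Return the check digit for a string of digits that has none yet.

    Doubling starts at the rightmost payload digit: once the check digit is
    appended, that digit becomes the second from the right, which is what
    makes verification of the finished number work.
    """
    if not payload.isdigit():
        raise ValueError("payload must be decimal digits")
    total = 0
    # index 0 is the rightmost payload digit, index 1 the next one left, ...
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # step 1: every second digit, rightmost first
            d *= 2
            if d > 9:           # step 2: 14 -> 1 + 4 = 5, i.e. subtract 9
                d -= 9
        total += d
    # step 3: distance to the next multiple of 10 (0 if already a multiple)
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is the correct Luhn check digit."""
    if len(number) < 2 or not number.isdigit():
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


if __name__ == "__main__":
    # Constructed inputs: a well-known Luhn example and the 4111... test PAN.
    print("7992739871 ->", luhn_check_digit("7992739871"))      # 3
    print("4111111111111111 valid:", luhn_valid("4111111111111111"))
    print("4111111111111112 valid:", luhn_valid("4111111111111112"))
```

The `d -= 9` shortcut is the same thing as adding the two digits of the doubled value, since 10 + x has digit sum 1 + x = (10 + x) - 9.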

So what about that big chunk of data labelled 'X'? That's where it gets interesting.

The first four digits are your expiry date, in 'YYMM' format.

The next digit is the Interchange Designator (ISO 7813 treats it as the first digit of a single 3-digit service code; the two digits I describe next are the other two). A value of 1 indicates availability for International Interchange. A value of 5 indicates availability only in the country of issue, although this may be overridden in some cases. A value of 7 indicates availability for private interchange only (again, with some exceptions) and a value of 9 indicates that the card is a test card only. (Chip-capable cards use 2 and 6 in place of 1 and 5, telling the terminal to use the chip where it can.)

Following this is a 2-digit Service Code (this service code is nationally controlled, so the following information may not be accurate for all countries).

The first digit indicates the Authorisation Processing available. This is interesting, because it indicates whether offline transactions are allowed. A value of 0 indicates normal processing (merchant-dependent), while a value of 2 indicates that authorisation must go online to the card issuer (no off-line transactions, in theory, although many acquirers ignore this restriction in practice). A value of 4 indicates that off-line transactions may only occur in special circumstances (under a bilateral agreement).

A brief note: by 'off-line', I mean that the transaction is not approved on-the-spot by the card issuer. The merchant, the transaction acquirer (the bank who provides the merchant facility), or someone else in between approves the transaction, usually only for low amounts, and the transaction will be routed to the card issuer later.

The second digit of the service code can place certain restrictions on the card. I have listed the available values below.
0 - No restrictions, PIN required
1 - No restrictions
2 - Goods and services only
3 - ATM only, PIN required
4 - Cash only
5 - Goods and services only, PIN required
6 - No restrictions, prompt for PIN if PIN terminal available
7 - Goods and services only, prompt for PIN if PIN terminal available

The remainder of the card data (up to the end sentinel, '?') relates to the PIN, and this is where things get complicated. If you've been struggling up to this point, stop. Take a break. Read it again. Try to find a card reader and swipe some of your cards through it, and check to see whether it varies anywhere. It might, as there are a lot of different standards out there, lots of different financial networks. Digest. Percolate. Come back later.

Refreshed? Good.

There are a number of schemes for storing the actual PIN data on a card. The one I'm describing here is the VISA PVV (Pin Verification Value) scheme. There are others.

After the service code is the PVKI. The PVK Indicator. The PIN Verification Key Indicator. The Personal Identification Number Verification Key Indicator.

See? I told you to take a break.

This is a number between 0 and 6. The PVK (Pin Verification Key) is an encryption key which your card issuer keeps VERY secret (or at least SHOULD keep very secret). However, because they DON'T always keep them secret enough, they rotate them, and cancel the old ones. When they issue a card, they use one of their current keys, and this number lets them keep track of which one they used for this card.

Then we get four digits. Four measly little digits. You're a privacy nut with a 12-digit PIN? Doesn't matter. Four digits. This number is your PVV, or PIN Verification Value. Yes, another compound acronym.
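Putting the whole layout together, here is a track 2 decoder, added by me as an example rather than taken from the post. It assumes the split of the 3-digit service code into the interchange digit plus the two service digits as described above, assumes the discretionary data is laid out as PVKI followed by PVV (that part is issuer-specific, as the post says), and assumes a two-digit year means 20xx. The sample string is constructed around the well-known 4111... test PAN.

```python
"""Track 2 decoder for the layout described in the post (added example)."""
import re

# ISO 7813 track 2: ';' PAN (up to 19 digits) '=' YYMM, 3-digit service
# code, discretionary data, '?'. The trailing LRC is assumed already stripped.
TRACK2_RE = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})(\d*)\?$")

MII = {  # first digit of the BIN: Major Industry Identifier
    "0": "Reserved / future assignment", "1": "Airlines",
    "2": "Airlines and future assignment", "3": "Travel and entertainment",
    "4": "Banking and financial", "5": "Banking and financial",
    "6": "Merchandising and banking", "7": "Petroleum",
    "8": "Telecommunications and future assignment",
    "9": "National standards bodies",
}
INTERCHANGE = {"1": "international", "5": "national only",
               "7": "private interchange only", "9": "test card"}
AUTHORISATION = {"0": "normal (merchant-dependent, offline allowed)",
                 "2": "online to issuer only",
                 "4": "online, offline only in special circumstances"}
RESTRICTIONS = {
    "0": "no restrictions, PIN required", "1": "no restrictions",
    "2": "goods and services only", "3": "ATM only, PIN required",
    "4": "cash only", "5": "goods and services only, PIN required",
    "6": "no restrictions, prompt for PIN if PIN terminal available",
    "7": "goods and services only, prompt for PIN if PIN terminal available",
}


def luhn_valid(number: str) -> bool:
    """Luhn check over the whole PAN, including its final check digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit left of the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> dict:
    """Split a track 2 string into its named fields, rejecting malformed input."""
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a well-formed track 2 string")
    pan, expiry, service, disc = m.groups()
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    yy, mm = int(expiry[:2]), int(expiry[2:])
    if not 1 <= mm <= 12:
        raise ValueError("bad expiry month")
    return {
        "pan": pan,
        "bin": pan[:6],
        "industry": MII.get(pan[0], "unknown"),
        "account": pan[6:-1],
        "check_digit": pan[-1],
        "expiry": (2000 + yy, mm),     # ASSUMPTION: YY means 20YY
        "interchange": INTERCHANGE.get(service[0], f"unknown ({service[0]})"),
        "authorisation": AUTHORISATION.get(service[1], f"unknown ({service[1]})"),
        "restrictions": RESTRICTIONS.get(service[2], f"unknown ({service[2]})"),
        # ASSUMPTION: discretionary data is PVKI (1 digit) then PVV (4 digits),
        # the layout the post describes; other issuers lay it out differently.
        "pvki": disc[:1] or None,
        "pvv": disc[1:5] if len(disc) >= 5 else None,
    }


# Constructed sample: 4111... test PAN, expiry Dec 2009, service code 120,
# PVKI 1, PVV 5678. Not a real card.
SAMPLE = ";4111111111111111=091212015678?"

if __name__ == "__main__":
    for key, value in parse_track2(SAMPLE).items():
        print(f"{key:14} {value}")
```

The Luhn check is there for the same reason an ATM does it: a swipe with a bad check digit is a misread (or a badly encoded card), and it is cheaper to reject it before anything goes online.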

So, what I foresee is absolute stackloads of comments a la:
1. Plz xplane how do I get the PIN from this number, I lost my PIN and my baby daughter cant get mlik coz I lost my PIN.
2. I am diplomat from forin govment with acess to big bank acount. Is overbil on govment acount. If you being trustworthy businesman can help with changing PIN (make new PVV?) is can give you comission. We are being legal and this is ok in my cuntry. Plz respond asap.

These things are just not feasible. Don't ask. Even if I knew how to, I wouldn't be letting on. It would be the ultimate 0-day... I could make cards to access any bank account I wanted. Heh. Keep dreaming, you little wannabe crims.

So, let's take a good look at the components used to generate the PVV.
1. PIN. If the PIN the user enters at a terminal matches the PIN used to generate the PVV, the PIN check is valid.
2. The rightmost 11 digits of the card number, excluding the check digit. The astute reader will note that on a 16-digit card this includes PART OF the BIN. Together with the one-digit PVKI (so the bank knows which key to verify against) and the leftmost four digits of the PIN, this makes up a 16-digit input block.
3. The PVK being used to generate this PVV.

These values are run through a one-way scheme to generate the PVV: the 16-digit input block (card digits, PVKI, PIN digits) is enciphered with triple DES under the PVK, and the 16 hex digits that come out are 'decimalised' by taking the first four decimal digits in order (falling back to the hex letters A-F, read as 0-5, if there are fewer than four). The PIN must obviously be a part of it. The PVK is there to ensure security of a card issuer's card base (otherwise anyone could generate this PVV, and thus make a card to access any account in the system). The reason the card number is used is a little more interesting, and not so obvious.

Historically, the card number wasn't used. The PVV (or historical equivalent) was based off a key, and the PIN. The problem? People copied the PVV from THEIR CARD (to which they knew the PIN) over the top of SOMEONE ELSE'S card. Presto. A card which links up to somebody else's account, using your PIN. Game over.

This was a major problem in England and the US in the early days of debit cards.

Okay, so what can we do with this PVV? Pretty much bugger all. The PVK introduces plenty of entropy into the scheme, so don't bother taking your card along to an ATM, changing the PIN a few times, and comparing your PIN and resulting PVV. You won't find a pattern. The card number prevents the above-mentioned exploit. Recovering the key (a double-length DES key) is computationally too intensive for anybody who has to ask about it (I don't care HOW big your botnet is); don't ask. Please.

Okay, I can see the cogs turning. What you do, then, is rotate the PVV on the card, trying all possible PVVs until you match a PIN. Sure, genius. Sit there in front of an ATM with a card reader re-encoding the card until the PIN you're trying works. Except that the account you're trying to access will be blocked after 3 incorrect PIN attempts. So no, this doesn't help you either. Next step? Well, you know how to generate the Luhn check value on card numbers. Pick a fixed PVV, pick a PIN (or two) to try, walk through the valid card numbers in a system until you get a match. Wrong again. Unless you're ATM hopping like crazy, the cops will turn up and arrest you AND your card encoder.

The long and short of debit card fraud is: Don't. Don't bother. Don't risk it. 'Cause it Don't Work. If all you were after is a fraud how-to, thanks for coming. I'm glad I wasted your time. This file is about the search for knowledge.

Speaking of knowledge, here's an interesting little tid-bit about this whole scheme. Your PIN is probably NOT the only one which can access your card. The PVV is 4 digits and so is the (usual) PIN that generates it, but the mapping between them is not 1-1: the decimalisation step squashes 64 bits of cipher output down to 4 digits, so it behaves like a random function, and several PINs will quite often land on the same PVV. Any of these PINs can be used to access the account. This is not just a theoretical possibility; I have had the opportunity to test it on a live card, and seen two different PINs access the same card account.

Further from that, if you have selected a PIN longer than 4 digits, you may not have made it any harder for somebody to guess your PIN. Why? In the standard Visa PVV method only the leftmost four digits of the PIN go into the calculation at all, so under that method a 12-digit PIN is verified exactly as its first four digits would be; the trailing digits are never checked. Even in a variant that feeds the whole PIN in, there's a pretty damn good chance that some 4-digit PIN generates the same PVV as your 12-digit one. With 10000 possible 4-digit PINs landing 'randomly' on 10000 possible PVVs, about a third of the PVVs (roughly 1/e of them) are not reachable from any 4-digit PIN, and the rest are reached by one or more. A longer PIN that happens to land on one of the unreachable PVVs will almost certainly be reachable from some 5-digit PIN, and the chance of needing 6 digits is negligible. So there's no point having more than 5 digits from a PIN-guessing point of view.
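To make the PVV construction and the PIN-collision claims above concrete, here is a toy model I have added (it is not the post's code and not a bank's). It follows the real input block layout and the real decimalisation rule, but in place of triple DES under the PVK it uses HMAC-SHA256 truncated to 16 hex digits, purely so it runs with the standard library; the PAN and PVK are constructed sample values. Because the model has the key, it can do what an attacker without the key cannot: enumerate every 4-digit PIN and see which ones verify, and count how many PVVs the 4-digit PINs can reach at all.

```python
"""Toy model of the Visa PVV scheme (added example, not the post's code)."""
import hashlib
import hmac


def decimalise(hex16: str, n: int = 4) -> str:
    """Visa-style decimalisation of a 16-hex-digit cipher output: take the
    first n decimal digits in order; if there are fewer than n, continue with
    the hex letters in order, mapped A..F -> 0..5."""
    digits = [c for c in hex16 if c.isdigit()]
    if len(digits) < n:
        digits += [str("ABCDEF".index(c)) for c in hex16 if c in "ABCDEF"]
    return "".join(digits[:n])


def tsp(pan: str, pvki: str, pin: str) -> str:
    """The 16-digit input block: rightmost 11 PAN digits excluding the check
    digit, the one-digit PVKI, and the leftmost four PIN digits."""
    return pan[:-1][-11:] + pvki + pin[:4]


def pvv(pan: str, pvki: str, pin: str, pvk: bytes) -> str:
    # STAND-IN: the real scheme enciphers the block with two-key triple DES
    # under the PVK. HMAC-SHA256 cut to 16 hex digits plays that role here so
    # the example runs offline; the structure around it is the real one.
    block = hmac.new(pvk, tsp(pan, pvki, pin).encode(), hashlib.sha256)
    return decimalise(block.hexdigest().upper()[:16])


def pins_matching(pan: str, pvki: str, target_pvv: str, pvk: bytes) -> list:
    """Every 4-digit PIN that verifies against target_pvv (needs the PVK)."""
    return [f"{p:04d}" for p in range(10000)
            if pvv(pan, pvki, f"{p:04d}", pvk) == target_pvv]


def reachable_pvvs(pan: str, pvki: str, pvk: bytes) -> int:
    """How many distinct PVVs the 10000 four-digit PINs land on."""
    return len({pvv(pan, pvki, f"{p:04d}", pvk) for p in range(10000)})


# Constructed sample values: test PAN, PVKI 1, a made-up double-length key.
PAN, PVKI = "4111111111111111", "1"
PVK = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")

if __name__ == "__main__":
    v = pvv(PAN, PVKI, "1234", PVK)
    print("PVV for PIN 1234:", v)
    print("PVV for PIN 123456 (same first four digits):",
          pvv(PAN, PVKI, "123456", PVK))
    print("4-digit PINs that verify:", pins_matching(PAN, PVKI, v, PVK))
    print("PVVs reachable from 4-digit PINs:",
          reachable_pvvs(PAN, PVKI, PVK), "of 10000")
```

Run it and you will see the reachable count sit around 6300, i.e. roughly 1 - 1/e of the 10000 possible PVVs, and the 6-digit PIN verify identically to its first four digits. Swap the stand-in for real 3DES and a real PVK and the numbers behave the same way; the point of the PVK is that nobody outside the issuer's HSM can run this enumeration.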

Of course, if somebody is looking over your shoulder, it's gonna be harder for them to see and remember 12 digits than 4, so there is some real benefit. Given my above point about how hard it is to mess with PVVs and PINs, you're almost infinitely more likely to be a victim of some variation of shoulder-surfing than a sophisticated PIN-PVV-Encryption attack, so by all means, go for the longer PIN.

Okay, that just about wraps up the card data. Card number, expiry, interchange, service code, PVKI, PVV. Not that complicated after all, is it?

Now, if this whole PVK-PVV thing is so secure, why do we keep hearing about debit card fraud? Should I be concerned? Is my cash better off under my pillow?

Well, there's plenty of info out there about this already, and it doesn't need rehashing. If you take the above to be mostly correct, though, you might think I'm some kinda experty-type and want my opinion anyway. If you don't, stop reading. If you do, here it is, in short (well, short-ish, maybe). I'll be sticking to card-based stuff; there are plenty of other threats to your electronic cash I won't go into here.

I'll repeat that. DON'T bitch and moan that I left out phishing attacks and 419 scams. I don't care. I'm sticking to card-based attacks, and if you're dumb enough to give out your card number and PIN to some random email guy (or even to your bank; they don't need your PIN for ANYTHING), that's an IQ attack, not a card attack. Plus, this is my file. I write about whatever I want to.

Types of attacks against YOUR debit card:
1. PVK of your FI (remember, Financial Institution) is leaked, somebody generates a valid PVV.
2. Somebody gets hold of your track 2 data and shoulder-surfs your PIN.
3. Somebody snoops on the data sent out by the EFT terminal/ATM and manages to get both the PIN you entered and your track 2 data.
4. An employee of your card issuer has access to enough parts of the system to create a working card.
5. Some guy holds a knife to your throat and makes you pull cash out of your account using your debit card.

Attack 1. Quite possible, happens all the time to smaller card issuers. They don't have the right security policies in place to safeguard their PVKs properly. It even happens to huge banks from time to time, through policy deficiencies or concerted attacks. There is absolutely nothing you can do to protect yourself from this; however, the likelihood that YOUR card issuer is affected is low. Your card uses one of the 7 available PVKIs, but that doesn't help you: the PVKI just tells the bank which key to verify with, so every card issued under the leaked key is exposed. What does help is that there are absolutely loads of cards in your issuer's system, so even if your issuer is affected, you probably shan't luck out and have YOUR account compromised.

Attack 2. This happens all the time. Most minor breaches are of this sort. Watch out for funny-looking attachments on the card slot of an ATM. Cover the PIN pad VERY well as you enter your PIN. Look out for anything camera-looking which points at the PIN pad (the ATM security camera should be interested in your face, not your fingers). There is a variant to this; there exists a device (often called a 'Lebanese loop') which will allow you to put your card into the ATM, but will prevent the ATM from ejecting your card. The thief watches you complete your transaction, notes your PIN, and then waits for you to walk away in disgust, thinking the ATM has swallowed your card. He then removes the device, hopes the ATM decides to eject your card now (and hasn't just given up and swallowed it for good), and drains your account. IF AN ATM EVER SWALLOWS YOUR CARD, CALL YOUR CARD ISSUER IMMEDIATELY AND HAVE THE CARD CANCELLED. Do not pass go, do not collect $200, do NOT go have lunch. Cancel the card while you're standing in front of the ATM. Use your mobile, use a payphone, whatever. Your next best option is to stand there for a couple of minutes looking unobtrusive and make sure nobody comes up to collect your hard-earned dosh.

Attack 3. Also worryingly common. Most at risk are franchised chains, because they have a big infrastructure with many stores and a complicated network, but individual franchisees don't have the funds to deal with security properly. They have cheap, under-scrutinised systems passing your transaction at the counter through to a back-end server. This server collates the transactions and passes them through to head office, who has a great bulk-processing deal to get cheap transactions, which you wouldn't get if the bank ran each of your terminals at each site. Sadly, and all too often, PINs are passed in the clear, easily related to the track 2 data of that transaction. (A properly configured terminal encrypts the PIN block inside the PIN pad itself, so the PIN should never be visible to any of this back-end kit; 'properly configured' is doing a lot of work in that sentence.) Log files are kept on low-security servers. Somebody, somewhere, sees all this data, and helps themselves. What can you do? Keep an eye on your bank balance, and keep your fingers crossed.

Attack 4. I find myself close to this scenario. Hey, somebody has to run the servers which run the encryption which runs the debit card platform, and if that guy's too good, he works out how to generate cards for himself as well as for the customers. Then again, if he's not good enough, he misses a security issue and some other bad guy does it anyway. Sure, PINs and physical cards are meant to be separated, generated and mailed separately through separate systems, so that no one person ever sees both. Who makes sure they're really separate? How good are your bank's policies? Again, watch your balance. Not much you can do.

Attack 5. Mundane, low-tech, but also, depending on where you live, the greatest risk you face when accessing your money with a card. Doesn't really belong here, but hey, I'm the author, you're my reader. Siddown, shuddup, and listen. Don't use your card in a poorly-lit back alley late at night when there are three dodgy-looking fellas leaning on a nearby dumpster (skip, whatever you want to call it) adjusting their weapons-belts. Look for good, well-lit, not-too-quiet ATMs. Have a good look around BEFORE you walk up to one (not after you've wandered up to it and the bad guy knows you have a card you expect to pull cash off). Don't stand there like a dumb-ass, carefully counting your bills and paying no attention to your surroundings. Be alert. The world needs more lerts.

Attack 6. Yeah, I know. I said there were 5. Actually, there are plenty more, including all sorts of variants of the above, and I think this one's worth mentioning. Fake ATMs. Yes, ladies and gentlemen, that ATM you stick your card in might not be owned by a bank. It could be owned by the Bad Guys (tm). There have been real scams of this sort, in which the ATM quietly recorded PIN and track 2 data for every card put through it. Often the ATM will function normally for quite some time, without any sign of bad behaviour: you walk up, enter your PIN, get your cash. Then, after the ATM has been out there long enough, its owner takes all the data he's collected, writes it to blank cards, and starts walking up to ATMs all over the place and withdrawing money. The machine is abandoned (the fraud WILL be traced back to it), but he's covered the cost of the ATM with his first dozen or so cards, and he probably got hundreds of accounts per machine. What can you do? This leads me nicely into my GENERAL ATM CAUTION.

You know those dodgy little ATMs in the back of convenience stores? The ones you don't insert your card into at all, but just swipe through a reader? Don't use them. They aren't bank-owned. They're owned by companies which place these ATMs out there, have all the transactions sent back to their own head office, and sell the transactions on to the banks. They provided a service to the card issuer's customer, so the card issuer pays them a fee. Why should you use them?

Answer me this. Why does the company do this? To provide a service to cardholders? Nope. To make money. To make the most money, they want nice cheap machines, so they get a good ROI. They want cheap links back to head office. They want cheap servers to do the collating and send the transactions to the banks. Keeping costs down also keeps security down. So, in addition to being open to attack 6 (a dodgy machine, which is MUCH less likely with a real bank ATM, like the ones on the walls at branches or the proper bank-branded ones in shopping centres / malls / whatever), you also open yourself up to attack 3. How good are the security policies of the company which placed the ATM? Are these cheap ATMs up to the same standard as the ones the banks shell out for? If the banks are after a profit, just like everyone else, why do they pay for the more expensive ATMs if the cheap ones are good enough?
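Since attacks 3 and 6 both come down to somebody getting hold of track 2 data plus the matching PIN, it's worth seeing what that data actually looks like and what a back-end should and shouldn't do with it. The following is an added example written for this page, not code from the original post or from any real processing system. It parses a track 2 record laid out as ISO/IEC 7813 describes (start sentinel, PAN, separator, expiry, service code, discretionary data, end sentinel), Luhn-checks the PAN, and shows a careless log line next to a hardened one. The sample track is constructed around the well-known test PAN 4111 1111 1111 1111; the expiry, service code and discretionary digits are made up, and the first-6/last-4 masking rule is an assumption on my part, not something the post specifies.

```python
"""Parse ISO/IEC 7813 track 2 data and show how it should (and should not)
be logged.  Added example for this page; not code from the original post.
All sample data below is constructed and contains no real card details."""
import re

# Track 2 layout:  ';' PAN(1-19 digits) '=' YYMM service(3 digits)
#                  discretionary(digits) '?' [LRC]
# The LRC is added by the reader rather than encoded on the stripe, so it is
# optional here.  The discretionary field is issuer-defined (PVKI, PVV or PIN
# offset, CVV/CVC, ...) and is exactly the part a cloner wants intact.
TRACK2_RE = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})(\d*)\?(.)?$")

# Constructed sample: test PAN, made-up expiry 12/2025, service code 101.
SAMPLE_TRACK2 = ";4111111111111111=25121015432112345678?"


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a track 2 string into its fields; raise on anything malformed."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a well-formed track 2 record")
    pan, expiry, service, disc, _lrc = m.groups()
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan": pan,
        "expiry": expiry,           # YYMM
        "service_code": service,
        "discretionary": disc,
    }


def is_well_formed(track: str) -> bool:
    """Convenience wrapper: True if parse_track2() accepts the record."""
    try:
        parse_track2(track)
        return True
    except ValueError:
        return False


def mask_pan(pan: str) -> str:
    """Keep at most the first 6 and last 4 digits (assumed truncation rule)."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def log_line_insecure(track: str, pin: str) -> str:
    """What a careless back-end writes: the whole swipe plus the PIN, in clear.
    Anyone who can read this log can clone the card and drain the account."""
    return f"txn track2={track} pin={pin}"


def log_line_hardened(track: str) -> str:
    """What the log should carry: masked PAN, expiry and service code only.
    Never the full track, never the discretionary data, never the PIN."""
    f = parse_track2(track)
    return (f"txn pan={mask_pan(f['pan'])} exp={f['expiry']} "
            f"svc={f['service_code']}")


if __name__ == "__main__":
    print("bad :", log_line_insecure(SAMPLE_TRACK2, "1234"))
    print("good:", log_line_hardened(SAMPLE_TRACK2))
```

The point of the hardened line is that the discretionary data and the PIN are never written anywhere; a log that carries a full swipe plus a PIN is exactly the file the insider in attack 3 helps himself to, and it is the same data a planted machine in attack 6 is built to collect.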

There you go. Use your debit card; it's a cool technology, and it makes life easier. Plus, you now know a whole bunch more about it: its strengths and weaknesses, and what attacks it may suffer. I hope you've found this file interesting and informative.

Yours Curiously,

Kuurnaal.

Hello World!

Hello World! I am Kuurnaal, hear me roar. Whatever.

I miss the good ol' days. The days of the BBS; the days of the hacker and the phreaker, and the days when people really knew what those terms meant. That's not to say they're (we're?) not still about, but there's just so much more crap to sort through these days. So many more wannabes, so many 1337 h4x0rs. WhatEVER.

So this is me, deciding to contribute to the general whitenoise out there. I feel I have something to share. If you disagree, that's cool. Move on, I don't care. Or read, maybe learn, maybe teach me a bit too. I encourage commenting. If I've missed something, point it out. If you can add to what I've said, go for it. If you think I'm wrong, tell me WHY (don't just tell me SO).

Okay, I'll get this out of the way. Yes, I'm ad-supported. No, that won't change. I earn my living from my knowledge, and this is another way I will make money from that knowledge. It's how the world works, and it's better than me charging for access to my knowledge. I want the information out there, and advertising helps pay me for the time and effort I put into this. Question my motives all you want. Regardless of my reasons, I am getting this information out there, making it available to all comers, the world over, without charging or controlling access. That's my goal. Hopefully I'll make a few bucks along the way.

I'll endeavour to post not too infrequently. I'll try to avoid passing on interference; if everyone else out there is already saying it, I'll do my best to avoid repeating them. I work in an industry where I get access to knowledge which isn't so widespread, as do most of the rest of you. No, really. Think about it. What do you know that I probably don't? What can you share that my next reader can't?

Well, I have something to share, and hopefully there are people out there interested enough to learn.

Happy hunting and all,

Kuurnaal.