Presentation on theme: "I Know your PIN I Know Your PIN Jolyon Clulow Prism"— Presentation transcript:
1I Know your PIN I Know Your PIN Jolyon Clulow Prism
2What this talk is not about: What this talk is about: IntroductionWhat this talk is not about:The Internet, SSL, VPNsWhat this talk is about:Bank, Credit and Debit cardsBanks, Financial Networks and SwitchesPINs, PANs, ATMs, TRSMs, POS, MobileAnd……(some of the) ways that one can recover PINs from such supposedly secure systems!
3So why are we interested? JustificationDriver for modern cryptography – the so called ‘killer app’ of cryptographyThe concept of a ‘PIN’ is internationally understood and acceptedScale of useBank, Credit and Debit CardsCard issuing banksCard Associations (Visa, MasterCard,etc)Amount of money protected by these operationsGuaranteed that (almost) everyone who reads this, relies on the security thereof to protect their own personal finances.
4Talk OutlineIntroductionBackground info: What is PIN security?The attacksSome remediesReal world scenariosThe road ahead?Conclusion
5An Introduction to PINS Background infoFinancial Security 101:An Introduction to PINS
6TerminologyPIN: Personal Identification NumberPAN: Personal Account NumberATM: Automatic Teller Machine (cash machine)API: Application Programming Interface (the set of functions exposed/available)API attack: an attack which uses(or abuses) the existing/available functions to compromise the security of the system
7What is a TRSM? Tamper Resistant/Responding Security Module (TRSM) Host Security Module (HSM)Hardware Security Module (HSM)Crypto CoprocessorProvides a secure, trusted environment to perform sensitive operationsDetects and responds to physical, electronic (or other) attempts to recover key material or sensitive data. Typical measures include:physical tamper envelope/membranetemperature, radiation sensorspower supply monitoring and filteringTrigger causes erasure of protected data
9Key ZonesEach connected pair of entities share a common key to form a key zone
10Basic Operations 3 Basic PIN operations are required: Encryption TranslationVerification
11PIN Encryption e.g. PIN is 1234, Key is 0123456789ABCDEF Start with an empty PIN blockInsert PINPadEncrypt the clear PIN blockIt’s that simple!12341234F258D6B491
12PIN Formats (some examples) VISA Format 3PIN Block = PPPPFXXXXXXXXXXXIBM 3624PIN Block = PPPPxxxxxxxxXXXXISO-1PIN Block = CLPPPPrrrrrrrrRRwhere C = X‘1`,L = X‘4` to X’C`r is either P or RVISA Format 2PIN Block = LPPPPzzDDDDDDDDD
13PIN Formats (List).ISO-0 (ANSI X9.8, VISA-1, ECI1)ISO-1ISO-2VISA-2, VISA-3, VISA-4IBM 3624, IBM 3621, IBM 4700ECI-2, ECI-3DocutelOthers…
14ANSI X9.8 Format (ISO-0)E.g. For a 4 digit PINP1 = 04PPPPFF FFFFFFFFP2 = 0000AAAA AAAAAAAAWhere AAAAAAAAAAAA represents 12 digits of the PANPB = P1 P2EPB = ek(PB)Binds the account number to the PINDiversifies the encrypted PIN block
15Basic Operations 3 Basic PIN operations are required: Encryption TranslationVerification
16Translate between different zone keys Question: PIN TranslateTranslate between different zone keysQuestion:What if different actors/entities use different formats?Additional operation requiredPIN ReformatSupports change in PIN formats and PANs
17Basic Operations 3 Basic PIN operations are required: Encryption TranslationVerification
18Exist multiple different approaches PIN VerificationExist multiple different approachesSimpleOffsetsPIN Verification Values(PVV)Compare the customer supplied PIN with a reference PIN
19PIN Verification (Offsets) Validation data is encrypted under PIN generation (verification) key.Ciphertext is ‘decimalised’ to form IPIN by means of a table.Calculate the offset as OFFSET = PIN-IPIN (where ‘-’ is subtraction modulo 10)
20PIN Verification (Offsets) IBM PIN Offset AlgorithmAllows user to choose own PIN (also to change it easily)Validation data is typically customer and financial institution specific (e.g. PAN)‘Decimalization’ by means of a table.123456789ABCDEF
21Attack #1a: ANSI X9.8 Attack Attack #1b: Extended ANSI X9.8 Attack The AttacksAttack #1a: ANSI X9.8 AttackAttacks the PIN translate function.Attack #1b: Extended ANSI X9.8 AttackAttacks the PIN translate and reformat functions.Attack #2: The Decimalization AttackAttack against PIN verification algorithm using offsets.
22Attack #3: Key Separation #1 The AttacksAttack #3: Key Separation #1Attack against PIN verification functions based on failure to enforce key separation between verification and translation(encryption).Attack #4: Key Separation #2Attack against PIN verification functions based on failure to enforce key separation for different verification algorithms.Attack #5: Check Value AttackAttack against PIN verification algorithm using the check value of a key
23ANSI X9.8 (ISO-0) Attack Attack #1 Attacks the PIN translate/reformat function
24ANSI X9.8 (ISO-0) Attack Input Parameters Attack Strategy: Encrypted PIN Block (EPB)PANEncrypted ‘In’ KeyEncrypted ‘Out’ KeyAttack Strategy:In an iterative manner, we make a modification to the PAN and observe the effects
25ANSI X9.8 (ISO-0) AttackUnder normal operation:Inputs (EPB, P2)PB = dk(EPB)P1 = PB P2= 04PPPPFFFFFFFFFFExtract PIN as PPPPTest that PPPP is valid PIN (i.e. each P is a valid decimal digit)
26ANSI X9.8 (ISO-0) AttackInstead of supplying the correct PAN (P2) to a call, use a modified PAN (P2’ = P2 )Inputs (EPB, P2’)PB = dk(EPB)P1’ = PB P2’= (P1 P2) (P2 )= P1 Say = 0000xP1’ = 04PPPPFFFFFFFFFF 0000x
27ANSI X9.8 AttackQ: What happens if (P x) is a decimal digit?A: The call passes.Q: What happens if (P x) is not a decimal digit?A: Typically, the call FAILS!We have a test for (P x) < 10.
28Building a simple algorithm to identify P ANSI X9.8 AttackBuilding a simple algorithm to identify PTry all possible values of x, yielding a unique* pattern of ‘passes’ and ‘fails’ allowing you to identify P.A decision tree
29The Decimalization Attack Attacks the PIN Verification using offsets function
30Decimalization Attack Input ParametersEncrypted PIN Block (EPB)Validation DataDecimalization TableOffsetEncrypted KeyAttack Strategy:In an iterative manner, we make a single change to an entry in the decimalization table and observe the effects
31Decimalization Attack PIN = 6598PIN Ver Key =Val. Data =Ciphertext = E481FCDec. Table =IPIN = 4481Offset = 2117
32Decimalization Attack Dec. Table (0) =IPIN = 4481Offset = 2117 (will pass)Dec. Table (1) =IPIN = 4482Offset = 2117 (will fail)= 2116 (will pass)Thus far we have identified that the 4th digit in the original IPIN is a 1 and hence that the 4th PIN digit is 1+7 = 8 (IPIN + Offset).
33Decimalization Attack Work factorInitial search for (an unknown) offset requires at most (n-4)•10 queriesEach change in the dec. table requires at most 24 + (n-4) queriesAt most need to try 15 of the 16 entries in the table for a total of 15(24 + n-4) queries.Attack time dependant on TRSM speedTypical values (dependent on speed of TRSM):Known initial offset: 1 – 20 secondsUnknown initial offset: seconds
34Properties How efficient are these attacks? What are the requirements? Computationally trivialExtremely fastRequires just a few seconds on a Pentium ITypically limited by performance of TRSMWhat are the requirements?Requires query access to the device, implying either:Physical access to the device/switch/trust centerSpecial case: Stolen deviceAccess to the network transporting transaction traffic and the ability to inject messages
35What about in the ‘Real World’? Real world systems should be following standard industry best practices that if implemented correctly and enforced should limit a potential hacker’s ability to perform such attacks.Physical access control to restricted area.Some thoughts and counter arguments.Attacker can attack at weakest point. One institution’s account holder can be compromised on another institution’s network. Hence must guarantee that all potential networks through which the PIN may travel to be secure.So why did you buy an expensive TRSM in the first place if your defense rests on physical access control?Multi-lane Retail Stores
36So what went wrong?Some functions are just badly thought out and insecure.Individually secure functions were added to the API in a manner to make entire system insecure. Insufficient attention was given to the possible interplay between functions.Absence of a single standard to which everyone completely adheres to (many different formats and algorithms exist due to historical reasons).Different customers want different functionality from the same product.
37Solutions - Cryptographic Remove ‘weaker’ algorithms/functions (leave only the strongest)Parameter(data) IntegrityMAC the PIN block and dataPAN, PIN block format, etcMAC any verification/generation dataDecimalization table, Validation data, TSP, etcA better PIN Block Format?Key SeparationFormat (PIN Block Variance)AlgorithmsOther data (e.g. PAN)
38Solutions – Access Control Electronic access controlFine grained, allowing the individual enablement/disablement ofFormatsAlgorithmsFunctionsLimit functionality. Only enable what is required. Disable everything else.Useful to allow a function to be disabled should it later be shown insecure.True split control
39Risk, Reward and Liability Hackers and Threats?Real world scenarios:Risk, Reward and Liability
40DisclaimerThis material is made available as a courtesy, purely for educational and informative purposes only for an intended audience of responsible individuals with a genuine interest in improving the security of financial networks.Prism makes no claim as to the accuracy or completeness of this information.Prism accepts no responsibility or liability arising from the use of this material.
41Insider attackExtract the PIN number for a given account (or accounts)Create a duplicate ‘white card’ (or multiple duplicate cards)Distribute to accomplices to perform a random tour of ATMs
42Insider Attack - Reward Let N be the number of compromised accounts, P the average period before unnatural transaction behavior is noticed and L the daily withdrawal limit.Total Fraud Value = NPLExample:N = 5000P = 2L = $1000Total Fraud = $ 10 M
43Account Holder AttackProduce a number of duplicate ‘white cards’ of your own cardDistribute to multiple accomplices, preferably in different geographical locations to perform a random tour of ATMs.Report the ‘unauthorized’ activity on your account and dispute the transactions.
44Account Holder Attack (cont.) It may be advisable to perform a valid transaction “simultaneously” with a fraudulent one since this ‘proves’ you are in possession of your card and preferably in a different location.Best done by multiple card holders from a given institution since:Not an isolated incidentQuestions the security of the institutionGives the impression of a possible insider attack
45Account Holder Attack - Reward Let N be the number of conspiring account holders, P the average period before unnatural transaction behavior is noticed and L the daily withdrawal limit.Total Fraud Value = NPLAverage return = PLExample:N = 100P = 10L = $1000Total Fraud = $ 1 MAverage return per account holder = $ 10 K
46The Repudiation Attack Just deny a transactionDispute procedure leading to possible litigationArgue the insecurity of the systemBest if security of institution already questionedScenario:Following a successful account holder/insider attack being made public – other account holders (acting individually) may dispute valid transactions that occurred during the attack period (or after)Financial risk is great due to the possible scale (e.g. 0.1 % of an institution’s 1,000,000 customers each disputing a $1000 transaction = $1 M)Loss of confidence in the given institution could well be more damaging
47Other Ideas The Competitor Attack The Stock Market Attack Use own network to compromise a competitor institution (could even choose to use administrator privileges to effect this)Reward not the stolen money but the ‘after effects’Less of a connection between accomplices and institution (no cash trail leading back)The Stock Market Attack‘Short’ the stock prior to any attack (no cash trail)The Terrorist AttackAll/any combinations of all the previous attacks
48What now? Q: What should you do now if you are a bank? Q:Is that all? Contact your vendor, request any best practices information and implement it.Be vigilant. Increase your auditing.Reassure your clients.Wait.Positive pressure on the role players.Q:Is that all?The nature of the problem is such that it is not yours alone (unless you disconnect from the network). The entire network must be secured and until that happens you and your account holders are potentially vulnerable.
49The road ahead? Process driven by Card Associations? Due to role and influence over the infrastructureRevise the standardsNew design/security requirements.Prescriptive requirements limiting what functionality is allowed.Vendors will then update products based on revised standardsExpecting (and hoping) for more uniformity and collaboration between different vendor product offerings. (Makes business sense for institutions)Card associations will mandate new requirements to institutions.
50The unanswered question? Who is liable in the event of such an attack leading to fraud?
51SummaryA set of API attacks which allow PIN recoveryDesign criteria/suggestions to combat the attacksSome potential attack scenarios
52The final comment…The most concerning aspect of these attacks, is that you can be attacked on someone else’s network – a network over which you have little or no control.