1. Chapter 10  ATM 1 Automatic Teller Machines

2. Chapter 10  ATM 2 Automatic Teller Machines  “…one of the most influential technological innovations of the 20th century”  Began in 1968, more than 500,000 today  One of the first commercial use of crypto (block ciphers), tamper resistant hardware, security protocols, etc.  The “killer app” for commercial crypto

3. Chapter 10  ATM 3 ATMs  An interesting case study o What was done correctly o What was done incorrectly

4. Chapter 10  ATM 4 ATM Security Module  Security module implemented in tamper-resistant hardware o IBM 4758 crypto processor o Security module is at bank o All crypto computations done in security module, such as PIN verification

5. Chapter 10  ATM 5 ATM Security Module  IBM PIN generation o Acct number N on magnetic stripe o PIN key K (in tamper-resistant hardware) o “Natural PIN” is F(E(N, K)), where encryption E is DES, and F is a function o PIN = natural PIN + offset (so customers can choose their own PIN)  Note: PIN verification relies on N and secret K, and is done in security module

6. Chapter 10  ATM 6 IBM PIN Gen Example  Account number:  PIN key K:  DES encrypt E(N,K):  Decimalize:  Natural PIN:  Offset:  Customer PIN: 8807012345691715 FEFEFEFEFEFEFEFE A2CE126C69AEC82D 0224126269042823 0224 6565 6789

7. Chapter 10  ATM 7 More ATM Security  PIN encrypted with “terminal master key” and sent to security module  ‘Dual controls” --- terminal master key entered in 2 parts (2 people)  PIN “translation” (from one ATM network to another) done in security module

8. Chapter 10  ATM 8 Problems  Early on, encryption done in software  Not feasible for all pairs of banks to share keys, so KDC used (VISA)  Large number of trans, so corners cut o “Optimization is the process of taking something that works and replacing it with something that doesn’t quite, but is cheaper”  Most ATMs use 56-bit DES

9. Chapter 10  ATM 9 What goes wrong  ATM system designed to stop sophisticated attacks  In practice, the real issues are o Processing errors --- e.g., computer crashes o Only 0.001% probability, but 5 billion ATM trans  Card theft from mail  Fraud by bank staff o Laptop inside ATM to record PIN’s o Key for test system used for real system

10. Chapter 10  ATM 10 Unexpected Attacks  Shoulder surfing to get PIN, copy acct number from receipt  One system --- telephone calling card, ATM thought previous card inserted  One system --- output 10 bills when 14- digit test sequence entered  One bank issued same PIN to everybody  Fake ATM to collect PINs  Steal the ATM (camera is inside ATM)

11. Chapter 10  ATM 11 ATMs  Biggest mistake in design of ATM system: “… worried to much about criminals being clever instead of worrying about customers and banks being stupid”

12. Chapter 10  ATM 12 ATM legal issues  In US, banks carry risk of ATM technology o must refund most disputed transaction o costs average bank $15K/year in fraud  In much of Europe, customer bore cost o Banks claimed ATMs infallible o John Munden case  British policeman, found his acct $700 short  Bank: no bugs in code since written in assembler  Munden convicted and fired  Overturned on appeal: bank would not release its code

13. Chapter 10  ATM 13 ATM legal issues  If Munden case had occurred in California, “he would have won enormous punitive damages”  Lessons o Non-repudiation is critical --- camera in ATM would have solved Munden case immediately o In general, security system must be able to withstand examination by hostile experts