The more popular online banking and credit-laden smartcards
become, the more their security is coming under scrutiny - and
being found lacking

by Jim Giles

ONLINE banking fraud doesn't just affect the naive. Last year, Robert
Mueller, a director at the US Federal Bureau of Investigation,
admitted he'd come within a mouse-click of being a victim himself.
Now the extent of the problem has been brought into sharp relief, with
computer scientists warning that banking culture is increasing the
likelihood that customers are using vulnerable systems.

The convenience of online banking and electronic money has led to a
revolution in the way we save and spend our earnings. Banking websites
and payment systems are relentlessly targeted by criminals, though, so
continuous improvements in security are needed to prevent fraud. But
as was revealed at this week's Financial Cryptography and Data
Security conference in Tenerife in the Canary Islands, some of the
best-known security systems can still be compromised relatively

All too often, banks' security systems are developed in secret, so
their flaws are only identified when they are deployed, says
Steven Murdoch, a security researcher at the University of
Cambridge. This opens a window of opportunity for criminals.

Weaknesses in three widely used financial security systems highlight
the extent of the problem. These systems, used by millions of people
every day, can in some cases be breached using off-the-shelf
technology and a little persistence, say researchers at the
cryptography conference.

Take the Mifare family of smartcards devised by NXP Semiconductors
of Eindhoven, the Netherlands. The "Classic" version of the card is
used to carry small amounts of credit - one German bank allows up to
EUR150 to be stored on the card - or for public-transport tickets,
such as the Oyster travel card in London.

Weaknesses in the Classic card's security first became apparent
when researchers partially reverse engineered the card's encryption
system in 2007. Now a group from the Ruhr University in Bochum,
Germany, has built on that work to develop a quick and straightforward
method to alter the credit stored on some types of the card.

The Classic cards use 16 separate encryption keys to protect the
information stored on the card. Timo Kaspar and colleagues studied
the keys on one set of cards currently in use as a payment system by
a million people in Germany. They found that every card used the same
set of 16 keys and, once the team had identified them by building on
the 2007 hack, Kaspar was able to alter the information stored on any
card that used the system, if given access to the card.
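The flaw described above is a single key set shared by every card, so keys recovered from one card open all the others. As an added illustration (not the researchers' or the issuer's code), the following constructed Python compares that static scheme with per-card key diversification, where each sector key is derived from a master key and the card's UID; the master key, UIDs and HMAC-SHA256 derivation are assumptions made for the example, not any issuer's actual scheme.

```python
import hashlib
import hmac

KEY_LEN = 6      # Mifare Classic sector keys are 48 bits (6 bytes)
SECTORS = 16     # one key per sector, the "16 separate encryption keys" above

# Constructed master key for illustration; an issuer would keep this in an HSM.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Constructed 4-byte card UIDs (the card presents its UID to any reader).
CARD_A_UID = bytes.fromhex("deadbeef")
CARD_B_UID = bytes.fromhex("cafef00d")


def static_keys(master: bytes) -> list[bytes]:
    """Weak scheme: keys depend only on the master, so every card gets the same 16."""
    return [hashlib.sha256(master + bytes([s])).digest()[:KEY_LEN]
            for s in range(SECTORS)]


def diversified_keys(master: bytes, uid: bytes) -> list[bytes]:
    """Per-card scheme: each sector key is an HMAC over the card's UID and the
    sector number. Keys read off one card say nothing about another card's
    keys; a legitimate reader re-derives them from the UID it has just read."""
    return [hmac.new(master, uid + bytes([s]), hashlib.sha256).digest()[:KEY_LEN]
            for s in range(SECTORS)]


def cross_card_reuse(keys_a: list[bytes], keys_b: list[bytes]) -> int:
    """Number of sectors on card B that card A's recovered keys would also open."""
    return sum(1 for ka, kb in zip(keys_a, keys_b) if ka == kb)


def compare_schemes() -> dict[str, int]:
    """Assume card A's keys have been recovered (the situation the article
    describes) and count how many sectors of card B they unlock per scheme."""
    shared = cross_card_reuse(static_keys(MASTER_KEY), static_keys(MASTER_KEY))
    diverse = cross_card_reuse(diversified_keys(MASTER_KEY, CARD_A_UID),
                               diversified_keys(MASTER_KEY, CARD_B_UID))
    return {"static": shared, "diversified": diverse}


if __name__ == "__main__":
    print(compare_schemes())  # {'static': 16, 'diversified': 0}
```

Diversification limits the damage from one compromised card, but does not repair the Classic card's broken cipher itself; that is why the issuer still had to fix the system rather than only rotate keys.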

Using a card reader built by the team, Kaspar was able to add credit
to blank cards. To prove that the hack worked, he used the cards to
purchase items such as coffee and ice cream. The cards only have to
come near a reader to be activated, so a hacker with Robin Hood-style
inclinations could hide a system in a public place so that anyone
walking close enough would find that their card had magically filled

"It's so simple," says Kaspar. "Anyone can buy a reader for around
$30." Criminals can also download free software that can be used to
read the encryption codes on the card. Kaspar has notified the company
that runs the payment system and says that the firm is fixing the
problem. The card's manufacturer, NXP, told New Scientist that it is
the card issuers themselves that decide how to implement their
encryption security, and that NXP alerted each issuer of the dangers
of using the same set of 16 encryption keys on all the cards it

Elsewhere, another group of security researchers has taken aim at a
card reader that is used to verify online banking payments. The
reader, used by some European banks, plugs into a computer using a USB
connection and launches a supposedly secure browser. Users place their
bank card into the reader, which then creates a secure connection with
the bank via the browser. The system was designed to allow customers
to safely sign off transactions such as transfers between bank

That, at least, is the theory. Felix Grobert and colleagues, also at
the Ruhr University, designed a piece of software that attacks the
modified browser as soon as it launches, disabling its security. It
can then surreptitiously alter the details of the account that is due
to receive transferred money, siphoning off money to an account of the
hacker's choosing. Grobert says he has alerted the banks that use the
system and also the producer of the smartcard reader. Both are
addressing the problem.

That reader is only given to corporate customers, who use it to
process large numbers of transactions. But systems used to protect
online consumer purchases also show flaws, warn Murdoch and his
Cambridge colleague Ross Anderson. Many online transactions contain an
extra layer of security - such as "Verified by Visa" or "MasterCard
Secure" - which is run by card companies. Customers enter a password,
which has to be checked by Visa or MasterCard before the transaction
can be completed.

The system was designed to combat fraud in online card transactions.
Unfortunately, say Murdoch and Anderson, the system fails to follow
many established security guidelines. For example, the Verified by
Visa form pops up in the centre of shopping websites, much like a
phishing attack might. This means customers may become less wary of
other threats, says Murdoch. Customers also have to select a password
when the system is activated for the first time - usually during a
spot of shopping. Anderson has previously shown that without
explicit guidance people tend to choose weak passwords. Visa was
asked for comment but had not responded at the time of writing.

All of these security issues can be fixed without too much effort, but
their existence is symptomatic of a wider issue, says Murdoch: the
secrecy culture of banks is resulting in systems being deployed with
all-too-obvious weaknesses in them. Companies should be more open to
external help, he says, and have independent experts inspect their

