Understanding Security APIs - CrySyS Lab
Because the ATM network is a link-based architecture, rather than end-to-end, the
increasing user-base increases the encryption workload several fold.

4.1.1 Targets of Attack

ATM system security in banks has a quite conventional threat model, which
shares aspects with that of many other data-processing and service-providing
corporations, because there are no secrets which are absolutely mission-critical.
Whilst the keys used for deriving PINs from account numbers are extremely valuable,
even a theft of tens of millions of pounds is not enough to collapse a bank for
financial reasons (their brand name, however, can certainly be considered
mission-critical).

The crucial secret is the customer PIN. Sometimes PIN information exists as explicit
data which must be kept secret from an attacker, and sometimes it is kept as a PIN
derivation key. The authorisation responses sent to ATMs, although not secret, are
also valuable. If the integrity of these responses can be compromised, and a ‘no’
turned into a ‘yes’, money can be withdrawn from a particular cash machine without
knowledge of the correct PIN. Service codes for disabling ATM tamper-resistance,
or for test dispensing of cash, are of course also valuable and must be kept secret.

It is actually quite easy to quantify the financial loss associated with PIN theft.
‘Velocity checking’ limits mean that maybe a maximum of £300 can be withdrawn
per calendar day, and if monthly statements to the customer are checked, then the
fraud can continue for at most one month. Thus each stolen PIN is worth up
to £9300 to the attacker – maybe on average £5000. There have been cases where
velocity checking was bypassed, or not even present [20]; in these circumstances, as
a rough guide, one person can withdraw about £25000 per day working full time.

Unfortunately for the bank, because their prime business of storing money for people
is strongly built upon trust, the effects of fraud on the bank’s image and the trust
of its customer base have to be factored in. These are very difficult for an outsider
to assess, let alone consider quantitatively.

If handled shrewdly, the loss may not be costly at all, for instance if the bank
declares the customer to be liable. If the amount is small enough, the customer
will be tempted to give up rather than waste time and effort retrieving a small
sum. However, the potential loss of revenue from bad handling of a fraud worth,
say, £10000 could be in the tens of millions in terms of long-term business lost.

The primary motive for attacking a bank is obviously financial gain. Some attackers
seek short-term financial gain, for instance by extracting PINs for several hundred
accounts and looting them in a couple of weeks. Others may plan for mid-term
financial gain, for instance by selling a PIN extraction service for stolen cards at
£50 per card; this slow trickle of cash may be easier for the attacker to conceal in
his finances.