[Clips] Online ID Thieves Exploit Lax ATM Security

Anne & Lynn Wheeler lynn at garlic.com
Wed Aug 3 12:25:27 EDT 2005


two-factor authentication's nominal objective is to have different
vulnerabilities, i.e. PINs ("something you know") are nominally a
countermeasure to lost/stolen cards ("something you have").

However, skimming exploits can copy both magstripe and pin for
producing a counterfeit magstripe card that can be used with stolen
PIN (common vulnerability) ... minor reference found with search
engine:
http://wiki.whatthehack.org/index.php/Time_to_Ditch_the_Magstripe

The phishing vulnerability can steal both account number and PIN for
producing counterfeit magstripe card for use with the stolen pin; again,
common vulnerability defeating objective of using two-factor authentication.

back in the dark ages there were attacks on magstripe credit cards that
used the algorithms for valid account numbers to generate counterfeit
magstripe credit cards. magstripes then acquired effectively a kind of
hash code as countermeasure to counterfeit magstripes with algorithm
generated account numbers. this turns out to also be a countermeasure
for counterfeit magstripe credit cards that have been created from
phished account number (however this isn't a countermeasure to skimmed
magstripe exploit that produces counterfeit magstripe with all the exact
information). description of magstripe (and discretionary data field)
format:
http://en.wikipedia.org/wiki/Magnetic_stripe_card

PINs have also been used as countermeasure to counterfeit magstripe
debit cards ... possibly based on assumption that counterfeit debit
magstripe from phishing exploits were similar threat to lost/stolen
card. However, this isn't an effective countermeasure when both the PIN
and the account number (magstripe) have a common vulnerability (phishing).

As an aside, a countermeasure for lost/stolen cards is also early
reporting (owner is aware of the missing card). However this is not
applicable to skimmed/phished information since the card owner might not
even be aware that it has happened (until after discovering fraudulent
transactions).

...

spate of recent articles on phishing and ATM/debit

Analysts Say ATM Systems Highly Vulnerable To Fraud
http://www.banktech.com/aml/showArticle.jhtml?articleID=167100238
Something Phishy's Going On
http://www.banktech.com/aml/showArticle.jhtml?articleID=167100396
Analysts Say ATM Systems Highly Vulnerable To Fraud
http://www.banktech.com/news/showArticle.jhtml?articleID=167100238
E-Fraud | Cybercrooks Target ATM And Debit Cards, Steal Billions
http://www.techweb.com/wire/security/167100202
Analysts Say ATM Systems Highly Vulnerable To Fraud
http://www.financetech.com/utils/www.banktech.com/story/enews/showArticle.jhtml?articleID=167100238
Phishers exploiting lax ATM security - Gartner
http://www.finextra.com/fullstory.asp?id=14058
Banks let phishers get away with $2.75bn
http://www.vnunet.com/vnunet/news/2140690/banks-let-phishers-away-75b
Banks let phishers get away with $2.75bn
http://www.pcw.co.uk/vnunet/news/2140690/banks-let-phishers-away-75b
Phishing attacks highlight banks' weaknesses
http://news.zdnet.co.uk/internet/security/0,39020375,39211852,00.htm
Phishers cash in on ATM cards
http://www.zdnetasia.com/news/security/0,39044215,39246973,00.htm
ATM Systems Highly Vulnerable
http://www.newsfactor.com/story.xhtml?story_id=003000002F1U

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
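As an added illustration (not code from the post above or from any card network), a simplified issuer authorization model in Python showing which of the three checks the post describes (valid account number, keyed check value in the magstripe discretionary data, PIN) stops each kind of counterfeit. The Luhn checksum stands in for the "valid account number" algorithm and a truncated HMAC for the magstripe check value; both are assumptions, and the PAN, PIN, expiry and issuer key are constructed.

```python
import hashlib
import hmac

# Constructed issuer secret. A real issuer derives the check value under a card
# verification key held in an HSM; that derivation is not modelled here.
ISSUER_KEY = b"constructed-issuer-key"
CARDS_ON_FILE = {"4539578763621486": "1234"}  # constructed PAN -> PIN

def _luhn_sum(digits: str, double_at: int) -> int:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == double_at:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total

def luhn_valid(pan: str) -> bool:
    """Luhn checksum: the public rule for 'valid account numbers' that the old
    counterfeit-card attacks used to generate plausible PANs."""
    return _luhn_sum(pan, 1) % 10 == 0

def luhn_complete(partial: str) -> str:
    """Append the Luhn check digit, i.e. form an algorithm-generated PAN."""
    return partial + str((10 - _luhn_sum(partial, 0) % 10) % 10)

def check_value(pan: str, expiry: str) -> str:
    """Stand-in for the keyed check value in the discretionary data: only the
    issuer key produces it, so a phished PAN cannot yield it, but a skimmed
    stripe carries it."""
    mac = hmac.new(ISSUER_KEY, f"{pan}|{expiry}".encode(), hashlib.sha256)
    return mac.hexdigest()[:6]

def issue_track2(pan: str, expiry: str) -> str:
    """Track-2 style layout: PAN, separator, expiry, discretionary data."""
    return f"{pan}={expiry}{check_value(pan, expiry)}"

def authorize(track2: str, pin: str) -> str:
    """Issuer-side decision for one PIN transaction, check by check."""
    pan, rest = track2.split("=", 1)
    expiry, cv = rest[:4], rest[4:]
    if not luhn_valid(pan):
        return "decline: invalid account number"
    if pan not in CARDS_ON_FILE:
        return "decline: unknown account"
    if not hmac.compare_digest(cv, check_value(pan, expiry)):
        return "decline: counterfeit magstripe"  # phished PAN + PIN stops here
    if pin != CARDS_ON_FILE[pan]:
        return "decline: wrong PIN"  # lost/stolen card stops here
    return "approve"  # skimmed stripe + skimmed PIN passes: the post's point
```

The last branch is the limitation the post describes: a full copy of the stripe plus the observed PIN is indistinguishable from the genuine card at the issuer, so this check set only helps when the two factors fail independently.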