Keeping an eye on ATM fraud

Anne & Lynn Wheeler lynn at garlic.com
Sun Jul 10 17:50:17 EDT 2005


http://www.atmmarketplace.com/news_story_23530.htm

Keeping an eye on ATM fraud

What happened to the good ole days when the magnetic stripe was king?
Remember … those were the days when you didn’t have to worry about ATM
devices that skim or trap. In today’s techie world, those days are long
gone, and the mag-stripe’s life is nearing its end.

... snip ...

note, as in previous posts ... it isn't just the skimming of static data
from the magstripe (as well as pin-hole cameras that capture any pin)
.... but it is being able to capture the static data at any point in the
infrastructure
http://www.garlic.com/~lynn/subpubkey.html#harvest

and use that static data in any kind of subsequent fraudulent transactions.

For the *enforced* PIN-debit and *enforced* x9.59 operations, it also
means that normal static data is *never* sufficient to perform a
transaction .... that authentication is always required.

The specific issue for PIN-debit is that technology advances are making
it easier to skim both the magstripe and the PIN ... and then
reproduce them for fraudulent transactions. *Enforced* PIN-debit does
improve the situation (compared to a regular credit magstripe) in that
harvesting static data from transaction logs is normally not sufficient
to perform fraudulent transactions. *Enforced* PIN-debit has somewhat
higher resistance to the data breaches that have been in the press ...
since the necessary PIN won't be found in the standard log and accounting
files for standard business processes (but PIN-debit is still vulnerable
to the skimming exploits at transaction origin).

ecdsa on x9.59 transactions
http://www.garlic.com/~lynn/index.html#x959
http://www.garlic.com/~lynn/subpubkey.html#privacy

won't expose any of the information to originate a fraudulent
transaction (the specific account number and digital signature may be
exposed ... but not the private key).

A PIN on digital signature transactions can act as a countermeasure for
lost/stolen token exploits. The issue is that the PIN doesn't make a lot
of difference on point-of-origin skimming exploits ... since the PIN
will nominally be captured (but not the private key). A digital signature
with a private key (that is never divulged) for *enforced* x9.59
transactions (i.e. the related static information can never be used
successfully for a non-x9.59 transaction) is a sufficient countermeasure
against both skimming and harvesting vulnerabilities.

A lot has been made of two-factor authentication as being a necessary
countermeasure for the majority of the current threats and vulnerabilities.
A majority of the current threats and vulnerabilities are authentication
infrastructures that use static data for authentication (and the static
data can be skimmed and used for fraudulent transactions). Simple
(static data) two-factor authentication isn't a countermeasure for the
skimming exploits, while (dynamic data, like digital signature) single
factor authentication is a countermeasure for the skimming and
harvesting exploits.

---------------------------------------------------------------------
The Cryptography Mailing List
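As an added illustration (not part of Lynn's post, and not x9.59's actual message format or any real issuer's code): a toy issuer host in Python that authorises a magstripe+PIN transaction on static data and an x9.59-style transaction on an ECDSA signature over the transaction fields. The curve arithmetic is textbook affine secp256k1 written inline so it runs offline; x9.59 does not mandate a curve, and the curve choice, the field names, the txn_id replay check and the constructed card data are all assumptions of this example. It shows the post's two cases side by side: track data plus PIN captured once at the ATM authorises a later transaction for any amount, while a captured account number plus signature authorises neither an altered transaction nor a verbatim replay, because the private key never left the token and the issuer only ever held the public key.

```python
"""Static-data (magstripe + PIN) versus signed-transaction authorisation.  Added
example, not from the original post; toy affine secp256k1 ECDSA, not constant-time."""
import hashlib
import secrets

# secp256k1: y^2 = x^3 + 7 over GF(P); G generates a group of prime order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point, k = ec_add(point, point), k >> 1
    return acc

def _z(msg):  # SHA-256 of the message, reduced mod N
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def ecdsa_sign(priv, msg):
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (_z(msg) + r * priv) % N
        if r and s:
            return (r, s)

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    R = ec_add(ec_mul(_z(msg) * w % N, G), ec_mul(r * w % N, pub))
    return R is not None and R[0] % N == r

def canonical(txn):  # deterministic encoding of every field the signature binds
    return "|".join(f"{k}={txn[k]}" for k in sorted(txn)).encode()

class Token:  # card/token: the private key is generated inside and never leaves
    def __init__(self, account):
        self.account = account
        self._priv = secrets.randbelow(N - 1) + 1
        self.pub = ec_mul(self._priv, G)  # the only key material the issuer gets

    def sign(self, txn):
        return ecdsa_sign(self._priv, canonical(txn))

# Constructed test card (not real data): exactly what a skimmer + pinhole camera yield.
STRIPE = {"pan": "4111111111111111", "track2": "4111111111111111=2712101", "pin": "4931"}

class Issuer:
    def __init__(self, token):
        self.pubkeys = {token.account: token.pub}
        self.seen = set()  # (account, txn_id) pairs already authorised

    def authorize_pin_debit(self, pan, track2, pin, amount):
        # Static data only: nothing checked here depends on this transaction.
        return (pan, track2, pin) == (STRIPE["pan"], STRIPE["track2"], STRIPE["pin"])

    def authorize_x959(self, txn, sig):
        pub = self.pubkeys.get(txn["account"])
        if pub is None or not ecdsa_verify(pub, canonical(txn), sig):
            return False  # signature does not cover these exact fields
        key = (txn["account"], txn["txn_id"])
        if key in self.seen:
            return False  # verbatim replay of a captured signed transaction
        self.seen.add(key)
        return True

def magstripe_skim(issuer):  # static data captured once clears any later amount
    legit = issuer.authorize_pin_debit(amount=20, **STRIPE)
    fraud = issuer.authorize_pin_debit(amount=500, **STRIPE)
    return legit, fraud  # (True, True)

def signed_skim(issuer, token):  # attacker sees account, txn and (r, s), not the key
    txn = dict(account=token.account, amount=20, merchant="ATM-0017", txn_id="0001")
    sig = token.sign(txn)
    legit = issuer.authorize_x959(txn, sig)
    altered = issuer.authorize_x959({**txn, "amount": 500, "txn_id": "0002"}, sig)
    replay = issuer.authorize_x959(txn, sig)
    return legit, altered, replay  # (True, False, False)

if __name__ == "__main__":
    tok = Token("5555444433332222")
    print(magstripe_skim(Issuer(tok)), signed_skim(Issuer(tok), tok))
```

The two things that make the signed path resist skimming and harvesting are both visible in the code: the signature covers the amount and a per-transaction identifier, so a captured (r, s) cannot be moved onto a different transaction, and the issuer keeps only public keys, so a breach of its files yields nothing that can originate a new transaction. A PIN added to the token would only guard against a lost or stolen token; it is not what stops the replay.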