Did the major banks ever respond to this issue and solution?

Further, what makes you think the bank is losing money whilst the ATM is out of service? Cash handling is a cost.

How much money can the fraudster get out of the broken machine? I think the theory is correct but in practise?

I don’t think this is workable.

This is the crucial issue. Could such a racket actually work or not? I see your arguments about DOS being practicable on the net because it’s cheap, the cost of nodes is low, and the cost of losing nodes is low. But I think these facts also remain true in the real world for ATM infrastructure attack…

* One man working full time over a weekend can easily visit 200 cash machines (I’ve known a case where 200 phantom withdrawals were made in a single weekend), and they don’t need a lot of people — they just need more people than there are ATM repair engineers, scaled by the factor for how long a break takes (seconds) versus a repair (hours–days). It’s much quicker to break stuff than to repair it, I promise. And to find problems with the ATM network, than to solve them

*DOS based on killing hardware-equipment is very different from DOS based on filling up bandwidth pipes. Once the attack stops in the latter, business can resume as normal, no-one needs to go round fixing anything as such, possibly reboot a few computers.

* Remember that smashing it with a bat is at the extreme end of a whole spectrum I presented. Some of the subtle stuff could be done so that ATMs could be disabled even while under surveillance.

* Don’t think that the police would put ATM racketeering at the top of their priority list without a serious political impetus, or a wad of cash from the banks to go investigate. There are a lot more violent and hurtful crimes to think about too. And you are not even disabling the whole ATM, just the chip functionality.

It probably deserves some response though

The author appears to suggest that ATM fraud will be solved by updating all the ATMs (that’s quite an investment) to read another sort of card (the ID KEY) which they happen to have patented. This card will require you to input not only your PIN but also a one-time code (so that observing the transaction doesn’t assist the bad guys).

There is no discussion as to the costs (or methods) of updating these one-time codes, or indeed whether a camera (or a shoulder-surfing crook) will be unable to read the paper on which all these codes will (necessarily) be written out.

Clearly this does make ATM usage a bit more secure (and a bit more inconvenient), but it’s a pretty disruptive change to their use and so it doesn’t look like a no-brainer to implement it (rather the reverse).

The second safeguard is apparently the use of embedded photo-id. This is straightforward to rebut as a solution since there’s existing research as to its ineffectiveness. A description of the classic experiment can be found in #13.3 of Ross’s book. Those who have not read about it will find the time well spent.

Delivering enough smash attacks to impose a cost that is significant compared to the bank’s free cash flow is far harder in reality than in cyberspace – you need quite a few people. The chance of getting caught each time is probably far greater on the streets, and you only need to get caught a few times before the cost spikes dramatically (i.e. someone realises that the same person keeps smashing ATMs and asks why, you go down for blackmail rather than crim dam).

The banks have every reason to keep cash machines cheap, cover them with CCTV cameras, and design them to fail-secure by breaking down easily under attack.

You say,

“Fraud migrates”

I actualy think “it evolves”, that is simple fraud works against an unsophisticated system, the users get hurt and scream the system operators are then forced to marginaly increase security.

However the criminal now knows from experiance that the improvment is only going to be small, therefor their previous fraud gives the funding and incentive to take the fraud to the next level and so on, and alows them to continue to recoup on their initial investment in associated procedures (fencing) to deal with their ill goton gains.

So the war starts, at each stage the defender has a choice, a simple / incremental improvment, or a major / quantum improvment. If they chose the former due to expediancy then the war goes on, if the later there is a reasonable chance they will raise the threshold beyond the attackers means.

It is almost exactly the same as EW / ECM / ECCM / ECCCM….

Likewise if the system operator had implemented a sensible level of security at the out set then the fraud would not have been started in the first place as it would have been to difficult / expensive for the attacking fraudster to gain the initial toe hold. However once in the attacker goes on to make further investment into the attack, and this gives the attacker an increased incentive to prolong the war.

The fact that the system operator was lazy / negligent / unknowing allowed a crack to appear in the system, and once it is there, the crack will be fourced open again and again unless the operator takes a sufficiently large step to prevent it.

Examples of this abound, the German Enigma is one of the earliest. The Sky Card system a more modern example, likewise the “set top box cube” that still bedevils cable operators. If at any point the system operators had taken a sensible look at their system security and not an expident look then the initial attack threshold would have been to dificult to cross.

To the fraudster, it is almost like a drug dependency, the initial fairly easy crack starts them off they then develop methods and systems to exploit it and they become hooked on hacking the system.

Therefor unless the system operator uses sufficient resources and makes the threshold to high for the attacker they are actually commiting themselves to an endless round of expensive incremental changes.

It is fairly easy to see that even in the short term it is more cost effective to commit the required resources to raise the threashold properly…

On your initial premise – “whether or not EMV is capable of sorting out the ATM fraud problem (also known as ‘phantom withdrawals’)” – I am afraid that the answer is clearly “no”. Phantom withdrawals are going to fall into one of the following categories:

1. Where the withdrawal actually happened and the customer is deliberately trying to defraud the bank (for those without long history in this debate, this is the long-held position as the only option by the UK banks) or, to be fair, the customer simply does not remember conducting the transaction (most of us have had nights out like that ).

2. Where the withdrawal was conducted with the customer’s genuine card and their pin, but not but the customer and without their permission. Often friends / family and not necessary with the customer having deliberately disclosed the pin (well-known numbers, seen the pin form, shoulder surfing …)

3. Where the card is forged and the pin captured through camera, bodged pin-pad, shoulder surfing etc. EMV should go some way towards making the card forging more difficult, provided fallback is disabled.

4. Simple (and non-malicious) error in the bank ATM or ledger systems. (Error in the ledger should be catchable by cross-reference to the ATM transaction logs, but if the ATM accidentally records the wrong card / account number …)

5. Casual (possible, but I can’t see how it could be done) or systematic fraud by bank staff or contractors (this would require multiple developers to be involved or some more local dodginess around authentication keys.)

There are some other (harder to do – normally needing stolen cards) attacks that apply to the smaller and simpler pay-for ATM estates but not to the main bank estates.

Addressing your main contentions:

* Is this a war that the banks can win?

Not the way you frame it. A bat through the screen will take any ATM out.

* How much of bank anti-fraud policy is really driven by economics, and how much by honour?

Some is driven by economics, much is driven by regulatory context and displeasure, a considerable amount by (the marketing department’s view of) public opinion, and a little by honour.

* Should security architects be designing security protocols and systems that try and write the crook totally out of the equation, or should we leave them a small (acceptable) window, lest they fight us on a battleground which is more costly? Think here of the problems suffered in South Africa by improving anti-theft security on cars; live hijackings and the like soared upwards

We need to consider holistic risk – already the most common attack is against cash delivery when it is in the street.

* What technologies can help us armour ATMs against denial of service?

Ah – sounds like a research project to me

S-E