Light Blue Touchpaper

The Federal Reserve commissioned me to research and write a paper on fraud, risk and nonbank payment systems. I found that phishing is facilitated by payment systems like eGold and Western Union which make the recovery of stolen funds more difficult. Traditional payment systems like cheques and credit card payments are revocable; cheques can bounce and credit card charges can be charged back. However some modern systems provide irrevocability without charging an appropriate risk premium, and this attracts the bad guys. (After I submitted the paper, and before it was presented on Friday, eGold was indicted.)

I also became convinced that the financial market controls used to fight fraud, money laundering and terrorist finance have become unbalanced as they have been beefed up post-9/11. The modern obsession with ‘identity’ - of asking even poor people living in huts in Africa for an ID document and two utility bills before they can open a bank account - is not only ridiculous and often discriminatory. It’s led banks and regulators to take their eye off the ball, and to replace risk reduction with due diligence.

In real life, following the money is just as important as following the man. It’s time for the system to be rebalanced.

An article in the Guardian, and a more detailed story in PC Pro, give the background to Operation Ore. In this operation, hundreds (and possibly thousands) of innocent men were raided by the police on suspicion of downloading child pornography, when in fact they had simply been victims of credit card fraud. The police appear to have completely misunderstood the forensic evidence; once the light began to dawn, it seems that they closed ranks and covered up. These stories follow an earlier piece in PC Pro which first brought the problem to public attention in 2005.

Recently we were asked by the Lords Science and Technology Committee whether failures of online security caused real problems, or were exaggerated. While there is no doubt that many people talk up the threats, here is a real case in which online fraud has done much worse harm than simply emptying bank accounts. Having the police turn up at six in the morning, search your house, tell your wife that you’re a suspected pedophile, and with social workers in tow to interview your children, must be a horrific experience. Over thirty men have killed themselves. At least one appears to have been innocent. As this story develops, I believe it will come to be seen as the worst policing scandal in the UK for many years.

I remarked recently that it was a bad idea for the police to depend on the banks for expertise on card fraud, and to accept their money to fund such investigations as the banks wanted carried out. Although Home Office and DTI ministers say they’re happy with these arrangements, the tragic events of Operation Ore show that the police should not compromise their independence and their technical capability for short-term political or financial convenience. The results can simply be tragic.

Today’s news coverage of the theft of 46m credit card numbers from TK Maxx underlines a number of important issues in security, economics and regulation. First, US cardholders are treated much better than customers here - over there, the store will have to write to them and apologise. Here, cardholders might not have been told at all were it not that some US cardholders also had their data stolen from the computer centre in Watford. We need a breach reporting law in the UK; even the ICO agrees.

Second, from the end of this month, UK citizens won’t be able to report bank or card fraud to the police; you’ll have to report it to the bank instead, which may or may not then report it to the police. (The Home Office wants to massage the crime statistics downwards, while the banks want to be able to control and direct such police investigations as take place.)

Third, this week the UK government agreed to support the EU Payment Services Directive, which (unless the European Parliament amends it) looks set to level down consumer protection against card fraud in Europe to the lowest common denominator.

Oh, and I think it’s disgraceful that the police’s Dedicated Cheque and Plastic Crime Unit is jointly funded and staffed by the banks. The Financial Ombudsman service, which is also funded by the banks, is notoriously biased against cardholders, and it’s not acceptable for the police to follow them down that path. When bankers tell customers who complain about fraud ‘Our systems are secure so it must be your fault’, that’s fraud. Police officers should not side with fraudsters against their victims. And it’s not just financial crime investigations that suffer because policemen leave it to the banks to investigate and adjudicate card fraud; when policemen don’t understand fraud, they screw up elsewhere too. For example, there have been dozens of cases where people whose credit card numbers were stolen and used to buy child pornography were wrongfully prosecuted, including at least one tragic case.

The Financial Ombudsman Service offers to adjudicate disputes between banks and their customers who claim to have been treated unfairly. We were forwarded a letter written by the Ombudsman concerning a complaint by a Halifax customer over unauthorised ATM withdrawals. I am not familiar with the details of this particular case, but the letter does give a good illustration of how the complaint procedure is stacked against customers.

The customer had requested further information from Halifax (the Firm) and the Financial Ombudsman Service (this Service) had replied:

However this Service has already been presented with the evidence you have requested from the Firm and I comment on it as follows. Although you have requested this information from the Firm yourself (and I consider that it is not obliged to provide it to you) I conclude that this will not make any difference, because this Service has already reviewed this information.

The right of parties in dispute to see the evidence involved is a basic component of justice systems, but the Financial Ombudsman has clearly not heard of this, but then again they are funded by the banks. While the bank can have their own experts examine the evidence, the customer cannot do the same. Although the Financial Ombudsman service can review the evidence, giving it to the customer would allow them to pursue further investigation on their own.

The Firm has provided an ‘audit trail’ of the transactions disputed by you. This shows the location and times of the transactions and evidences that the card used was ‘CHIP’ read.

Without access to the audit trail and information concerning how it was produced, it is almost impossible for the customer to know the precise details of the transaction. Based solely on the letter, there are still a number of important unanswered questions. For example:

Was the card in question SDA or DDA?

SDA cards can be cloned to produce yes cards, which will accept any PIN and still work in offline transactions, where the terminal or ATM does not contact the bank. This type of fraud has been seen in France (pp. 5–10).

Was the ATM online or offline at the time of the transaction?

Although ATMs are generally online, if Chip & PIN terminals fail to dial up the bank they may continue to work offline and so accept SDA clones. Could this have happened with this ATM?

What was the application cryptogram presented in this transaction?

When a Chip & PIN card authorises a transaction, it produces an application cryptogram which allows the bank to verify that the card is legitimate. A yes card would not produce the correct application cryptogram.

What is the key for the card?

The application cryptogram is produced using a cryptographic key known only by the card and bank. With this and some other information the customer could confirm that the application cryptogram really came from his card. Since the card has long since been cancelled, releasing this key should not be a security risk. If the banks are not storing this information, how can they be sure that their systems are operating correctly?

It seems unlikely that the Financial Ombudsman knew which of these events have occurred either, otherwise I would have expected them to say so in their letter.

As we have already advised you, since the advent of CHIP and PIN, this Service is not aware of any incidents where a card with a ‘CHIP’ has been successfully cloned by fraudsters so that it could be used by them successfully in a cash machine.

Besides the scenarios mentioned above, our demonstration for Watchdog showed how, even without cloning a card, a Chip & PIN terminal could be fooled into accepting a counterfeit. Assuming this ATM read the chip rather than the magnetic stripe, our attack would work just as well there. The situation surrounding this particular case might preclude a relay attack, but it is one of many possibilities that ought to be eliminated in a serious investigation.

Although you question The Firm’s security systems, I consider that the audit trail provided is in a format utilised by several major banks and therefore can be relied upon.

The format of the audit trail is no indication of whether the information it records is a true and complete representation of what actually happened and it is almost ludicrous to suggest that. Even if it were, the fact that several banks are using it is no indication of its security. To actually establish these facts, external scrutiny is required and, without access to bank’s systems, customers are not a position to arrange for this.

So the banking dispute resolution process works well for the banks, by reducing their litigation costs, but not well for their customers. If customers go to the Ombudsman, they risk being asked to prove their innocence without being given access to the information necessary to do so. Instead, they could go directly to the courts, but while the bank might accuse customers of not following proper procedures, if they win there they can at least send in the bailiffs.

Saar Drimer and myself have shown that the Chip & PIN system, used for card payments in the UK, is vulnerable to a new kind of fraud. By “relaying” information from a genuine card, a Chip & PIN terminal in another shop, can be made to accept a counterfeit card. We previously discussed this possibility in “Chip & Spin” but it was not until now that we implemented and tested the attack.

A fraudster sets up a fake terminal in a busy shop or restaurant. When a genuine customer inserts their card into this terminal, the fraudster’s accomplice, in another shop, inserts their counterfeit card into the merchant’s terminal. The fake terminal reads details from the genuine card, and relays them to the counterfeit card, so that it will be accepted. The PIN is recorded by the fake terminal and sent to the accomplice for them to enter, and they can then walk off with the goods. To the victim, everything was normal, but when their statement arrives, they will find that they have been defrauded.

From the banks’ perspective, there will be nothing unusual about this transaction. To them, it will seem as if the real card was used, with a chip and along with the correct PIN. Banks have previously claimed that if a fraudulent Chip & PIN transaction was placed, then the customer must have been negligent in protecting their card and PIN, and so must be liable. This work shows that despite customers taking all due care in using their card, they can still be the victim of fraud.

For more information, we have a summary of the technique and FAQ. This attack will be featured on Watchdog, tonight (6 February) at 19:00 GMT on BBC One. The programme will show how we successfully sent details between two shops in the same street, but it should work equally well, via mobile phone, to the other side of the world.

It is unlikely that criminals are currently using techniques such as this, as there are less sophisticated attacks which Chip & PIN remains vulnerable to. However, as security is improved, the relay attack may become a significant source of fraud. Therefore, it is important that defences against this attack are deployed sooner rather than later. We discuss defences in our draft academic paper, submitted for review at a peer reviewed conference.

Update (2007-01-10): The segment of Watchdog featuring our contribution has been posted to YouTube.

Many discussions over the security of Chip & PIN have focused on the tamper-resistance of terminals (for example in the aftermath of the Shell Chip & PIN fraud). It is important to remember, however, that even perfect tamper resistance only ensures that the terminal will no longer be able to communicate with the bank once opened. It does not prevent anyone from replacing most of the terminal’s hardware and presenting it to customers as legitimate, so freely collecting card details and PINs.

Steven Murdoch and myself took the chassis of a real terminal and replaced much of the internal electronics such that it allows us to control the screen, keypad and card-reader. Steven suggested that in order to show that it is completely under our control, we should make it play Tetris (similarly to the guys who made a voting machine play chess). We recorded a short video showing our Tetris playing terminal in action. Have a merry Christmas and happy New Year

Update (2007-01-03): The video is now on YouTube.

Update (2007-01-05): The Association for Payment Clearing Services
(APACS) has responded:

APACS, the payments organisation representing high street banks, said the Cambridge breakthrough could be a threat.

‘People could, in theory, use this to steal account details from cards,’ said Sandra Quinn of APACS. ‘Our experts are in discussion with the manufacturers of terminals to see what can be done. Essentially what these people have done is replace the innards of a chip and Pin machine.

‘However, we would say that this has only been seen in a laboratory so far. People would not be able to create counterfeit chip and Pin cards, but they could use this information abroad to make purchases.’

(more…)

The 23rd Chaos Communication Congress will be held later this month in Berlin, Germany on 27–30 December. I will be attending to give a talk on Hot or Not: Revealing Hidden Services by their Clock Skew. Another contributor to this blog, George Danezis, will be talking on An Introduction to Traffic Analysis.

This will be my third time speaking at the CCC (I previously talked on Hidden Data in Internet Published Documents and The Convergence of Anti-Counterfeiting and Computer Security in 2004 then Covert channels in TCP/IP: attack and defence in 2005) and I’ve always had a great time but this year looks to be the best yet. Here are a few highlights from the draft programme, although I am sure there are many great talks I have missed.

• Bernd R. Fix on A not so smart card — one of the rare cases where key length (320 bit RSA) was the major weakness in a security system
• Caspar Bowden, Chief Privacy Advisor, Microsoft EMEA (and former director of FIPR) on Transparency and Privacy, covering Kim Cameron’s 7 laws of identity
• Ilja (who has an amazing ability to exploit seemingly unexploitable bugs) on Unusual bugs and You can’t make this stuff up
• Jacob Appelbaum and Ralf-Philipp Weinmann on Unlocking FileVault — Jacob was at the CCC last year giving a summary of disk encryption systems; now he is back to go into more detail on the one from MacOS X
• Joanna Rutkowska, author of the Nushu TCP/IP steganography scheme (which I discussed in my paper on this topic) and the Blue Pill virtualization based rootkit, will be talking on Stealth malware — can good guys win?
• Melanie Rieback on A Hacker’s Toolkit for RFID Emulation and Jamming — covering the RFID Guardian, as featured on Schneier’s blog, Boing Boing and Slashdot. Melanie gave a talk on an early version of this project at the International Workshop on Security Protocols so I will be interested to see how it has progressed
• Roger Dingledine (co-designer of Tor) on Tor and China — censorship resistance has been a major interest of mine, particularly since I started working for the OpenNet Initiative
• Rop Gonggrijp on We don’t trust voting computers — from the team who made a Dutch voting computer play chess

It’s looking like a great line-up, so I hope many of you can make it. See you there!

EMV (or “Chip and PIN” as it’s known in the UK) is changing the fraud landscape, no doubt about it. Counterfeit card fraud at POS is down, card theft is down, card-not-present is up, phishing is up, ATM fraud is up. Fraud migrates, we get the picture. But as EMV reaches maximal deployment in the next five years or so, the banks and other investors in this technology are hoping that the flood will abate to a trickle, and that some holes can be totally plugged.

I’ve been thinking about whether or not EMV is capable of sorting out the ATM fraud problem (also known as “phantom withdrawals”) once and for all. Well as I wandered around town this afternoon, I snapped some pics at WH Smiths this afternoon of an ATM in distress, and it reminded me how horribly vulnerable our ATM infrastructure is.

It’s not just the “look of vulnerability” exuded by them… like these cheap wafer-locks on the housing of the aforementioned ATM (I’m sure there must be a better lock before the cash safe itself), it’s that all the security is based around keeping the money and the secrets safe, and very little attention is focussed on keeping the machine alive and operating.

Read on to find out my master plan…

(more…)

The banks are thinking about introducing a new anti-phising meaure called the ‘chip authentication protocol’. How it works is that each customer gets a device like a pocket calculator in which you put your ‘chip and PIN’ (EMV) card, enter your PIN (the same PIN you use for ATMs), and it will display a one-time authentication code that you’ll use to log on to your electronic banking service, instead of the current password and security question. The code will be computed by the card, which will encrypt a transaction counter using the EMV authentication cryptogram generation key - the same key the EMV protocol uses to generate a MAC on an ATM or store transaction. The use model is that everyone will have a CAP calculator; you’ll usually use your own, but can lend it to a friend if he’s caught short.

I can see several problems with this. First, when your wallet gets nicked the thief will be able to read your PIN digits from the calculator - they will be the dirty and worn keys. If you just use one bank card, then the thief’s chance of guessing your PIN in 3 tries has just come down from about 1 in 3000 to about 1 in 10. Second, when you use your card in a Mafia-owned shop (or in a shop whose terminals have been quietly reprogrammed) the bad guys have everything they need to loot your account. Not only that - they can compute a series of CAP codes to give them access in the future, and use your account for wicked purposes such as money laundering. Oh, and once all UK banks (not just Coutts) use one-time passwords, the phishermen will just rewrite their scripts to do real-time man-in-the-middle attacks.

I suspect the idea of trying to have a uniform UK solution to the phishing problem may be misguided. Bankers are herd animals by nature, but herding is a maladaptive response to phishing and other automated attacks. It might be better to go to the other extreme, and have a different interface for each customer. Life would be harder for the phishermen, for example, if I never got an email from the NatWest but only ever from Bernie Smith my ‘relationship banker’ - and if I were clearly instructed that if anyone other than Bernie ever emailed me from the NatWest then it was a scam. But I don’t expect that the banks will start to act rationally on security until the liability issues get fixed.

After almost 3 years of problem-free banking in the UK I recently received the following letter from HSBC’s “Accounts Review Team”. It advised me that the HSBC group no longer wished to have me as a customer and that I had 30 days to move my banking to an establishment in no way connected to HSBC, before they would close my account. Confident that I had not indulged in any illegal activity recently, and concerned about their reasons for taking such action, I attempted several times to phone the number given in the letter, unsuccessfully reaching a “we are busy, please try again” recording each time. Visiting my home branch was not much more helpful as they claimed that the information had not been shared with them. I was advised to make a written complaint and was told that the branch had already referred the matter, as a number of customers had come in with similar letters.

After two written complaints and a phone call to customer services, a member of the “Team” finally contacted me. She enquired about a single international deposit into my account, which I then explained to be my study grant for the coming year. Upon this explanation I was told that the bank would not close my account, and I was given a vague explanation of them not expecting students to get large deposits. I found this strange, since it had not been a problem in previous years, and even stranger since my deposit had cleared into my account two days after the letter was sent. In terms of recent “suspicious” transactions, this left only two recent international deposits: one from my parents overseas and one from my savings, neither of which could be classified as large. I’m not an expert on complex behavioural analysis networks and fraud detection within banking systems, but would expect that study grants and family support are not unexpected for students? Moreover, rather than this being an isolated incident, it would seem that HSBC’s “account review” affected a number of people within our student community, some of whom might choose not to question the decision and may be left without bank accounts. This should raise questions about the effectiveness of their fraud detection system, or possibly a flawed behaviour model for a specific demographic.

My account is now restored, but I have still had no satisfactory explanation as to why the decision was made to close my account, nor do I know how this sorry affair will affect my future banking and credit rating. Would an attempt to transfer my account have caused HSBC’s negative opinion of me to spread to other institutions? A security mechanism that yields false positives or recommends a disproportionate reaction, e.g. closing an account based on a single unexpected transaction, should be seen as somewhat flawed. The end result is that the system runs on a guilty until proven innocent premise, with the onus for correcting marginal calls placed on the customer. Ultimately the bank will claim that these mechanisms are designed to protect the customer, but in the end randomly threatening to close my account does not make me feel any safer.