Prominent among public fantasies about hackers is the one where
banks are entered electronically, accounts examined and some money
moved from one to another. The fantasies, bolstered by
under-researched low-budget movies and tv features, arise from
confusing the details of several actual happenings.
Most 'remote stealing' from banks or illicit obtaining of account
details touch computers only incidentally and involve straightforward
fraud, conning or bribery of bank employees. In fact, when
you think about the effort involved, human methods would be much more
cost-effective for the criminal. For hackers, however, the very
considerable effort that has been made to provide security makes the
systems a great challenge in them- selves.
In the United Kingdom, the banking scene is dominated by a handful
of large companies with many branches. Cheque clearing and account
maintenance are conducted under conditions of high security with
considerable isolation of key elements; inter-bank transactions in
the UK go through a scheme called CHAPS, Clearing House Automatic
Payments System, which uses the X.25 packet switching protocols
The network is based on Tandem machines; half of each
machine is common to the network and half unique to the bank. The
encryption standard used is the US Data Encryption Standard. Certain
parts of the network, relating to the en- and de-cryption of
messages, apparently auto-destruct if tampered with.
The service started early in 1984. The international equivalent
is SWIFT (Society for Worldwide Interbank Financial Transactions);
this is also X.25- based and it handles about half-a-million messages
a day. If you want to learn someone's balance, the easiest and most
reliable way to obtain it is with a plausible call to the local
branch. If you want some easy money, steal a cheque book and cheque
card and practise signature imitation. Or, on a grander scale, follow
the example of the £780,000 kruggerand fraud in the City. Thieves
intercepted a telephone call from a solicitor or bank manager to
'authenticate' forged drafts; the gold coins were then delivered to a
bogus company.
In the United States, where federal law limits the size of an
individual bank's operations and in international banking, direct
attacks on banks has been much easier because the technology adopted
is much cruder and more use is made of public phone and telex lines.
One of the favourite techniques has been to send fake authorisations
for money transfers. This was the approach used against the Security
National Pacific Bank by Stanley Rifkin and a Russian diamond dealer
in Geneva. $10.2m moved from bank to bank across the United States
and beyond. Rifkin obtained code numbers used in the bilateral Test
Keys. The trick is to spot weaknesses in the cryptographic systems
used in such authorisations. The specifications for the systems
themselves are openly published; one computer security expert, Leslie
Goldberg, was recently able to take apart one scheme--proposed but
not actually implemented--and show that much of the 'key' that was
supposed to give high level cryptographic security was technically
redundant, and could be virtually ignored. A surprisingly full
account of his 'perfect' fraud appears in a 1980 issue of the journal
Computer Fraud and Security Bulletin.
There are, however, a few areas where banking is becoming
vulnerable to the less mathematically literate hacker. A number of
international banks are offering their big corporation customers
special facilities so that their Treasury Departments (which ensure,
among other things, that any spare million dollars are not left doing
nothing over night but are earning short-term interest) can have
direct access to their account details via a PC on dial-up. Again,
telebanking is now available via Prestel and some of its overseas
imitators. Although such services use several layers of passwords to
validate transactions, if those passwords are mis-acquired, since no
signatures are involved, the bank account becomes vulnerable.
Finally, the network of ATMs (hole-in-the-wall cash machines) is
expanding greatly. As mentioned early in this book, hackers have
identified a number of bugs in the machines. None of them,
incidentally, lead directly to fraud. These machines allow cardholders
to extract cash up to a finite limit each week (usually
£100). The magnetic stripe contains the account number, validation
details of the owner's PIN (Personal Identity Number), usually 4
digits, and a record of how much cash has been drawn that week. The
ATM is usually off-line to the bank's main computer and only goes
on-line in two circumstances--first, during business hours, to
respond to a customer's 'balance request'; and second, outside
regular hours, to take into local memory lists of invalid cards which
should not be returned to the customer, and to dump out cheque book
and printed statement requests.
Hackers have found ways of getting more than their cash limit each
week. The ATMs belonging to one clearing bank could be 'cheated' in
this way: you asked for your maximum amount and then, when the
transaction was almost completed, the ATM asked you 'Do you want
another transaction, Yes/No?' If you responded 'yes' you could then
ask for--and get--your credit limit again, and again, and again. The
weakness in the system was that the magnetic stripe was not
overwritten to show you had had a transaction till it was physically
ejected from the machine. This bug has now been fixed.
A related but more bizarre bug resided for a while on the ATMs
used by that first bank's most obvious High Street rivals. In that
case, you had to first exhaust your week's limit. You then asked for
a further sum, say £75. The machine refused but asked if you wanted a
further transaction. Then, you slowly decremented the amounts you
were asking for by £5...70, 65, 60...and so on, down to £10. You then
told the ATM to cancel the last £5 transaction...and the machine gave
you the full £75. Some hackers firmly believe the bug was placed
there by the original software writer. This bug too has now been
fixed.
Neither of these quirks resulted in hackers 'winning' money from
the banks involved; the accounts were in every case, properly
debited. The only victory was to beat the system. For the future, I
note that the cost of magnetic stripe reader/writers which interface
to PCs is dropping to very low levels. I await the first inevitable
news reports.
No comments:
Post a Comment