ATM, Bank Card Security Getting Worse

Vulnerabilities Identified but Fixes Aren't So Easy

By Martin H. Bosworth
ConsumerAffairs.com

November 21, 2006

Identity Theft

• FTC Proposes Ways to Reduce Identity Theft
• "Underground Economy" for Crime Thrives, Report Says
• Feds Issue New Identity Theft Recommendations
• Identity Theft: One Woman's Story, Eight Months Later
• Consumers Cautioned About Voter Registration Scams
• Young Adults Seen As Prime Identity Theft Targets
• Researchers Find Security Flaws In Online Banking Sites
• 'Red Flags Rules' for Identity Theft on the Way
• Identity Theft: One Woman's Story
• Xbox or PC Stolen? Don't Forget to Cancel Your Credit Cards
• Identity Theft a Growth Industry in Texas Border Towns
• FTC Warns Consumers About Tax Rebate Scams
• Big Banks, Telcos Top Identity Theft List
• Identity Theft Tops FTC Complaint List Again
• Study Claims Identity Theft 'Continues To Decline'
• 650,000 Retail Customers Exposed In Data Breach
• Children Becoming Prime Identity Theft Targets
• FTC Finds 8 Million Identity Theft Cases
• New Jersey Wants Banks to Help Fight Phishing Scams
---
• More ...

The ATM is such a ubiquitous staple of life now that we don't even think about the process of putting the bank card in and taking money out anymore.

ATMs have so many bells and whistles attached to them -- ordering movie tickets, watching ads, or making phone calls -- that the act of withdrawing money from your account seems almost an afterthought.

Unfortunately, that same nonchalance may be catching on with banks.

Several recent incidents indicate that that it's easier than ever to not only hack an ATM and steal all the cash, but to steal a bank customer's PIN number and drain their checking account without them ever being the wiser.

Dancing On A PIN

According to "The Unbearable Lightness of PIN Cracking," a new report released by a pair of Israeli security researchers, a weakness in how PINs are transmitted across global financial networks could enable unscrupulous bank employees to crack a cardholder's PIN using as few as one or two guesses.

The flaw could enable crooked insiders to gain access to a PIN if the cardholder withdraws money from their bank, even if the cardholder's money is in another bank. It could also be used to generate new PINs that would work just as well as the legitimate number.

Researchers Odelia Moshe Ostrovsky and Omer Berkman demonstrated several weaknesses in the "chain" a PIN goes through when it is transmitted from the machine a user enters it into, through a series of "switches," to the verifying bank that the user does businesses with.

One weakness centers around the "translation" of PINs as they go through the chain, while another targets ATMs that enable users to select PINs during online banking.

Ostrovsky, of Algorithmic Research (ARX), and Berkman determined that even if the issuing bank addressed every possible vulnerability on their end, customers would still be vulnerable to attacks along the chain if other banks did not improve their systems.

"To be protected from this attack, countermeasures in all verification paths to the issuer must be taken," they said. "As this is unrealistic, solutions outside the standard must be sought."

The two researchers claimed that the vulnerabilities could account for many unexplained instances of "phantom withdrawals" from cardholders' accounts.

"The attacks are so simple and practical that issuers may have to admit liability not only for future cases but even retroactively, " they said. "The attacks can be applied on such a large scale...that such liability can be enormous."

The authors went public with their research after presenting it to major credit card issuers and banks, none of whom acted on the information.

MP3 vs. ATM

Sometimes it doesn't take a sophisticated hack attack or the work of greedy insiders to break a bank network open. In one case, all it took was a simple MP3 player.

Manchester, England resident Maxwell Parsons was recently convicted of stealing 200,000 pounds from cash machines throughout Britain. Parsons would find "free-standing" ATM machines, plug his MP3 player into the back, and record the tones of the keys when users would input the PIN numbers.

Parsons would then run the recorded tones through separate software programs to decipher them, and created "clone" cards which he then encoded with the recorded PINS, according to a report in The Register.

Parsons was arrested by sheer luck when he was pulled over for an illegal U-turn in London. The police found a fake bank card in his wallet, and after searching his residence, turned up 26 other fake cards, 18 of which were cloned.

Parsons was sentenced to 32 months in prison for deception and unlawful interception of communications transmissions. The authorities believed he was the ringleader of a gang, The Times reported.

Representatives of the U.K. banking industry claimed to be so shaken by the incident that they planned to move immediately to fix the flaws in free-standing machines to prevent similar crimes.

What You Can Do

• Avoid using any ATM machine that looks like it's been tampered with or damaged in any way. If you see people loitering around an ATM who don't seem to be getting money out, find another one to use.

• Try to stick to ATMs from your bank or in your credit union's network. It won't remove vulnerability to fraud, but it can reduce it -- and you'll be saving yourself extra money by not incurring withdrawal fees from ATMs.

• When using an ATM, shield the keypad from view so that your PIN can't be seen by onlookers.

• Keep receipts from ATM withdrawals at the time of the transaction, but be sure to destroy or shred them later.

• Regularly check your bank account or statements for unusual activity.

More Information

The complete text of "The Unbearable Lightness of PIN Cracking" is available online as a .pdf document.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Share		Follow us on Twitter.

FREE CONSUMER NEWSLETTERS
The Daily Consumer Afternoons M-F Sign up now!	Consumer News & Alerts Every Sunday Sign up now!

CONSUMER NEWS

ConsumerAffairs.com on Facebook

SAFETY RECALLS

MOST-VIEWED PAGES

NEW COMPLAINTS

Allied American Warranty
Battery Doctors
Dollar Tree
Robert Zitofsky, DDS, West Haverstraw, NY
Country Lane Pups, Purdy, MO
Bayport Credit Union
Valley View Bank, Overland Park, KS
Victory Nissan, Chesapeake, VA
Victory Nissan, Richmond, VA
Napleton Chrysler Jeep Dodge, Kissimmee, FL

Back to the top |

Custom Search

AUTOMOTIVE
• Dealers
• Manufacturers
• Service
• Extended Warranties
• Lemon Laws
• Recalls
• Tires
• Transporters

FAMILY
• Aging
• Children, Parenting
• Recalls
• Dating
• Education
• Entertainment
• Pets
• Weddings

FINANCE
• Annuities
• Banks
• Credit Cards
• Debt Collection
• Debt Counseling
• Insurance
• Investing
• Loans
• Mortgages
• Payday Loans
• Student Loans
• Tax Prep

HEALTH
• Doctors
• Drugs, Pharmacies
• Health Clubs
• Hearing Care
• Hospitals
• Nursing Homes
• Nutrition, Diets
• Vision Care
• Weight Loss

HOUSE & HOME
• Appliances
• Cookware
• Furniture
• Home Improvements
• Lawn & Garden
• Movers
• Pools & Spas
• Realtors, Rental Agents
• Recalls
• Utilities

ELECTRONICS
• Cable TV/DBS
• Cameras
• Cell Phones
• Computers
• Home Electronics
• Internet Access
• Local Phone Service
• Long Distance
• VoIP

SHOPPING
• In-Home
• Online
• Retail Stores
• Sporting Goods
• Supermarkets
• Telemarketers

TRAVEL
• Airlines
• Bus Lines
• Car Rental
• Cruises
• Hotels
• Travel Agents
• Trains

RESOURCES
• Class Actions
• Complaint Form
• Small Claims Guide
• Lemon Laws

CONSUMER NEWS
• Latest News
• Automotive
• Telecom
• Financial
• Health
• Homeowners
• Scams
• Seniors
• Travel
• More ...

RECALLS
• Automotive
• Children's Products
• Drugs
• Food
• Household Products
• Sporting Goods

ABOUT US
• FAQ
• Privacy Policy
• Advertise With Us
• Newsroom
• Syndication
• Terms of Use

Terms of Use Your use of this site constitutes acceptance of the Terms of Use

Advertisements on this site are placed and controlled by outside advertising networks. ConsumerAffairs.com does not evaluate or endorse the products and services advertised. See the FAQ for more information.

Company Response Welcome If complaints about your company appear on our site, we welcome your response. Please see the Response Form for more information.

For more information, see the FAQ and privacy policy. The information on this Web site is general in nature and is not intended as a substitute for competent legal advice. ConsumerAffairs.com Inc. makes no representation as to the accuracy of the information herein provided and assumes no liability for any damages or loss arising from the use thereof.