[fc-discuss] Financial Cryptography Update: Breaking Payment Systems and other bog standard essentials

iang@iang.org iang@iang.org
Wed, 26 Oct 2005 16:11:43 +0100 (BST)

                            October 26, 2005
Many people have sent me pointers to _How ATM fraud nearly brought down
British banking_.  It's well worth reading as a governance story, as
good a one as I've ever seen!  In this case, a fairly bog standard
insider operation in a major British bank (not revealed, but I guess
everyone knows which one) raided some 2000 user accounts and probably
more.  They did all this through the bank's supposedly foolproof
transaction system, and the bank aided and abetted by refusing to
believe there was an issue!  Further, given the courts' willingness to
protect the banks' secrecy, one can say that the courts also aided and
abetted the crooks.

This is bog standard.  Once a system grows to a certain point, insider
fraud is almost a given, and it is to this that the wiser FCer turns.

 This is the story of how the UK banking system could have collapsed in
 the early 1990s, but for the forbearance of a junior barrister who also
 happened to be an expert in computer law - and who discovered that at
 the time the computing department of one of the banks issuing ATM cards
 had "gone rogue", cracking PINs and taking money from customers' accounts

As I say, this is a must-read, especially if you are new to FC.  Here's
news for local currency pundits on how easy it is to forge basic paper

In a world of home laser printers and multimedia PCs, counterfeiting
has become increasingly easy. With materials available at any office
supply store, those with a cursory knowledge of photo-editing software
can duplicate the business-card-size rewards cards once punched at Cold
Stone Creamery or the stamps once given out at Subway sandwich

Steven Bellovin reports that Skype have responded to criticisms over
their "secret cryptoprotocol."

Skype has released an external security evaluation of its product; you 
can find it at
(Skype was also clueful enough to publish the PGP signature of the
report, an excellent touch -- see 
The author of the report, Tom Berson, has been in this business for
many years; I have a great deal of respect for him.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

Predictably, people have pored over the report and criticised it, but
most have missed the point that unless you happen to have an NSA-built
phone on your desk, it's still more secure than anything else you have
available.  More usefully, Cubicle reports that there is an update to
Skype that repairs a few bugs.  As he includes some analysis of how to
exploit and create some worms... it might be worth it to plan on

The Blackhat in me salivates at the prospect. It's beautiful security
judo, leveraging tools designed to protect confidentiality (crypto) and
Availability (peer-to-peer) to better hide my nefarious doings. Combine
it with a skype API-based payload and you've got a Skype worm that can
leverage the implicit trust relationship of contact lists to propagate
further, all potentially wrapped inside Skype's own crypto.

Too bad the first that most of Skype's 60 million-and-growing users
will ever hear of it will be after someone who does pay attention to
these sorts of things decides they want to see if it's possible to
create a 60-million node botnet or retire after making The One Big
Score with SkypeOut and toll fraud.

Hey Skype, Ignoring Risk is Accepting Risk - NOT Avoiding it. Put this on
your main page while upgrading is still prevention rather than incident

A little hyperventilated, but consider yourself in need of a Skype
