[fc-discuss] Financial Cryptography Update: Breaking Payment Systems and other bog standard essentials
iang@iang.org
Wed, 26 Oct 2005 16:11:43 +0100 (BST)
Financial Cryptography Update: Breaking Payment Systems and other bog standard essentials
October 26, 2005
------------------------------------------------------------------------
https://www.financialcryptography.com/mt/archives/000578.html
------------------------------------------------------------------------
Many people have sent me pointers to _How ATM fraud nearly brought down
British banking_. It's well worth reading as a governance story; it's
as good a one as I've ever seen! In this case, a fairly bog standard
insider operation in a major British bank (not revealed, but I guess
everyone knows which one) raided some 2000 user accounts and probably
more. They did all this through the bank's supposedly foolproof
transaction system, and the bank aided and abetted by refusing to
believe there was an issue! Further, given the courts' willingness to
protect the banks' secrecy, one can say that the courts also aided and
abetted the crooks.
This is bog standard. Once a system grows to a certain point, insider
fraud is almost a given, and it is to this that the wiser FCer turns.
http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/
========8<=============8<=======
This is the story of how the UK banking system could have collapsed in
the early 1990s, but for the forbearance of a junior barrister who also
happened to be an expert in computer law - and who discovered that at
that time the computing department of one of the banks issuing ATM cards
had "gone rogue", cracking PINs and taking money from customers' accounts
with abandon.
=======>8============>8=========
As I say, this is a must-read, especially if you are new to FC. Here's
news for local currency pundits on how easy it is to forge basic paper
tokens.
http://www.wired.com/news/business/0,1367,68909,00.html
========8<=============8<=======
In a world of home laser printers and multimedia PCs, counterfeiting
has become increasingly easy. With materials available at any office
supply store, those with a cursory knowledge of photo-editing software
can duplicate the business-card-size rewards cards once punched at Cold
Stone Creamery or the stamps once given out at Subway sandwich
sho........
=======>8============>8=========
Steven Bellovin reports that Skype have responded to criticisms over
their "secret cryptoprotocol."
========8<=============8<=======
Skype has released an external security evaluation of its product; you
can find it at
http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf
(Skype was also clueful enough to publish the PGP signature of the
report, an excellent touch -- see
http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf.sig)
The author of the report, Tom Berson, has been in this business for
many years; I have a great deal of respect for him.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
=======>8============>8=========
Predictably, people have pored over the report and criticised it, but
most have missed the point that unless you happen to have an NSA-built
phone on your desk, it's still more secure than anything else you have
available. More usefully, Cubicle reports that there is an update to
Skype that repairs a few bugs. As he includes some analysis of how to
exploit them and create some worms... it might be worth it to plan on
updating:
http://thurston.halfcat.org/blog/?p=260
http://www.eweek.com/article2/0,1895,1877052,00.asp
========8<=============8<=======
The Blackhat in me salivates at the prospect. It’s beautiful security
judo, leveraging tools designed to protect confidentiality (crypto) and
Availability (peer-to-peer) to better hide my nefarious doings. Combine
it with a skype API-based payload and you’ve got a Skype worm that can
leverage the implicit trust relationship of contact lists to propagate
further, all potentially wrapped inside Skype’s own crypto.
Too bad the first that most of Skype’s 60 million-and-growing users
will ever hear of it will be after someone who does pay attention to
these sorts of things decides they want to see if it’s possible to
create a 60-million node botnet or retire after making The One Big
Score with SkypeOut and toll fraud.
Hey Skype, Ignoring Risk is Accepting Risk–NOT Avoiding it. Put this on
your main page while upgrading is still prevention rather than incident
response.
=======>8============>8=========
A little hyperventilated, but consider yourself in need of a Skype
upgrade.