Man Counterfeits bank ATM cards, Japan (Fwd)


Vin McLellan (vin@shore.net)
Thu, 29 Apr 1999 01:49:17 -0400


[From the ACM's RISKS Forum (20.34) - 4/28/99.]

Date: Thu, 29 Apr 1999 04:43:00 +0900 (JST)
From: Chiaki Ishikawa <Chiaki.Ishikawa@personal-media.co.jp>
Subject: A man charged with counterfeiting bank ATM cards

Lately about a dozen people whose accounts reside in two Japanese banks found
their money withdrawn by an unknown third party. Police began investigating
and found, from the video tape recordings of the ATM machines where the
withdrawals took place, that a man seemed to have used fake bank ATM cards and
withdrew the money from ATM machines in the Tokyo area.

Last week, the police arrested a man and charged him with the theft.

But how did this man find out about the existence of the bank accounts, and
how did he find the password or PIN? It turns out that the man worked for a
software company that subcontracted the reservation system maintenance for a
city-operated resort facility from an NTT group company. All the people
whose money was stolen had made a reservation at the city facility at least
once.

The city resort facility takes reservations from its citizens with advance
partial payment. The hitch is that when the applicant cancels the
reservation, the advance payment is returned to the applicant's bank
account. For this purpose, the city office records the bank account
information as well as other personal information such as telephone number,
address, etc. in the database. All this reservation and cancellation work
seems to be done via computer terminal.

The culprit, who works at the company that manages the host computer for the
reservation system, obviously had access to the reservation database
including the bank accounts (no encryption that keeps the maintenance
operator from looking inside?). So he could concoct a new ATM card by recording
the information onto a magnetic-strip card using a magnetic card writer.

Now the second big question is how he figured out the PIN. (The card itself
no longer carries the PIN on itself.) Well, it seemed easy to him. Since he
had access to the personal information such as telephone number, address,
etc., he seems to have made educated guesses, and obviously he succeeded. Sigh...

In the same article, some banks were quoted as thinking of making it
possible for customers to change the PIN regularly. (I am not sure if this
works well. If someone picks a bad password, will the person pick a good
password next time? There may be human risks here, but I am not sure.) For
that matter, PINs for bank ATM cards here in Japan are only 4 digits!
Shoulder-surfing certainly is possible.

Also, I just learned today that the culprit stole other people's bank
cards on trains and so forth so that he could overlay the stolen bank
account information on these cards to try his guessed PINs. Any
physical checking done by the card reader itself seems to have been
thwarted by the culprit's use of otherwise genuine ATM cards. However,
I don't know if any such checks are done by the card readers and cards
used today in Japan. Maybe the culprit was very cautious. Police
reportedly found fake credit cards as well at the culprit's home, so in
that case, a nice-looking hologram, etc. was necessary for
counterfeiting.

A few risk lessons from this incident:

Private databases with sensitive information should be encrypted so that only
the appropriate user can access their contents. The night-shift operator who
does backups can carry off a duplicate copy, etc. Also, proper auditing of access
to the database could deter such criminals. In this case, the city office
could use a PC as a terminal and use plain text information on that terminal
alone, and could store the encrypted information at the host computer managed
by the company where the culprit works. (Sure, searching against the
stored data records might be an issue here. But by storing the name in plain
text and the rest in encrypted form, it should pose no big problem IMHO.)

ATM cards should be hard to fake in the first place. The bank officials
were quoted in an Asahi Shimbun article as saying that making counterfeiting
like this impossible is very difficult technically.

I wonder if adding some information to the card, such as the MD5 checksum of
the concatenation of a closely kept secret master bank seed string + the
ordinary information on the card such as the branch number, account number,
holder's name, etc., could make the counterfeiting more difficult. Unless the
counterfeiter knows the secret seed string, it becomes impossible to fake the
ATM card. I guess such a scheme would make the counterfeiting very difficult. But
the bank people may not want to upgrade all the ATMs across the whole of
Japan at once, or it may be that the ATM card used today may not hold all
the MD5 digits, or even a reasonable length of it, capacity-wise. But probably
they'll be forced to upgrade the security anyway by social pressure in the
not too distant future. I was very surprised myself about this counterfeiting
being so easy.

Also, as has been said a million times, don't use obviously easy-to-guess
PINs based on your telephone number, birth date, etc. I am not sure if the
database in question contains the birth date for the purpose of the
reservation, but since the success rate seems to have been high, it
could. But if so, I will add another lesson here.

Don't collect unnecessary personal information. It will leak out
or be abused in some way or other. (Chiaki's law, a la Murphy's law.)

Will computer IC cards solve these counterfeiting problems in the future?

Chiaki Ishikawa <ishikawa@personal-media.co.jp.NoSpam>
Personal Media Corp., Shinagawa, Tokyo, Japan 142-0051
--------
  "Cryptography is like literacy in the Dark Ages. Infinitely potent,
for good and ill... yet basically an intellectual construct, an idea,
which by its nature will resist efforts to restrict it to bureaucrats
and others who deem only themselves worthy of such Privilege."
  _A Thinking Man's Creed for Crypto _vbm

 * Vin McLellan + The Privacy Guild + <vin@shore.net> *
      53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
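The keyed-digest idea raised in the forwarded post, as an added illustration that is not part of the original message and not any bank's actual scheme: the issuer writes a tag over the stripe fields computed with a secret only it holds, and the ATM or host recomputes it before honouring the card. HMAC-SHA256 is used here in place of the post's md5(seed + fields); the seed, the sample card fields and the 8-byte tag budget (standing in for the stripe capacity limit the post worries about) are all constructed.

```python
import hmac
import hashlib

# Constructed demo secret; in a real deployment the issuer key would live in an HSM.
ISSUER_SEED = b"constructed-demo-seed-not-a-real-key"
# Assumed stripe budget for the tag: the post notes a full digest may not fit.
TAG_BYTES = 8


def card_tag(branch, account, holder, seed=ISSUER_SEED):
    """Keyed tag over the card's fields. The post proposes md5(seed + fields);
    HMAC is used instead so the key and the field boundaries are unambiguous."""
    msg = "\x1f".join([branch, account, holder]).encode()
    return hmac.new(seed, msg, hashlib.sha256).digest()[:TAG_BYTES].hex()


def issue_card(branch, account, holder):
    """What the issuing bank writes to the magnetic stripe."""
    return {"branch": branch, "account": account, "holder": holder,
            "tag": card_tag(branch, account, holder)}


def verify_card(stripe, seed=ISSUER_SEED):
    """ATM/host-side check: recompute the tag and compare in constant time."""
    expected = card_tag(stripe["branch"], stripe["account"], stripe["holder"], seed)
    return hmac.compare_digest(expected, stripe.get("tag", ""))


# Constructed sample card.
genuine = issue_card("123", "4567890", "TARO YAMADA")

# A card assembled from reservation-database fields only: branch, account and
# name are known, but without the seed no valid tag can be produced.
forged_from_db = {"branch": "123", "account": "4567890",
                  "holder": "TARO YAMADA", "tag": ""}
forged_guessed = dict(forged_from_db,
                      tag=hashlib.md5(b"guess").hexdigest()[:2 * TAG_BYTES])


def demo():
    return {
        "genuine": verify_card(genuine),
        "forged_from_db": verify_card(forged_from_db),
        "forged_guessed_tag": verify_card(forged_guessed),
        # Limitation: a bit-for-bit copy of a genuine stripe still verifies.
        # The tag binds the fields to the issuer, not the stripe to the plastic,
        # so it stops fabrication from leaked records, not stripe cloning.
        "cloned_stripe": verify_card(dict(genuine)),
    }
```

The last entry in demo() is the caveat worth remembering: this check defeats cards built from a leaked database, which is the attack in the post, but not a skimmed copy of a real stripe, which needs a different control.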




The following archive was created by hippie-mail 7.98617-22 on Thu May 27 1999 - 23:44:23