We live in an age where even crime is cyber and global. Last week’s news shows that in a matter of hours, a sophisticated worldwide operation secured the cash from ATMs in over 20 countries. There were several weak links left exposed in the complex financial transaction security network.
Firstly, the cards used were pre-paid magnetic stripe cards, which are very easy to create and clone. The magnetic stripe card data was retrieved from the back-end systems. The data then only needed to be transmitted over the Internet around the globe and copied locally to blank magnetic stripe cards (such as hotel key cards). The cloned cards were then distributed to individuals in each country, enabling money to be retrieved from ATMs all over the world with the same account data over and over again.
As the data was from prepaid debit cards, the transaction amount was subtracted from the preloaded balance; this circumvents most real-time network checks and network security mechanisms. Had EMV chip cards using Dynamic Data Authentication (DDA) been used, it would have been impossible to clone a card from the limited stored data and to tamper with the card limits. A DDA chip card is validated by the ATM or POS terminal before any transaction takes place. This is achieved by exchanging signed certificates and random number challenges between the card and the back-end via the terminal.
Had the cards contained a chip, even changing the card limits in the back-end would have had no effect. Without breaking the security features of the chip card, secret keys cannot be cloned onto a new empty smartcard. By asking the chip card to encode random challenges, and validating the results and signatures in the back-end, originality can be proven. After validation, transactions are individually signed, using transaction counters and other mechanisms to prevent a transaction from being replayed a second time. Any validation or transaction is preceded by entering the smartcard PIN code, which proves that the holder of the smartcard is authorized to use it.
In DDA cards, the PIN is still required and a unique signed electronic datagram is created, describing the details of the transaction. It is impossible to re-use such a datagram a second time, due to the amount, the transaction counter and many other items encoded into the signed datagram. This makes the DDA card much more secure against fraud than the magnetic stripe card.
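The following is an added example, not code from the original article, that models why a signed datagram cannot be altered, replayed or produced by a clone. It is a simplified sketch: HMAC-SHA256 with a per-card secret stands in for the card's signature, and the class names, field names and amounts are assumptions made for illustration, not the EMV message format.

```python
import hashlib
import hmac
import secrets
import struct


def mac(key: bytes, amount: int, counter: int, challenge: bytes) -> bytes:
    # HMAC-SHA256 stands in for the card's signature (assumption of this sketch).
    body = struct.pack(">QI", amount, counter) + challenge
    return hmac.new(key, body, hashlib.sha256).digest()


class ChipCard:
    def __init__(self, key: bytes):
        self._key = key      # never leaves the chip; only signatures do
        self.counter = 0     # transaction counter kept on the card

    def sign(self, amount: int, challenge: bytes) -> dict:
        self.counter += 1
        return {"amount": amount, "counter": self.counter, "challenge": challenge,
                "mac": mac(self._key, amount, self.counter, challenge)}


class Backend:
    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0   # highest counter accepted so far

    def verify(self, d: dict) -> str:
        good = mac(self._key, d["amount"], d["counter"], d["challenge"])
        if not hmac.compare_digest(good, d["mac"]):
            return "rejected: bad signature"
        if d["counter"] <= self._last_counter:
            return "rejected: replayed counter"
        self._last_counter = d["counter"]
        return "accepted"


def demo() -> list:
    key = secrets.token_bytes(32)                 # constructed per-card secret
    card, backend = ChipCard(key), Backend(key)
    first = card.sign(20000, secrets.token_bytes(8))   # terminal's random challenge
    clone = ChipCard(secrets.token_bytes(32))     # static data copied, key not
    return [backend.verify(dict(first, amount=9999900)),   # amount altered
            backend.verify(first),                         # genuine
            backend.verify(first),                         # replayed
            backend.verify(clone.sign(20000, secrets.token_bytes(8)))]  # clone
```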
Secondly, as the hack was made into the financial processor of the pre-paid cards, it can be presumed that sufficient security measures may not have been in place. Hackers were able to update card data as well as set balance limits to ‘unlimited’ to ensure they could withdraw up to the maximal cash limit at each ATM. This means the data may not have been stored following best practice, and access to it may not have been adequately protected either. One of the required standards is the PCI-DSS standard of the PCI Security Standards Council, which is recognized by international payment associations such as Visa and MasterCard. Even when an organization is certified by a Qualified Security Assessor, PCI-DSS requires it to remediate vulnerabilities and to rescan and self-assess the infrastructure on a regular basis. This is costly, but if omitted or postponed, breaches can occur.
A system is only as strong as its weakest link. In this case there were two weak links exploited globally: the processor in the back-end and the magnetic stripe card. Simple security mechanisms on the back-end, such as storing only salted hashes of PIN/login codes in databases rather than the codes themselves, and storing card details only in encrypted form rather than in plain text, would help support security in the system. At the card level, the introduction of DDA cards, which protect consumer and bank data, is also a front-line step in securing financial transactions.