http://biz.yahoo.com/rb/030125/tech_virus_boa_1.html Let's make the assumption that the outage of ATMs that BoA suffered was caused by last night's 'SQL Slammer' virus. The following things can then be assumed: a) BoA's network has Microsoft SQL Servers on them. b) BoA has not applied SP3 (available for a week) or the patch for this particular problem (SQL Slammer) (available for many months). c) somehow, this attack spawned on the public internet made its way to BoA's SQL servers, bypassing firewalls (did they have firewalls?). Another article states, "Bank of America Corp., one of the nation's largest banks, said many customers could not withdraw money from its 13,000 ATM machines because of technical problems caused by the attack. A spokeswoman, Lisa Gagnon, said the bank restored service to nearly all ATMs by late Saturday afternoon and that customers' money and personal information had not been at risk." Does anyone else, based upon the assumptions above, believe this statement to be patently incorrect (specifically, the part about 'personal information had not been at risk')? I find these statements made by BoA, based upon assumptions which are probably correct, to be very scary. Comments? -- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben -- -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
On Sat, 25 Jan 2003, Alex Rubenstein wrote:
Let's make the assumption that the outage of ATMs that BoA suffered was caused by last night's 'SQL Slammer' virus.
The following things can then be assumed:
a) BoA's network has Microsoft SQL Servers on them.
Not necessarily. There's this statement from a BoA employee: '"We have been impacted, and for a while customers could not use ATMs and customer services could not access customer information," Gagnon said.' While that's clear as mud, one could also infer that the network that they depend on to interconnect their ATMs and branches was impacted by all the garbage network being carried at the time. They don't disclose how these atm's and branches are connected back to their datacenter(s?), but perhaps someone had the bright idea of tunneling everything over something like the Qwest network, which some here reported as being b0rked for quite some time... Or perhaps they (or the VPN concentration gear) are in a shared datacenter space where other customers bouncing this junk around trashed the network within the datacenter. These days you can never make assumptions about what passes for BCP. Just another possibility... Mind you I'm not rushing out to open an account with them. C
Comments?
-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben -- -- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
FWIW: http://www.washingtonpost.com/wp-dyn/articles/A57550-2003Jan28.html "About 13,000 Bank of America cash machines had to be shut down. The bank's ATMs sent encrypted information through the Internet, and when the data slowed to a crawl, it stymied transactions, according to a source, who said customer financial information was never in danger of being stolen." -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
Or, IIRC, the ATM system is similar to CC transactions. A best effort is made to authorize against your account (Credit Card or Banking) but if it fails and the transaction is within a normal range (your daily card limit) the CC/ATM completes the transaction. I'd be willing to bet the failure rate Saturday was high enough to cause concern that bank customers (knowingly or innocently) could bypass the normal limits and overdraw or otherwise negatively affect their accounts. So BoA decided to shut down the system until the failure rate returned to 'normal.' Not a bad thing, IMHO. Best regards, ______________________________ Al Rowland
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Leo Bicknell Sent: Tuesday, January 28, 2003 8:03 PM To: nanog@merit.edu Subject: Re: Banc of America Article
FWIW:
http://www.washingtonpost.com/wp-dyn/articles/A57550-2003Jan28.html
"About 13,000 Bank of America cash machines had to be shut down. The bank's ATMs sent encrypted information through the Internet, and when the data slowed to a crawl, it stymied transactions, according to a source, who said customer financial information was never in danger of being stolen."
-- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
AR> Date: Wed, 29 Jan 2003 07:20:35 -0800 AR> From: Al Rowland AR> IIRC, the ATM system is similar to CC transactions. A best AR> effort is made to authorize against your account (Credit Card AR> or Banking) but if it fails and the transaction is within a AR> normal range (your daily card limit) the CC/ATM completes the AR> transaction. Fail-open security on financial networks? Yucky. Eddy -- Brotsman & Dreger, Inc. - EverQuick Internet Division Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 (785) 865-5885 Lawrence and [inter]national Phone: +1 (316) 794-8922 Wichita
IIRC, the ATM system is similar to CC transactions. A best effort is made to authorize against your account (Credit Card or Banking) but if it fails and the transaction is within a normal range (your daily card limit) the CC/ATM completes the transaction.
Too bad it is not the case, but let's presume that it is. How does it explain branches not being able to process direct withdrawals either? The incident on hand illustrates that the design of our financial networks is broken. If a non-sophisticated worm managed to create so many problems, what is going to happen should a real attack be mounted against the networks used by financial services? Alex
At 12:46 PM 1/29/2003, alex@yuriev.com wrote:
IIRC, the ATM system is similar to CC transactions. A best effort is made to authorize against your account (Credit Card or Banking) but if it fails and the transaction is within a normal range (your daily card limit) the CC/ATM completes the transaction.
Too bad it is not the case, but let's presume that it is. How does it explain branches not being able to process direct withdrawals either?
The incident on hand illustrates that the design of our financial networks is broken. If a non-sophisticated worm managed to create so many problems, what is going to happen should a real attack be mounted against the networks used by financial services?
Perhaps the bank bought VPN service with an SLA from a large network vendor. That SLA was not met due to network congestion. Said vendor will be responsible for reparations to the bank. That doesn't help the customers, of course. Now the bank COULD just use T-1 or faster circuits to all branches, but the network vendors are pushing VPNs (whether formed by IPSec tunnels, Frame Relay, MPLS, etc.) as cheaper alternatives. It would be foolish and irresponsible for the bank management to spend many times the amount of money. Of course even the T-1 circuits can have problems. ATT did melt their telephony backbone on Martin Luther King Day some years back. So should the bank run their own fiber between branches to ensure they're OK in the event of an SS7 meltdown? Where do you draw the line? Which technology do YOU trust? Which can you afford?
I believe specific account data is not kept on the local machine. I may be wrong, not to mention the data strip on the card... Nothing new. Look at what happened to the Chicago Board of Trade a few years back. I wonder how WCOM reported the out-of-court settlement for that one on their books. ;0 The original NSI SI, National-Security-Internet-(Survivable-Infrastructure), model was replaced years ago by the BBC, Best-Business-Case model, puns intended. Best regards, ______________________________ Al Rowland
-----Original Message----- From: alex@yuriev.com [mailto:alex@yuriev.com] Sent: Wednesday, January 29, 2003 9:47 AM To: Al Rowland Cc: nanog@merit.edu Subject: RE: Banc of America Article
IIRC, the ATM system is similar to CC transactions. A best effort is made to authorize against your account (Credit Card or Banking) but if it fails and the transaction is within a normal range (your daily card limit) the CC/ATM completes the transaction.
Too bad it is not the case, but let's presume that it is. How does it explain branches not being able to process direct withdrawals either?
The incident on hand illustrates that the design of our financial networks is broken. If a non-sophisticated worm managed to create so many problems, what is going to happen should a real attack be mounted against the networks used by financial services?
Alex
Your assumption is my account is at my local branch. Neither is my safe deposit box. It's at a different, larger branch in the adjacent suburb. My 'account' is likely in one of their corporate monoliths downtown, hence the network connection. That's why my card works as well in Virginia (my most recent trip) as it does at my local branch in LA. My local ATM also needs access to other bank networks if they have any hope of collecting that usury fee for not-my-bank customers using the teller. It's about the Benjamins. I completely agree with your second point but don't expect change until outside forces effect change in the current business model. Just my 2¢. Best regards, ______________________________ Al Rowland
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of alex@yuriev.com Sent: Wednesday, January 29, 2003 9:47 AM To: Al Rowland Cc: nanog@merit.edu Subject: RE: Banc of America Article
IIRC, the ATM system is similar to CC transactions. A best effort is made to authorize against your account (Credit Card or Banking) but if it fails and the transaction is within a normal range (your daily card limit) the CC/ATM completes the transaction.
Too bad it is not the case, but let's presume that it is. How does it explain branches not being able to process direct withdrawals either?
The incident on hand illustrates that the design of our financial networks is broken. If a non-sophisticated worm managed to create so many problems, what is going to happen should a real attack be mounted against the networks used by financial services?
Alex
On Wed, 29 Jan 2003, Al Rowland wrote:
Or,
IIRC, the ATM system is similar to CC transactions. A best effort is made to authorize against your account (Credit Card or Banking) but if it fails and the transaction is within a normal range (your daily card limit) the CC/ATM completes the transaction.
So you're telling me that if I go to Kwik-E-Mart, cut the wires, and put my card with a $0 balance in, it will happily let me withdraw money? Somehow that doesn't sound right. How would it know my PIN, or would it assume I entered it correctly? How would it know my daily card limit? Charles
Best regards, ______________________________ Al Rowland
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Leo Bicknell Sent: Tuesday, January 28, 2003 8:03 PM To: nanog@merit.edu Subject: Re: Banc of America Article
FWIW:
http://www.washingtonpost.com/wp-dyn/articles/A57550-2003Jan28.html
"About 13,000 Bank of America cash machines had to be shut down. The bank's ATMs sent encrypted information through the Internet, and when the data slowed to a crawl, it stymied transactions, according to a source, who said customer financial information was never in danger of being stolen."
-- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
Just for grins, the PIN is on your card, likely encrypted, this based on the fact that most ATMs will reject your card at the initial PIN prompt before you try to execute any transaction, as is likely your balance and daily withdrawal limit, but the Kwik-E-Mart system might not have a way to see that you've already withdrawn your daily limit from three other ATMs etc. I use a not-my-bank ATM in the lobby at work and it doesn't initiate the call (you can hear the modem dial) until you're beyond the PIN screen and are actually requesting a transaction. My daily limit at my home bank is significantly higher than my daily limit at non-home-bank ATMs so that might be a local feature rather than hard coded to your card. (Or readable by the particular machine you're using; who knows what your bank considers privacy or proprietary information.) Just conjecture, no way to know how this specifically works without looking at the BoA specific ATM code, but I'd be willing to bet the code errs on the side of customer convenience over absolute security. See most software as examples. Best regards, ______________________________ Al Rowland
-----Original Message----- From: Charles Sprickman [mailto:spork@inch.com] Sent: Wednesday, January 29, 2003 10:19 AM To: Al Rowland Cc: nanog@merit.edu Subject: RE: Banc of America Article
On Wed, 29 Jan 2003, Al Rowland wrote:
Or,
IIRC, the ATM system is similar to CC transactions. A best effort is made to authorize against your account (Credit Card or Banking) but if it fails and the transaction is within a normal range (your daily card limit) the CC/ATM completes the transaction.
So you're telling me that if I go to Kwik-E-Mart, cut the wires, and put my card with a $0 balance in, it will happily let me withdraw money? Somehow that doesn't sound right. How would it know my PIN, or would it assume I entered it correctly? How would it know my daily card limit?
Charles
Best regards, ______________________________ Al Rowland
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Leo Bicknell
Sent: Tuesday, January 28, 2003 8:03 PM To: nanog@merit.edu Subject: Re: Banc of America Article
FWIW:
http://www.washingtonpost.com/wp-dyn/articles/A57550-2003Jan28.html
"About 13,000 Bank of America cash machines had to be shut down. The bank's ATMs sent encrypted information through the Internet, and when the data slowed to a crawl, it stymied transactions, according to a source, who said customer financial information was never in danger of being stolen."
-- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
On Wed, Jan 29, 2003 at 10:35:37AM -0800, Al Rowland wrote:
The PIN is on your card, likely encrypted,
We're off-topic now, so I won't go into detail, but the PIN is sometimes on the card and sometimes not. There are different ways of doing it. (If the sampling of cards in my wallet is representative, then mostly, the PINs aren't on the card anymore (I still have one card that has the PIN on the card).) -- Brett
Hallelujah. A voice of knowledge as opposed to conjecture. Different bank ATMs operate differently. There are online and offline modes. The PIN may or may not be recorded on the card. Some of these differences are due to the fact that not all financial institutions were connected to interbank networks over two decades ago. And yes, some banks' ATMs dispense limited amounts of cash while disconnected from the network. This is a compromise between customer service and fraud exposure. You won't be able to get rich that way. There are plenty of resources on and offline related to magnetic stripe cryptographic security and PIN verification methods such as Atalla Identikey, Visa PVV, IBM 3624, etc. Those making the most noise should take a look at their own network security, data security, and redundancy practices as they rail against large financial networks and systems. Regards, Sharif --- "Whenever I'm caught between two evils, I take the one I've never tried." - Mae West On Wed, 29 Jan 2003 13:15:54 -0600, Brett Frankenberger wrote:
On Wed, Jan 29, 2003 at 10:35:37AM -0800, Al Rowland wrote:
The PIN is on your card, likely encrypted,
We're off-topic now, so I won't go into detail, but the PIN is sometimes on the card and sometimes not. There are different ways of doing it. (If the sampling of cards in my wallet is representative, then mostly, the PINs aren't on the card anymore (I still have one card that has the PIN on the card).)
-- Brett
Al Rowland wrote:
The PIN is on your card ...
Not for any card I've ever owned. I've changed my PIN several times over the years, and the bank has never re-encoded my card or sent me a new card as a result of doing so. Maybe some banks do store the PIN on the card, but I'm certain that it's in the server for every bank I've used.
I use a not-my-bank ATM in the lobby at work and it doesn't initiate the call (you can hear the modem dial) until you're beyond the PIN screen and are actually requesting a transaction.
I'm not surprised. But the PIN is verified as a part of the transaction. I've occasionally mistyped my PIN. The ATM takes the mistake and goes straight to the menu. It's only after requesting a transaction that it comes back with the "invalid PIN" message. -- David
Since nobody has given the correct information about the PIN on the card I will give a very brief description. There are two types of PIN, natural and customer selected. The natural PIN is computed from the number on the card. The computation involves one-way crypto keys. I don't remember the algorithm. For this the PIN that is stored on the card is 0000. Now, when a customer selects a PIN, an offset is computed between the natural PIN and the selected PIN. This offset is stored on the card. Based on this you can see that re-encoding is needed when you change the PIN number; most ATMs will do that re-encoding. So unless things have changed in the last 4 years since I worked with this, you cannot change your PIN over the phone without physical contact by the bank with the card. Personally I carry a card without any logo as my ATM card; at one point I had access to a reader/encoder for mag stripe cards and I programmed a blank card with the info from my real ATM card. No encryption involved. K On Wed, 29 Jan 2003, David Charlap wrote:
Al Rowland wrote:
The PIN is on your card ...
Not for any card I've ever owned. I've changed my PIN several times over the years, and the bank has never re-encoded my card or sent me a new card as a result of doing so.
Maybe some banks do store the PIN on the card, but I'm certain that it's in the server for every bank I've used.
I use a not-my-bank ATM in the lobby at work and it doesn't initiate the call (you can hear the modem dial) until you're beyond the PIN screen and are actually requesting a transaction.
I'm not surprised. But the PIN is verified as a part of the transaction.
I've occasionally mistyped my PIN. The ATM takes the mistake and goes straight to the menu. It's only after requesting a transaction that it comes back with the "invalid PIN" message.
-- David
On Thu, 2003-01-30 at 15:39, Krzysztof Adamski wrote:
Based on this you can see that re-encoding is needed when you change the PIN number; most ATMs will do that re-encoding. So unless things have changed in the last 4 years since I worked with this, you cannot change your PIN over the phone without physical contact by the bank with the card.
The last two banks I've used both allowed me to do it over telephone banking. -Paul -- Paul Timmins paul@timmins.net / http://www.timmins.net/ H: 248-683-7295 / C: 248-379-7826 / DC: 130*116*24495 A: noweb4u / R: KC8QAY
at Wednesday, January 29, 2003 6:35 PM, Al Rowland <alan_r1@corp.earthlink.net> was seen to say:
The PIN is on your card, likely encrypted
IIRC, the actual answer is a bit simpler - an initial PIN is *calculated* from your account number (which *is* stored on the card) and an offset (also on the card) is applied to give the PIN you actually type.
Just conjecture, no way to know how this specifically works without looking at the BoA specific ATM code but I'd be willing to bet the code errs on the side of customer convenience over absolute security.
Possibly. Unfortunately (here in the UK at least) "the system" also defaults to believing that only the registered owner could possibly use the card - hence lots of cases over "phantom withdrawals" that the bank refuses to refund. So customer convenience is OK provided it comes free for the bank :)
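The natural-PIN-plus-offset scheme that Krzysztof and David Howe describe (the IBM 3624 PIN offset method Sharif names) as an added example; this is not code from anyone in this thread. The real method DES-encrypts PAN-derived validation data under a PIN verification key (PVK) held in the bank's HSM; HMAC-SHA256 stands in for DES here because the Python standard library has no DES, and the decimalization table and 16-digit padding are assumptions. The PVK and PAN are constructed sample values.

```python
import hashlib
import hmac

# Commonly cited default decimalization table: hex digits A..F fold onto 0..5.
# Assumption: issuers pick their own table; the structure, not the table, matters.
DECIMALIZATION_TABLE = str.maketrans("0123456789ABCDEF", "0123456789012345")


def natural_pin(pan: str, pvk: bytes, pin_length: int = 4) -> str:
    """Derive the 'natural' PIN from the account number encoded on the card.

    IBM 3624: encrypt 16-digit validation data under the PVK, decimalize the
    ciphertext, keep the first pin_length digits.  HMAC-SHA256 is a stand-in
    for the DES step (assumption); left-padding the PAN to 16 is an assumption.
    """
    validation_data = pan.rjust(16, "0")[-16:]
    tag = hmac.new(pvk, validation_data.encode(), hashlib.sha256).hexdigest().upper()
    return tag.translate(DECIMALIZATION_TABLE)[:pin_length]


def pin_offset(pan: str, pvk: bytes, customer_pin: str) -> str:
    """Offset written to the stripe when the customer selects a PIN.

    Digit-wise (customer - natural) mod 10.  A customer who keeps the natural
    PIN gets offset 0000, which is the '0000 stored on the card' case above.
    """
    nat = natural_pin(pan, pvk, len(customer_pin))
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(customer_pin, nat))


def apply_offset(natural: str, offset: str) -> str:
    """Digit-wise (natural + offset) mod 10: the PIN the customer must type."""
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))


def verify_pin(pan: str, pvk: bytes, stripe_offset: str, entered_pin: str) -> bool:
    """Verify an entered PIN from stripe data (PAN, offset) plus the PVK.

    Without the PVK the offset on the stripe reveals nothing about the PIN,
    so 'the PIN is on the card' is only true of the offset, not the PIN.
    """
    expected = apply_offset(natural_pin(pan, pvk, len(stripe_offset)), stripe_offset)
    return hmac.compare_digest(expected.encode(), entered_pin.encode())


def change_pin(pan: str, pvk: bytes, new_pin: str) -> str:
    """A PIN change is a new offset; under this scheme the stripe is re-encoded."""
    return pin_offset(pan, pvk, new_pin)


if __name__ == "__main__":
    PVK = b"constructed-sample-pvk-not-real"  # constructed; real PVKs never leave the HSM
    PAN = "4000123412341234"                  # constructed sample account number
    offset = pin_offset(PAN, PVK, "4821")
    print("natural PIN:", natural_pin(PAN, PVK))
    print("stripe offset for 4821:", offset)
    print("verify 4821:", verify_pin(PAN, PVK, offset, "4821"))
    print("verify 1111:", verify_pin(PAN, PVK, offset, "1111"))
    print("offset after change to 7305:", change_pin(PAN, PVK, "7305"))
```

Swapping in a different PVK, as a different bank would hold, yields a different natural PIN for the same PAN and offset, which is why a stranger's ATM cannot verify a PIN offline unless it shares the issuer's key or goes online.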
On Wed, Jan 29, 2003 at 01:19:08PM -0500, Charles Sprickman wrote:
On Wed, 29 Jan 2003, Al Rowland wrote:
Or,
IIRC, the ATM system is similar to CC transactions. A best effort is made to authorize against your account (Credit Card or Banking) but if it fails and the transaction is within a normal range (your daily card limit) the CC/ATM completes the transaction.
So you're telling me that if I go to Kwik-E-Mart, cut the wires, and put my card with a $0 balance in, it will happily let me withdraw money? Somehow that doesn't sound right. How would it know my PIN, or would it assume I entered it correctly? How would it know my daily card limit?
Disclaimer: while I did work for a company that was (or would have been) involved with CC transactions, I have never actually worked with CC auth mechanisms; only discussed them with a housemate who worked on $(MAJOR_CC_VENDOR)'s transaction/auth system. The short answer is: yes. The longer answer is: your PIN is on your card, the rest is recorded in the ATM and synchronized when it has connectivity again. At which point, your bank will be sending you a polite (or, for some amounts, not so polite) request to pay the outstanding balance, the fees incurred for overdraft, and other assorted charges. Most of the financial world operates on a pair of fairly straightforward principles: 1) It costs money to stop fraud. Unless and until the cost of fraud exceeds the cost of stopping the fraud, it is not profitable to attempt to stop the fraud (and, as a corollary, the effort put into stopping fraud is limited to that amount which produces a better-than-even return on investment). All major CC vendors simply budget for some amount of fraud every year; it's a known risk of the business model, and is accounted for. 2) Banks, as a rule, care fairly little about whether you can withdraw money that you shouldn't be able to. ATM limits are largely about limiting the amount of damage done in the short term. What banks care about a very great deal is trying to make sure that nothing, anywhere, in the entire system, can cause a transaction that doesn't have an audit trail - and spotting such things is (relatively) easy, because the books suddenly don't balance. Money may be information, but *within the system*, that information is checked, double-checked, cross-checked, and otherwise run through a really insane amount of effort to make sure you can't create money from nothing - and can't move it from one place to another without leaving some record of the movement.
Thus, you can get physical cash from an ATM, if the system is out of sync, but as soon as it gets synced up again that will be linked back to your account. The bank only really cares, then, if your account happens to end up negative (and, as above, will take action in more concrete ways, to deal with the situation). Anyone who actually cares about this is strongly advised to not take my word on it, but go do the homework for yourself; most of this information is available to a sufficiently curious searcher. -- *************************************************************************** Joel Baker System Administrator - lightbearer.com lucifer@lightbearer.com http://users.lightbearer.com/lucifer/