Re: New attacks on the financial PIN processing
- From: Anne & Lynn Wheeler <lynn@xxxxxxxxxx>
- Date: Thu, 23 Nov 2006 10:57:48 -0700
re:
http://www.garlic.com/~lynn/2006v.html#1 New attacks on the financial PIN processing
part of the issue was that the x9a10 financial standards working group
in the mid-90s was given the requirement to preserve the integrity of
the financial infrastructure for all retail transactions (that met all
kinds of environments, internet, point-of-sale, face-to-face,
non-face-to-face, etc ... as well as all kinds of retail transactions,
credit, debit, ach, etc).
part of the activity was looking at existing standards, industry
specification, association specification ... other protocol related
work going on in the same time ... and investigate the various
associated threats and vulnerabilities ... and what any
countermeasures were being targeted at.
the result was the x9.59 financial standard for all retail payments
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959
one of the wide-spread threats/vulnerabilities at the time was
skimming/harvesting of static data that could be used in various kinds
of replay attacks for fraudulent transactions. a major feature of
x9.59 was the elimination of static data.
http://www.garlic.com/~lynn/subintegrity.html#harvest
http://www.garlic.com/~lynn/subintegrity.html#secrets
another was the extreme ambiguity/confusion regarding the account
number in various kinds of transactions. in some kinds of
transactions, skimming/harvesting the account number was sufficient
(static) information for an attacker to perform a fraudulent
transaction. this led to requirements for the account number to be
kept confidential and never be divulged. at the same time, the account
number was the critical piece of information needed in performing a
large number of different business processes ... requiring it to be
readily available. the conflicting requirements led to my comments
about even if the planet was buried under miles of encryption, it
still wouldn't be sufficient to prevent account number leakage.
so another part of the x9.59 was to make it so that the account number
was no longer sufficient for letting an attacker perform a fraudulent
transaction (it didn't do anything about preventing account number
leakage, it just eliminated the risk related to any account number
leakage).
this is slightly related to my past comment about security proportional
to risk
http://www.garlic.com/~lynn/2001h.html#61
and a recent news item concerning insider threats
Banks face growing threat of identity theft from insiders
http://news.com.com/Banks+face+growing+threat+of+identity+theft+from+insiders/2100-1029_3-6137940.html
from above:
Banks are pouring money into building formidable defenses against
computer hackers, but are only just waking up to what may be a bigger
threat--the physical theft of client information by people in the
office.
..... snip ...
also mentioned here
http://www.garlic.com/~lynn/aadsm26.htm#7
it isn't exactly new news ... insiders have always been considered the
major threat ... whether it is physical theft or various kinds of
electronic data breaches and/or security breaches.
misc. past items ...
Study: ID theft usually an inside job
http://www.garlic.com/~lynn/aadsm17.htm#38
Leading Cause of Data Security breaches Are Due to Insiders
http://www.garlic.com/~lynn/aadsm18.htm#49
Bank workers biggest ID theft threat
http://www.garlic.com/~lynn/2005l.html#35
other insider threat
http://www.garlic.com/~lynn/2006p.html#9