[Image: Security could be lacking. © Frazer Hudson]
Online banking fraud doesn't just affect the naive. Last year, Robert Mueller, a director at the US Federal Bureau of Investigation, admitted he'd come within a mouse-click of being a victim himself. Now the extent of the problem has been brought into sharp relief, with computer scientists warning that banking culture is increasing the likelihood that customers are using vulnerable systems.

The convenience of online banking and electronic money has led to a revolution in the way we save and spend our earnings. Banking websites and payment systems are relentlessly targeted by criminals, though, so continuous improvements in security are needed to prevent fraud. But as was revealed at this week's Financial Cryptography and Data Security conference in Tenerife in the Canary Islands, some of the best-known security systems can still be compromised relatively easily.

All too often, banks' security systems are developed in secret, so their flaws are only identified when they are deployed, says Steven Murdoch, a security researcher at the University of Cambridge. This opens a window of opportunity for criminals.

Weaknesses in three widely used financial security systems highlight the extent of the problem. These systems, used by millions of people every day, can in some cases be breached using off-the-shelf technology and a little persistence, say researchers at the cryptography conference.

Take the Mifare family of smartcards devised by NXP Semiconductors of Eindhoven, the Netherlands. The "Classic" version of the card is used to carry small amounts of credit - one German bank allows up to €150 to be stored on the card - or for public-transport tickets, such as the Oyster travel card in London.

Weaknesses in the Classic card's security first became apparent when researchers partially reverse engineered the card's encryption system in 2007. Now a group from the Ruhr University in Bochum, Germany, has built on that work to develop a quick and straightforward method to alter the credit stored on some types of the card.

The Classic cards use 16 separate encryption keys to protect the information stored on the card. Timo Kaspar and colleagues studied the keys on one set of cards currently deployed as a payment system used by a million people in Germany. They found that every card used the same set of 16 keys and, once the team had identified them by building on the 2007 hack, Kaspar was able to alter the information stored on any card that used the system, if given access to the card.

Using a card reader built by the team, Kaspar was able to add credit to blank cards. To prove that the hack worked, he used the cards to purchase items such as coffee and ice cream. The cards only have to come near a reader to be activated, so a hacker with Robin Hood-style inclinations could hide a system in a public place so that anyone walking close enough would find that their card had magically filled up.

"It's so simple," says Kaspar. "Anyone can buy a reader for around $30." Criminals can also download free software that can be used to read the encryption codes on the card. Kaspar has notified the company that runs the payment system and says that the firm is fixing the problem. The card's manufacturer, NXP, told New Scientist that it is the card issuers themselves that decide how to implement their encryption security, and that NXP alerted each issuer of the dangers of using the same set of 16 encryption keys on all the cards it issues.
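The issuer-side fix NXP alludes to is key diversification: each card gets its own 16 sector keys, derived from an issuer master key and the card's unique ID, so keys recovered from one card open no other card. The example below is added here to illustrate that contrast and is not code from the researchers, NXP or any issuer; the HMAC-SHA256 derivation, the constant keys in the flawed scheme and the card UIDs are all assumptions constructed for the demonstration.

```python
import hmac
import hashlib
import secrets

SECTORS = 16   # the article's "16 separate encryption keys", one per sector
KEY_LEN = 6    # Mifare Classic sector keys are 48 bits (6 bytes)


def diversify_keys(master_key: bytes, card_uid: bytes) -> list:
    """Derive a distinct 6-byte key for each of the 16 sectors of one card.

    HMAC-SHA256 over (UID || sector index) is used as a generic KDF; this is
    an assumption for the example, not a documented issuer scheme. The master
    key stays with the issuer; a reader only ever needs the per-card keys.
    """
    if len(card_uid) not in (4, 7):
        raise ValueError("Mifare UIDs are 4 or 7 bytes")
    keys = []
    for sector in range(SECTORS):
        tag = hmac.new(master_key, card_uid + bytes([sector]), hashlib.sha256).digest()
        keys.append(tag[:KEY_LEN])
    return keys


def shared_keys_scheme(card_uid: bytes) -> list:
    """The flawed deployment from the article: every card carries the same 16 keys.

    The key values are constructed placeholders; the UID is ignored on purpose.
    """
    return [bytes([0xA0 + i]) * KEY_LEN for i in range(SECTORS)]


def keys_reusable_across_cards(scheme, uid_a: bytes, uid_b: bytes) -> bool:
    """True if any key learned from card A also opens a sector of card B."""
    keys_a, keys_b = scheme(uid_a), scheme(uid_b)
    return any(k in keys_b for k in keys_a)


if __name__ == "__main__":
    master = secrets.token_bytes(16)
    uid_a = bytes.fromhex("DEADBEEF")   # constructed UIDs for two cards
    uid_b = bytes.fromhex("0BADF00D")
    print(keys_reusable_across_cards(shared_keys_scheme, uid_a, uid_b))
    print(keys_reusable_across_cards(lambda u: diversify_keys(master, u), uid_a, uid_b))
```

With diversified keys, the card reader still works for every card in the system, but the attack the article describes stops at the single card whose keys were recovered.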

Elsewhere, another group of security researchers has taken aim at a card reader that is used to verify online banking payments. The reader, used by some European banks, plugs into a computer using a USB connection and launches a supposedly secure browser. Users place their bank card into the reader, which then creates a secure connection with the bank via the browser. The system was designed to allow customers to safely sign off transactions such as transfers between bank accounts.

That, at least, is the theory. Felix Gröbert and colleagues, also at the Ruhr University, designed a piece of software that attacks the modified browser as soon as it launches, disabling its security. It can then surreptitiously alter the details of the account that is due to receive transferred money, siphoning off money to an account of the hacker's choosing. Gröbert says he has alerted the banks that use the system and also the producer of the smartcard reader. Both are addressing the problem.

That reader is only given to corporate customers, who use it to process large numbers of transactions. But systems used to protect online consumer purchases also show flaws, warn Murdoch and his Cambridge colleague Ross Anderson. Many online transactions contain an extra layer of security - such as "Verified by Visa" or "MasterCard Secure" - which is run by card companies. Customers enter a password, which has to be checked by Visa or MasterCard before the transaction can be completed.

The system was designed to combat fraud in online card transactions. Unfortunately, say Murdoch and Anderson, the system fails to follow many established security guidelines. For example, the Verified by Visa form pops up in the centre of shopping websites, much like a phishing attack might. This means customers may become less wary of other threats, says Murdoch. Customers also have to select a password when the system is activated for the first time - usually during a spot of shopping. Anderson has previously shown that without explicit guidance people tend to choose weak passwords. Visa was asked for comment but had not responded at the time of writing.

All of these security issues can be fixed without too much effort, but their existence is symptomatic of a wider issue, says Murdoch: the secrecy culture of banks is resulting in systems being deployed with all-too-obvious weaknesses in them. Companies should be more open to external help, he says, and have independent experts inspect their systems.