Two recent security issues show how those who should know a good deal better are often too blinded by their own cleverness.
Fraud, Chip, and PIN
Wired reports the story of a chip-and-PIN bank card fraud in France in 2011, which exploited a vulnerability in bank cards which had been reported in 2010.
Chip-and-PIN readers work by asking the chip on the card whether the PIN which you have entered is correct. Essentially, those fraudsters made stolen cards with additional chips which told card readers that, whatever the PIN that had been entered, it was correct. This enabled them to spend nearly €600,000 on stolen cards before they were detected.
The strange twist to this story is that, from the outset, the chip-and-PIN readers could have prevented such fraud, had the card companies paid attention to the vulnerability report in 2010. It would have been so simple for the card readers to have deliberately asked the card to validate an incorrect PIN, to ensure that the chips were working correctly.
But no, building that simple security check into the system was not necessary. Until this ‘man in the middle’ attack was pulled off.
Login to Money
The second story is potentially more alarming, at least if you are directly affected by US banking transactions.
Telnet is an ancient network protocol dating back to 1969 which gives a remote client access to a server’s command line, provided that the client enters the correct username and password. All an attacker needs is a valid username and password, and they can walk right in.
Telnet is one of the least secure ways of providing remote access, and it has long been recommended that it should not be used. Aside from issues about ‘cracking’ usernames and passwords, transactions with Telnet are not encrypted (unlike SSH), so it is easy for a hacker to eavesdrop and harvest credentials and more. Implementations of Telnet have also had more than their fair share of significant vulnerabilities. Leaving a home network exposed with TCP port 23 open and a system ready to Telnet into, would be an act of crass stupidity, and invitation to be hacked.
So what do you think of an IP address in the USA, which can be telnetted into from anywhere in the world, and then responds:
Welcome to Interstate Banking Transactions Exchange (IBTS) System.
This system ensures inter-bank financial routing transactions for
banking institutions in North America.
Please note: In order to receive initial access to IBTS, you will
need to complete and submit a formal system access request via
your systems administrator. Upon approval your will be provided
with (login with edit and eID password). VAX and VMS
certification are required before approval is provided.
Is it just a spoof? Or is someone at the Interstate Banking Transactions Exchange System really so stupid as to have left their front door wide open?