Earlier this year, the Chaos Computer Club demonstrated how an ActiveX control could transfer funds from users' bank accounts without using a personal-identification or transaction number. Now, this same group of German hackers has turned its attention to ATM cards, and discovered that they, too, are easy cracks for the criminal-minded.
In a proof-of-concept demonstration last weekend, the CCC showed the German press how to read the information off a German Eurocheque-ATM card using a common, inexpensive magnetic-card reader. After doing so, they used a statistical analysis program to generate a list of a few hundred PIN codes that had a high probability of matching the original card. When the list of possible matches was run, the match was made in less than an hour.
"This (card fraud) is possible, despite the statement of the ZKA, because at offline-ATMs and ATMs not in Germany, no central storage of failures is possible. The possibility of statistical analysis has been known to the banks since at least 1989," said Christian Wolff, a CCC member.
The German Central Card Authority, the ZKA, maintains that their system is secure.
Cracking the PIN code is not simply a matter of scanning through all the possible number combinations, said the CCC. Because of how the mathematical algorithm is derived, one out of four PINs starts with a 1, and a PIN starting with a 0 or a 5 is twice as probable as one starting with any other digit (except 1). These factors considerably narrow the range of possibilities and allowed the hackers to make quick work of the PIN discovery.
Wolff, a long-standing member of the Chaos Computer Club, said that their purpose is to point out long-time flaws in the German banking system. "The CCC is showing the technical feasibility of computer fraud, which is otherwise not known to the public - which has meant the customer has to assume the responsibility of fraud rather than the companies."
Unlike the US ATM system - which stores the PIN data online rather than on the card - the German Eurocheque-ATM system stores the PIN number on the card's magnetic strip itself. The ATM validates a card's PIN by reading parts of the account number, the bank number, and the card number off the magnetic strip and encrypting them with a 56-bit DES key - the bank's backdoor key. The result is then passed through a trapdoor function. The PIN entered by the user is put through the same trapdoor function and compared to the stored value. If the two are equal, the ATM dispenses the money.
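The following is an added illustration, not code from the CCC or the article, of why the digit bias described above matters and why the missing central failure counter at offline ATMs (the point Wolff makes) is the real exposure. It models a 4-digit PIN with the article's first-digit figures (one in four starts with 1; 0 and 5 twice as likely as the rest) and compares a guesser who tries the most probable PINs first against a uniform PIN space; the assumptions that the remaining first digits are equally likely and that the other three digits are uniform are mine, not the article's.

```python
from fractions import Fraction

def first_digit_distribution():
    """First-digit probabilities reconstructed from the article's figures.
    Assumption (not in the article): digits other than 0, 1 and 5 are equally
    likely. Solving 1/4 + 2*(2p) + 7p = 1 gives p = 3/44 for those digits."""
    other = Fraction(3, 44)
    dist = {d: other for d in range(10)}
    dist[1] = Fraction(1, 4)          # one PIN in four starts with a 1
    dist[0] = dist[5] = 2 * other     # 0 and 5 twice as likely as the rest
    return dist

def pin_probabilities(first_digit):
    """Probability of every 4-digit PIN; last three digits assumed uniform."""
    tail = Fraction(1, 1000)
    return {f"{d}{t:03d}": p * tail for d, p in first_digit.items() for t in range(1000)}

def uniform_probabilities():
    """Reference case: every one of the 10000 PINs equally likely."""
    return {f"{n:04d}": Fraction(1, 10000) for n in range(10000)}

def ranked(probs):
    """Candidates ordered most-likely first (ties broken by PIN value)."""
    return sorted(probs.items(), key=lambda kv: (-kv[1], kv[0]))

def expected_guesses(probs):
    """Expected number of trials when candidates are tried most-likely first."""
    return sum(i * p for i, (_, p) in enumerate(ranked(probs), start=1))

def success_within(probs, attempts):
    """Probability that `attempts` tries suffice: this is the quantity a
    retry limit or a central failure counter keeps small."""
    return sum(p for _, p in ranked(probs)[:attempts])

if __name__ == "__main__":
    biased = pin_probabilities(first_digit_distribution())
    uniform = uniform_probabilities()
    for name, probs in (("uniform", uniform), ("biased", biased)):
        print(f"{name:8s} expected guesses: {float(expected_guesses(probs)):8.1f}  "
              f"P(hit within 3 tries): {float(success_within(probs, 3)):.5f}")
```

The biased prior cuts the expected search from 5000.5 to about 3773 trials, but with a hard limit of three attempts the success chance is still below one in a thousand; the statistical shortcut only pays off where unlimited retries go unrecorded.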
German banks have always maintained that any fraudulent use of ATM cards is the responsibility of the user. The user is accountable for any money taken out of their account, since the banks maintain that the only way one can defraud an ATM is to disclose one's PIN number to another, or through careless user action. The CCC, with this week's demonstration, wants to force banks to re-examine this policy.
The alleged insecurity of the EC-Card system will be one of the topics discussed at the upcoming annual Chaos Communication Congress, which takes place on 27 through 29 December in the Eidelstaedter Buergerhaus in Hamburg, Germany.