J Cryptogr Eng DOI 10.1007/s13389-015-0104-3
REGULAR PAPER
Automated teller machines: their history and authentication protocols
Alan G. Konheim
Received: 12 April 2015 / Accepted: 6 May 2015 © Springer-Verlag Berlin Heidelberg 2015
Abstract Luther Simjian filed a patent in 1959 for perhaps the first ATM; he convinced the City Bank of New York (now Citibank) to run a 6-month field test of his Bankmatic. The test was, however, not extended due to lack of demand. Simjian suggested that the only customers using the machine were a small number of prostitutes and gamblers who did not want to deal with bank tellers face to face. Nature abhors a vacuum and is also the mother of invention; John Shepherd-Barron (OBE), managing director of London’s De La Rue Instruments, succeeded in 1964 with help from Barclay’s Bank. The DACS (De La Rue Automatic Cash System) was installed at their branch in Enfield, North London, on June 27, 1967. Since banks are guardians of your money, it was necessary to institute controls on who could get the moolah or lolly! JSB and his many successors required an ATM user to provide two identifiers: the first, a PAN—proof of the existence of a bank account—though not necessarily well funded—and the second, a PIN—proof of identity, the creation of James Goodfellow of Chubb’s Integrated System. The PAN in time would ultimately be recorded magnetically on an ATM bankcard, the PIN entered at the ATM’s keyboard. Goodfellow’s invention was followed by ATM inventions of Geoffrey Constable (also of Chubb) and in the US by Donald C. Wetzel. He was a former baseball player (shortstop) for a farm team of the San Francisco (née New York) Giants, IBM salesperson and then vice president of Docutel. Since pickpockets were plentiful in London, a substantial part of the security rested with knowledge of the PIN. But how were the PAN and PIN related and how was this tested during an ATM transaction? These remained to be discovered. The IBM Corporation entered the scene in 1968 with a contract to design an ATM. Horst Feistel, working at their Yorktown Research Center, developed the first cryptographic algorithm to relate the PIN and PAN. Feistel’s algorithm LUCIFER was modified and affirmed in 1976 as the Data Encryption Standard (DES) in the US by the National Bureau of Standards. It evolved into Triple DES (3DES), currently the guardian of most PINs. This paper is a summary of the achievements of the inventors, the problems encountered and the necessary technical enhancements needed and introduced.

Keywords API · ATM · Banking · Cryptography · Hardware Security Module · Horst Feistel · PED · IBM
W. Somerset Maugham: British playwright, novelist and short-story writer (1874–1965).
“In the bank, large amounts, I’m afraid these don’t grow on trees. You’ve got to pick-a-pocket or two”. From the Pickpocket song in Oliver—words and lyrics by Lionel Bart.

“Money is like a sixth sense—and you can’t make use of the other five without it.” W. Somerset Maugham

“Money is better than poverty, if only for financial reasons.” Woody Allen

“The trick is to stop thinking of it as your money.” IRS Dogma
Alan G. Konheim
Emeritus, Department of Computer Science, University of California at Santa Barbara, Santa Barbara, CA 93106, USA

Woody Allen: Heywood “Woody” Allen is an American actor, writer, director, comedian, musician (clarinet), and playwright. He is very much alive; his expanding career spans more than 50 years.

1 Introduction

This paper is not about making, saving, stealing or either wisely or unwisely spending money. It only deals with the
bank’s efforts to provide the typical Joe and Jane with access to their banking funds at all times of the day and night; an example of instant gratification which I was told was available in Southern California when I moved here in 1982. In the 1970s, the banking industry began offering some electronic banking services, performed at unattended banking tellers referred to as automated teller machines (ATM). The advantages of ATMs to the banks and their customers were significant. Convenience was a major ATM benefit to both. A banking customer did not need to arrive at the bank during its normal business hours and, if she/he did, might avoid long teller lines in banks; one did not have to decide, “which line has the fastest teller?” The ATM services were meager at first, but ultimately included the withdrawal of cash, making deposits, transfer between accounts and viewing account balances. For merchants who would not accept credit cards and checks as payment,1 an ATM quickly provided needed cash. A single ATM cash withdrawal might arm you for multi-merchant shopping and would provide a reconciliation of transactions in place of an unsightly collection of credit card receipts. It simplified vacation or business travel, especially abroad, and lessened the need to purchase traveler’s checks. Foreign ATM transactions generally enjoy favorable exchange rates; ATMs dispense foreign currency and your bank debits your account in U.S. dollars with conversion fees which you discover only after you return home. An ATM also provided many management benefits to the bank. An ATM has no gender, no religious preferences nor registered political affiliations. An ATM does not get sick, demand overtime pay or threaten to form a union. It is always respectful to its manager and usually open and available to serve 24/7, provided it is supplied with juice—the electrical variety.
The bank would save on the considerable cost of processing checks;2 an ATM terminal does not demand overtime pay, require annual raises or require medical benefits, and it can be discharged at will. Electronic transactions would not require human supervision or intervention, permitting labor savings. In other words, it is a perfect employee, except that it is not human. It allowed the bank to debit a customer’s account almost instantaneously; no free float until the end of the credit card billing payment. And, the bank could charge you for providing this very enticing service.
Two conflicting forces have influenced the design of electronic banking systems:
• Profitability: the desire by the bank to improve their bottom line, and
• Security: the fear that individuals might learn how to penetrate the system, for example, to empty the ATM of cash in maybe a largely invisible manner.

The considerable experience of banks with credit card transactions pointed to certain risks, including the use of counterfeit, lost, or stolen banking cards. Alas, in the contest between greed versus fear, the former always wins in banking. However, bank managers are very cautious and decided that a valid ATM transaction would require a customer to be authenticated before a transaction could be successful.
2 Authentication

The word authentication, conveying action, is derived from au·then·ti·cate, a verb meaning to prove or show (something); for example, a claim made for an artistic work to be genuine, valid or true. Authenticating a person refers to the process of determining whether someone or something is, in fact, who or what it is declared to be. There are many examples in which this process occurs, including
• the authentication of a work of art, referred to as the object’s provenance,3
• the use of a driver’s license to authenticate identity when cashing a check,
• the use of a photograph on a passport when crossing a national boundary.

In each of these instances, the object—the painting, the individual presenting the check or the identity of the person—is in or will be brought in close physical proximity of the entity responsible for determining and accepting or denying the authenticity. In the ATM context, it meant proving your identity. What happens if the entity doing the authentication is not a person, but a machine? The banks decided to require a customer to offer two bona fides in establishing their identity:
1 I remember the difficulty trying to cash a check drawn on a New York bank on my first extended visit to California in 1963.
2 http://paysimple.com/articles/echeck_processing.html claims that it costs $1.22 to process a check. The cost of an ATM transaction (at your home bank’s banking network) is in the pennies. The fees at a bank outside of your home bank’s banking network range from $2 to $5. The website of ATMDepot.com which sells the machines to merchants, calls the ATM, the Amazing Money Machine and suggests “Get an ATM, Make Money”.
• Possession of a banking card on which the customer’s Primary Account Number (PAN) was magnetically recorded, and
• A separate identifying element,4 today universally referred to as the customer’s Personal Identification Number (PIN).

The customer would insert the ATM bankcard into the ATM’s slot (card reader); the PAN would be read and the customer then be prompted to enter the PIN at a keyboard. The ATM would verify the relationship between PIN and PAN and by doing so authenticate the customer who presented it. Left to the discretion of the bank was the decision of what transactions were then to be permitted.

3 The term provenance refers to the place of origin or earliest known history of an object.
3 The ATM inventors

Many inventors acted independently as there was no Google to search for ideas. Most ATM inventors filed patent applications after their creation, generally first in their home country and usually afterwards in the United States or Europe. The U.S. Federal patent power stems from Article I, §8, Clause 8 of the U.S. Constitution, which authorizes Congress

To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries

Not all things may be patentable; in particular, the proliferation of software inventions continues today to occupy the federal courts as it has for many decades; it has enriched the legal profession which no longer has to pursue more dangerous activities, like chasing ambulances.

35 U.S. Code § 101—Inventions Patentable
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Two other provisions of 35 U.S. Code limit the applicability of § 101:
• 35 U.S. Code § 102—Conditions for patentability; novelty
• 35 U.S. Code § 103—Conditions For Patentability; Non-Obvious Subject Matter

Alas, my mother was correct and I should have gone to law school as my father did, for it is not evident to even a mathematician what these conditions really require. Even today, the pursuit of ownership of intellectual property is the subject of litigation. The question of whether software is patentable has yet to be completely resolved. Every writer is indebted to his or her predecessors who have researched this topic before and I am no exception, except that I have had the advantage of the Internet. There is a very extensive history of the ATM, which originated in both the United States, related in [1–4], and the United Kingdom, related in [5,6]. Apparently, memories are subject to some enhancements and some details are either fuzzy or just fabricated. Of course, a common proverb teaches, “truth is in the eye of the beholder” and we all acknowledge that people see things differently. We describe the inventors and their inventions, not strictly according to the date of their patent creation, but only in rough chronological order.

4 Four to six of the digits 0, 1, 2,…, 9.

3.1 Luther Simjian’s ATM patent
In 1962, Luther Simjian was issued a patent5 [7] for an early and not-very-successful prototype of an ATM.6 Luther Simjian came up with the idea of creating a “hole-in-the-wall machine” that would allow customers to make financial transactions. His ATM machine, which he called the Bankograph, was field tested at a Citigroup bank in New York. After 6 months, the bank reported that there was little demand for the new invention and thus discontinued its use. Luther was not discouraged and invented more things; a self-posing and self-focusing portrait camera, a flight speed indicator for airplanes, an automatic postage metering machine, a colored X-ray machine, and a teleprompter.

US 3,039,582 “Subscriber Controlled Apparatus”
Luther G. Simjian, Greenwich, Connecticut
Filed: April 9, 1959
Granted: June 19, 1962

5 Luther also filed and was issued a later patent [8] which incorporates an ATM photographing the deposited check. It was brought to my attention in email from Bernardo Bátiz-Lazo.
6 In [6] Bátiz-Lazo and Reid observe that Simjian’s patent describes less than a full-function ATM. However, Simjian’s patent writes “... the apparatus described hereafter is well adapted for such applications as cashing of checks, that is, accepting a check for deposit and dispensing in exchange therefore money in pre-determined amounts...”
3.1.1 Specification

This invention in general has reference to a subscriber-controlled apparatus and, more specifically, has reference to an apparatus which is rendered operative by coded subscriber identification means embodying conditional validity information and whereby the validity information is modified by the apparatus after each use. More particularly, the instant invention concerns an apparatus which is caused to be operative upon insertion of subscriber identification means, the identification means being provided with code means identifying the subscriber and establishing validity of the identification means during a pre-determined period of time.

3.2 John Adrian Shepherd-Barron’s ATM
John Adrian Shepherd-Barron born June 23, 1925, in Meghalaya, India, was the inventor of the first successful ATM. His father, Wilfrid Barron, was chief engineer of the Chittagong Port Commissioners who later became a president of the Institution of Civil Engineers. Mom, Dorothy Shepherd, was an Olympic tennis player who won the Wimbledon ladies’ doubles in 1931. John was educated in history and economics at Edinburgh University and Trinity College, Cambridge. During the Second World War, he served in the 2nd Indian Airborne Division. De La Rue’s website claims that it is now the world’s largest commercial banknote printer and passport manufacturer, a trusted partner of governments, central banks and commercial organizations around the world. John Adrian Shepherd-Barron joined De La Rue as a management trainee in 1950. Between 1957 and 1959, Barron set up the North American division of De La Rue and established a joint venture between them and Wells Fargo to create Britain’s first armoured-truck cash transit service, Security Express, and became its chairman in 1963. He married Caroline Murray, the daughter of Sir Kenneth Murray, one-time chairman of
the Royal Bank of Scotland and secured a contract to print their stock certificates for the New York Stock Exchange. At that time, De La Rue’s glory days as printer of the world’s banknotes were fading and the company was constantly seeking new ideas that could be developed into products. John Shepherd-Barron was appointed managing director of De La Rue Instruments in 1964, an eight-person division with a mission to get the ball moving. Barron claimed [4] the idea of a cash machine occurred while taking a bath. It was in response to his frustration at not being able to get access to his money on a Saturday7 having arrived at his bank on Friday a minute after closing time. An automatic banking machine, which would always be open, was the answer. First, JSB needed a technology-adventurous bank to act as a customer for the machine, and Barclays8 was the obvious target, being the most automated and computerized of all the British banks. Shepherd-Barron recalled that the deal was sealed in a 90-second conversation over a pink gin (or two) with a senior manager of Barclays’. The first machines were installed at a branch of Barclays Bank in Enfield, North London, and inaugurated on June 27, 1967. Sometimes referred to as a robot cashier, the machine was officially marketed as De La Rue Automatic Cash System (DACS). Alas, even a pink gin was not enough to invent the now familiar and ubiquitous plastic bankcard. In its place, the first DACS machine used specially printed Barclay cash vouchers for £10, which were exchanged for a packet of 10 one-pound notes. JSB thought that £10 was sufficient for a pretty wild weekend; if only he had gone to the LA branch of Barclays! John Shepherd Barron claims the idea of a personal identification number or PIN,9 though refined by his wife Caroline, who changed John’s six-digit numbers to four as it was easier to remember.
To prevent fraud, the Barclays cash vouchers10 were impregnated with a mildly radioactive chemical, which encoded a personal identification number that the user had to key in. The Shepherd-Barron ATM invention was never patented; Barclay’s lawyers had “advised [him] that applying for a patent would have involved disclosing the coding system, which in turn would have enabled criminals to work the code out”. He decided to try to keep his technology a trade secret.11 In recognition of his contributions, John Adrian Shepherd-Barron was made an OBE, the most populous order of chivalry in the British and Commonwealth honors systems. He died on May 15, 2010.

7 Bernard Bátiz-Lazo and Robert Reid’s papers [5,6] explain the history and patenting of Cash Dispensing in the UK. It contradicts JSB’s Saturday bank closing story stating that “... it was not until 1969, well after cash dispensers had proven their effectiveness, that banks stopped servicing retail clients on Saturday mornings”. As a romantic, I prefer Barron’s explanation, but as a mathematician I am obligated at least in footnotes to veritatem tantum scribere.
8 Barclays’ website claims that it has more than 300 years of history from its beginnings in Lombard Street (London).
9 The invention of the PIN is attributed to James Goodfellow (Sect. 3.3). Bernard Bátiz-Lazo and Robert Reid’s paper [5] writes “... prior to activating the machine, a manual signature was the first form of individual customers’ identification and authorization.” Of course, I like the explanation involving his wife more.
10 Bernard Bátiz-Lazo and Robert Reid’s paper [6] questions the timing of the use of the PIN in a DACS explaining they were used in later models of the DACS and were developed for the Royal Dutch Shell Corporation. Additionally, it explains “The idea [of vouchers] was that customers would purchase the vouchers from Barclays’ retail branches (during normal opening hours). These were valid for 6 months from the date of issue”.

3.3 James Goodfellow’s patented pin idea
James Goodfellow was born in 1937 in Paisley, Renfrewshire (Scotland). He is the acknowledged inventor of the Personal Identification Number (PIN) patented in 1967 in addition to an Automatic Teller Machine (ATM) technology [9]. As a development engineer for Chubb Integrated System, Goodfellow was assigned the project of developing an automatic cash dispenser in 1965. His system accepted a machine readable encrypted card, with a numerical PIN keypad. His machine was tested a month later than the one developed by John Shepherd-Barron. James Goodfellow was awarded an OBE in the Queen’s Birthday Honors in 2006 for his invention of the Personal Identification Number. A. W. Miller’s article [3] quotes Mr. Goodfellow describing his job, saying, “My task was to design the means of allowing a customer, and only a genuine customer, to actuate the dispenser mechanism. I reviewed many techniques, which may have achieved this aim. Areas researched included fingerprints, voice recognition, retinal patterns of intrinsic value equal to the maximum amount of money an ATM might provide. These approaches all foundered on technical feasibility/cost/bulk or just price/performance criteria. It was obvious that a new solution had to be found”. Concerned about the risks, Mr. Goodfellow stated, “I preferred the card to be returned to the customer on completion of the transaction. However the banks insisted on retaining the card as a receipt for the money issued, as there was not a lot of confidence in only an electronic record in 1965. As far as I know this two part security system is still the vehicle for accessing all ATMs. This has recently been introduced as a method of verification of Credit Card sales”. James Goodfellow, the Scot who invented the PIN number in 1965, was honored on March 21, 2013, during an awards dinner and ceremony at Harvard University and entered in the payments hall of fame. His patent describes the PIN concept.

US 3,905,461 “Access-Control Equipment”
Inventors: Anthony Ivan Oliveira Davies, Gerrards Cross, England and James Goodfellow, Paisley, Scotland
Filed: May 1, 1967
Issued: September 16,

Claim 1 Access-control equipment for selectively enabling access to a facility comprising first means for receiving a coded token12 presented to the equipment to read from the received token information encoded thereon, second means that is operable manually for entering into the equipment a plural-character word,13 the word entered being dependent upon manual selection, third means that is selectively operable for enabling access to said facility, fourth means to effect comparison for correspondence between said information read from the token and said word entered into the equipment,14 said fourth means including means to operate said third means to enable access to said facility in dependence upon whether a predetermined correspondence exists between said information and said manually entered word, and recording means including a printer for providing a printed record of said information.

The PIN–PAN correspondence specified in US 3,905,461 was kindly explained15 by Mr. Goodfellow;

11 I hope the California Bar will not investigate me for practicing without a license. Perhaps English intellectual property rules are different than our rule, but in U.S. patent law, the specification of a patent is a description of a way in which the inventor intends to implement the invention. It need not be the only way in which the invention can be practiced. The description must only be such that a person of ordinary skill in the art should be able to build it. He could have patented it and kept his ideas still secret.
12 ATM card.
13 Lines 30–31 in the Specification describe the PIN as being composed of the digits 0–9. The inventors use the term plurality of numbers rather than specifying the PIN length.
14 In mathematics, a function y = F(x) describes a correspondence between the values x and y. Cryptographic encipherment is an example of a correspondence.
15 Email on 3/7/2015.
“The data read and decoded from the card now did not directly correspond with the keyed data, and I called it the PAN, Personal ACCESS Number, not ACCOUNT number. In 1966 PAN was simply the tens complement of the PIN, very simple to verify electronically against the PIN. Since the card was retained, (banks insistence), customer name, sort code and account number were written on the card (no computer in branch) to be read manually.”

3.4 Geoffrey Ernest Patrick Constable’s ATM patent

In the 1980s, the National Cash Register Corporation (NCR) and Chubb Integrated Systems were involved in litigation regarding a claim of patent infringement. Chubb had purchased the patent rights of Smith Industries Limited whose assets included the ‘904 patent [10].16 Chubb and NCR claimed their ATM system was infringed by the other’s protocol to validate an ATM-user and there was litigation.17

Fig. 1 US 3,673,571
US 3,673,571 “Credit-And Access-Control Equipment”
Inventor: Geoffrey Ernest Patrick Constable, Cheltenham, England
Assignee: Smith Industries Limited, London, England
Filed: November 17, 1970
Issued: June 27, 1972

Claim 1 Access-control equipment for selectively enabling access to a facility, comprising first means18 for receiving a coded token presented to the equipment and for reading from the token19 a plurality20 of numbers encoded thereon, second means21 for entering separately into the equipment a further number,22 third means that is selectively operable for enabling access to said facility, and fourth means for comparing effectively the numerical result of a predetermined arithmetical operation involving said numbers read from the token, and the said further number entered into the equipment ... and means to operate23 said third means as aforesaid in dependence upon whether a predetermined correspondence exists10 between said number result and said further number.

Description of the preferred embodiments

The money-dispensing system represented in Fig. 1 is for installation at a bank to be operable to dispense packets of bank-notes, one at a time to authorized customers of the bank after, as well as during, normal banking hours. The customers authorized to use the system are each issued with an information-bearing token in the form of the rectangular plastics card 10 that may be used generally as a credit card. Each card, as shown in Fig. 2, bears the date of expiry and numerical information identifying the account of the customer to whom the card has been issued. This information, as well as being embossed or printed on the card in alpha-numeric characters 11, is recorded magnetically in a decimal-code form in a ferromagnetic track 12 running lengthwise of the card 10. Each customer is informed of a secret, personal-identification number that is individual to his account but cannot be deduced from the card 10 itself, and of a maximum, permissible rate of use of the card to withdraw packets of bank-notes. For the purposes of the present description it will be assumed that the maximum rate of withdrawal is once in any day.

Fig. 2 US 3,673,571

16 Constable is also named as the inventor on a patent [11] filed and issued later.
17 Two trials were held in Washington, DC at which counsel for Chubb included Stuart A. White of New York City and Thomas Vande Sande of Hall, Vande Sande & Pequignot, Potomac (Maryland). I consulted for Chubb and also testified on their behalf. The first trial found, as my analysis and testimony had concluded, that NCR infringed on Chubb; the second trial assessed damages. As preparation for my experience, I received extensive explanations of patent law from both White and Vande Sande. Subsequent education on patents during consulting for Robert Haslam, then at Heller-Ehrman (San Francisco, California), continued my legal education.
18 The term means in a patent refers to some device performing some function.
19 An ATM bank card might be a token.
20 Plurality, a multitude, state of being numerous; in the world of patent law, plurality, just means more than one.
21 Keyboard for PIN entry might be a second means.
22 The PIN.
23 Dispense cash.
[STEP 1: READING FROM BANK CARD] When the customer wishes to withdraw a packet of banknotes, he presents his card 10 to a card-reception unit 13 of the system. The unit 13 has a facia24 that is mounted in an external wall of the bank to be accessible from outside and provide an entrance 14 for the card 10. The card 10, which as shown in Fig. 2 carries dark markings 15 at one end, is inserted in the entrance 14 lengthwise with the magnetic track 12 uppermost ...

[STEP 2: PIN ENTRY] The customer is now instructed by illumination of a sign (not shown) on the facia of the unit 13 to enter his personal identification number into the system. The number, preferably of six digits, is entered using a set of ten push-buttons 42 mounted on the facia of the unit 13 and numbered 0 to 9. As the push-buttons 42 are operated one at a time to enter the digits sequentially, their values are conveyed to the comparison unit 39.

Geoffrey Constable25 was kind enough to provide me with a summary of the period 1967–1971, during which Chubb Lock and Safe in collaboration with Smiths Industries marketed ATMs. He makes a number of observations regarding the security risks and the measures Chubb and Smith instituted to counter them.
• Chubb MD2 Machine was designed, without detailed knowledge of any of the competing machines (De La Rue, Midland/Speytec) to meet the simple brief outlined by the banks. The token26 was a punched card, identical in size to a normal credit card. When the card was inserted into the receiving slot, the leading row of holes opened a gate, which permitted the card to be inserted further and enter the drive system to the card reader. The gate provided exclusivity in that cards issued to one bank could be excluded from machines owned by other banks, the entry of dirt and dust into the machine was reduced, and unauthorized (e.g. criminal) access to the drive system and card reader was blocked.
• An MD2 user was allowed three attempts to key in the correct PIN; when correctly entered, cash was dispensed in the form of a bank note in a shallow cardboard box. In all circumstances the token was retained, to be returned later to the customer, normally by post. This machine sold widely, in many countries. It helped many banks to gain experience of ATM operation and became adequately reliable. However, it soon became outdated, due largely to high back-office costs and the lack of a token that was returned to the customer after each transaction.
• It would be relatively easy for the criminal to obtain one punched card token for the MD2 plus the appropriate PIN. It would also be possible to clone27 the token many times using simple thin punched card. If these copies worked in the MD2, all the machines in an entire region could be emptied leading to a large gain for the criminal(s) plus discrediting of the machines. Thus there is a high risk of criminal success plus a huge potential pay-off—so a very effective security measure is needed to counter such a threat.
• The anti-cloning measures taken by Chubb and its competitors were to make the punched card tokens from a material that possessed easily recognized but hard-to-replicate properties, thereby ensuring that simple copies of the token would not likely work and upon seizure, would be retained for forensic examination (it worked and the Chubb anti-cloning strategy remained uncompromised during the life of the MD2). An initial security measure was to scatter the PIN punched hole positions throughout the entire punched card field. This scheme was evaluated and found defective and replaced by one requiring a six-digit PIN.
• A different type of threat related to the production of tokens. The PIN to be associated with each PAN had to be selected in an appropriately random manner. If, for example, a recurrent pattern was detected that enabled sequences of PINs, there would be an exposure. How was PIN related to the PAN? We used a pseudo-random number generator implemented by a feedback shift register; the PAN —all 14 digits (account number plus sort code) or all 16 digits (credit card account number) used as seed and the PIN obtained as a result.
• The concept of a retained token was not convenient for either the bank or its customers. A re-usable card machine was a necessity; National Cash Register Corporation (NCR) had entered the market with just such a machine. The successors of the MD2 replaced the token by bankcards with data magnetically recorded.

24 A flat piece of material.
25 In a lengthy email on 3-10-15 from Mr. Constable.
26 The encoded token contained the account number (8 digits), (national) sort code (6 digits), an expiry date (6 digits) and a PIN (at least 4 digits).
27 In biology, cloning is the process of producing similar populations of genetically identical individuals that occurs in nature. In technology, the term also refers to the production of multiple copies of a product such as digital media or software. The term clone is derived from the Greek word, referring to the process whereby a new plant can be created from a twig.

3.5 Donald C. Wetzel’s ATM patent
Donald C. Wetzel was born in New Orleans (Louisiana) and attended grade school, high school and college there. He graduated from the University of Loyola in New Orleans in 1951 with a Bachelor’s degree in foreign trade. He played professional baseball while attending college, as a shortstop for 3 years with the New York Giants farm system. Putting aside his spikes and glove upon graduation, he started working for the Service Bureau Corporation, a subsidiary of IBM. They processed applications for clients such as payroll, accounts receivable and sales analyses on their IBM machines. Wetzel’s initial responsibility was as a machine operator, processing punch cards. In an interview at the National Museum of American History (NMAH) [12], he states “long hours, but it was a good experience too.” He was made a supervisor and eventually became the branch manager in Fort Worth (Texas). A turning point in his business career occurred when he became a systems engineer in San Antonio. An IBM salesman would sell a customer the IBM hardware for certain applications and Wetzel would write procedures. Early in his career, in the absence of computers, it was Wetzel’s responsibility to make sure all the control panels were wired properly, to test the reports the hardware issued and to train the client’s personnel. Wetzel then began to study programming as computers began to appear. It was just before the emergence of the 1401 era at IBM. At this time, IBM organized into specialized industry territories, and Don Wetzel was appointed as the sales representative for the banking community in San Antonio. His dominion included all the banks, credit unions and savings and loan institutions. He became IBM’s special representative for the banking industry and was promoted in 1963 to be one of the managers in Houston (Texas).
IBM offered to transfer him to their headquarters in Armonk (New York). He believed that it was a staff job and did not want to go. Wetzel moved northwest from Houston to Dallas in 1968 when he accepted an offer from a friend and former IBM colleague to work as Vice President of Product Planning at Docutel, a company that had developed automated baggage-handling equipment. Don Wetzel relates in [12] that his ATM epiphany occurred while waiting in line at a Dallas bank. The first Wetzel ATM was installed at the Nassau County Rockville Center (New York) Chemical Bank. He wrote that “no, it wasn’t in a lobby, it was actually in the wall of the bank, out on the street. They put a canopy over it to protect it from the rain and the weather of all sorts. Unfortunately they put the canopy too high and the rain came under it. One time we had water in the machine and we had to do some extensive repairs. It was a walkup on the outside of the bank. That was the first one. And it was a cash dispenser only, not a full ATM... We had a cash dispenser, and then the next version was going to be the total teller (created in 1971), which is the ATM we all know today—takes deposits, transfers money from checking to savings, savings to checking, cash advances to your credit card, takes payments; things like that. So they didn’t want just a cash dispenser alone.”

US 3,761,682 “Credit Card Automatic Currency Dispenser”
Inventors: Thomas R. Barnes, Dallas; George R. Chastain, Irving; Don C. Wetzel, Dallas, all of Texas
Assignee: Docutel Corporation, Dallas
Date Filed: October 7, 1971
Date Granted: September 25, 1973

Don Wetzel and his co-inventors Tom Barnes and George Chastain also developed the ATM cards, with a magnetic stripe and personal ID number to get cash. ATM cards had to be different from credit cards (then without magnetic stripes) so account information could be included.
Wetzel’s PIN-PAN authentication²⁸ uses the word scrambling, which is usually synonymous with encryption by symbol transposition. The Abstract contains the following statement: After checking the credit card format, coded information thereon is evaluated to check the user’s identity prior to authorizing him to receive cash from the machine. The evaluation consists of descrambling the coded PIN (on the bankcard) and comparing the result with the user-entered PIN. The scrambler is implemented in hardware (Fig. 3). The patent describes some innovations: after a successful cash withdrawal, the contents on the card are updated, and the use of the card (withdrawals per time interval) is limited. As dieticians advise us, eat sparingly, live longer.

Fig. 3 (Figs. 1, 3) in US 3,761,682. Fig. 3 is a perspective view of a currency packet delivery/card transport system for the dispenser (ATM) of Fig. 1

From the inventors’ description:

[C2, L3–18] Upon the acceptance of a coded document [bankcard] by the dispensing apparatus of the present invention, the document proceeds to a first station where scrambled coded information stored thereon is read and sent to unscrambling logic. A customer’s personal identification code as read from the presented document is checked by comparison with a code manually inserted by the user. If the coded customer identification number and the inserted identification number do not agree, the user is instructed to re-enter his personal code. This operation will be repeated until the customer inserts the correct code or a favorable comparison does not result after three attempts. If on the third attempt the stored code and the entered code do not agree, the coded document is transported to an internal storage bin and not returned to the user.

[C2, L29–40] After the code on the document as presented is read and sent to the unscrambling logic, a descrambler converts the data into a series of separate, logically arranged data words. These data words, after being checked and updated as explained previously, are scrambled in accordance with a scrambling key to produce a code arrangement different from the arrangement as read. Upon completion of the scrambling, the document is recoded with the updated scrambled data. The code changing logic also includes circuitry for generating a different scrambling key for subsequent readings of the same coded documents.

²⁸ References [1,3] cite John D. White and Kenneth Goldstein of Docutel as inventors. They filed the patent “Credit Card Automatic Currency Dispenser” on an earlier date, July 29, 1970, and it was granted as US #3,662,343 on May 9, 1972. The assignee was also the Docutel Corporation. Remarkable coincidence perhaps, but the White and Goldstein patent contains the same three figures as shown in Wetzel et al. Novelty is a necessary condition for patentability as described in 35 U.S. Code § 102. For Wetzel to obtain a patent on the same idea and after the filing date of the White patent must mean something. Perhaps this should be referred to the disciplinary committee of ...

3.6 Speytec-Burroughs ATM patent

The last of the ATM inventors to be described came about because of a misunderstanding, although the word greed is perhaps more appropriate. The extensive historical details are carefully explained by Bátiz-Lazo and Reid [5,6]; here, we only give the overture. The Committee of London Clearing Banks (CLCB) was formed in 1821 as the Committee of Bankers to oversee the London Clearing House.²⁹ The CLCB also came to represent the interests of the London private and joint stock banks and later the “Big Five” clearing banks. It was renamed the Committee of London and Scottish Bankers in 1985 and was subsumed into the British Bankers’ Association in 1991. Barclays became a bit greedy in 1966 and disagreed with the rest of the oligarchs of CLCB, who apparently did not want any member bank to enjoy the exclusivity from the current ATM purveyors. Barclays ordered six of the devices as prototypes with a view to purchasing 250 additional machines. Barclays had contacted De La Rue, further requesting them to provide their DACS only to them. It is important to remember that the ATM business was still in its infancy at this time. Barclays’ greediness produced a response: Sir Archibald Forbes, chairperson of the Midland Bank. As he was born in Scotland, he naturally played golf. On one such occasion it was with Sir Ralph Gordon Smith, the chairman of S. Smith’s and Sons. Sir Forbes suggested that Sir Gordon’s firm develop an alternative device to DACS. It would be a partnership in conjunction with Chubb & Son’s Lock and Safe Co. Established in 1818, Chubb had years of experience in providing security services to financial institutions (safes) and would be an ideal partner with Smiths. All ATM systems need physical security, to defend against letter-opener attacks and other youthful pleasures. The marine systems arm of the then Rutherford-Smith (Smith’s Industries), in Hillington, Glasgow, Scotland, might design the security aspects of the DACS-sequel device. Greediness prevailed when Midland Bank parted company with Chubb, having failed to secure the exclusive supply of Chubb’s cash dispenser. Therefore, not wanting to miss out on the future ATM business, Midland Bank awarded a contract in the summer of 1966 to a small engineering outfit called Speytec to develop their machine. Based in Croydon, south London, Speytec was established by John Edwards, Len Perkins, Simons, and Young; like RSA, their corporate name is nearly an anagram of E, P, S and Y, the initial letters of their last names. Midland Bank instructed its General Manager to have Speytec work to “develop an alternative approach: to the Chubb and De La Rue systems” consulting with the National Physical Laboratory (NPL).³⁰ There was a security concern about the possibility of a legitimate user cloning or duplicating their card and vastly overdrawing their account. The DACS and Chubb cash-issuing systems had anti-cloning measures: the Barclays system used tokens impregnated with radioactive material, and the Chubb system had three non-obvious bursts of magnetic recording along one edge. Speytec had an existing capability³¹ in magnetic technology; its ATM had a series of magnetic spots hidden under a printed arrow. These spots could be measured more accurately than they could be reproduced, thus making each card individual. Online banking dispensed with the need for the anti-cloning features.

²⁹ The term clearing refers to the settlement process for checks between the banks.
Speytec embarked on designing the currency dispenser from first principles and, with NPL reporting on improvements to the security systems, they developed a system in which an ATM card could be returned to the clients as part of the cash delivery, dispensing fixed amounts of currency while the magnetic stripe recorded the number of withdrawals. Bátiz-Lazo and Reid concluded that Speytec’s solution was clearly distinct from the Chubb and De La Rue systems, where the cards and vouchers were retained and processed as checks drawn on cash. However, Speytec imposed limitations on the use of its cards. An NPL review found it possible to copy their soft plastic punched cards, although the PIN itself could not be read from the card. Speytec responded to the NPL report by introducing several changes to the coding and moved to a plastic credit-card-sized token resulting in four magnetic tracks to store the customer’s six-digit secret number. The Burroughs Corporation³² in Detroit (Michigan) was the chief supplier of Midland’s computer equipment. Burroughs bought Speytec in May 1969, and it became a division of the UK subsidiary. The Midland Bank passed on its technology to Burroughs and ordered 500 cash dispensers from them. Burroughs filed patents in England and in the United States:

GBD1329964 “Apparatus for Dispensing Items in Response to the Presentation of a Security Card”
Assignee: Burroughs Corporation
Date Filed: September 9, 1969
Date Issued: September 12, 1973
Description: An item dispensing apparatus receives from a customer a security card carrying magnetically recorded data in scrambled form, decodes the scrambled data, and dispenses an item only when the card, together with further information entered into the apparatus by the customer, is deemed valid.

US 3697729 “Dispensing System and Security Card for use Therewith”
Inventors: John David Edwards, 21 Heathhurst Road, Sanderstead, Surrey; Leonard Perkins, 3 Amhurst Gdws., Ealing, London W 13; John Henry Donald, 34 Chamberley Avenue, London SW20; Peter Lee Chappell, 24 Doodcrest K I, Surrey, all of England; Sean Benjamin Newcombe 73, Lynnmouth Crescent, Rumney, Cardiff, Wales; Malcolm David Roe, 22 Elmhurst Avenue, Surrey, England
Assignee: Burroughs Corporation
Date Filed: September 1, 1970
Date Published: October 10, 1972
Description: Apparatus for dispensing items desired by the user in response to the introduction of a valid security card and additional predetermined information. The apparatus includes means for reading data from the security card, keyboard means for introducing additional information and electronic logic for determining the validity of the card and the validity of the predetermined information. A security card is provided including a first area to record the number of uses of said card and a second area to record the date of the last use. The apparatus includes logic to prevent dispensing and to retain the card if the card has been used more than a predetermined number of times or more than once within a predetermined time interval.

The word scrambling is used as a generic for encryption.

³⁰ The National Physical Laboratory (NPL) was founded in 1900 “for standardizing and verifying instruments, for testing materials, and for the determination of physical constants.” It is one of the oldest standardizing laboratories in the world.
³¹ See Figure 1 in [5, p. 36].
³² The Burroughs Corporation was a major American manufacturer of business equipment. The company was founded in 1886 as the American Arithmometer Company, and after the 1986 merger with Sperry Univac was renamed Unisys.
4 Authenticating the PIN-PAN: mechanisms

Today’s ATM transaction protocol is essentially the same as described in the inventions cited in Sects. 3.2–3.6: a customer initiates an ATM transaction by inserting the bankcard into the ATM’s slot (card reader); the PAN is read and the customer is then prompted to enter the PIN at a keyboard. It is necessary to verify the correctness of the PAN → PIN derivation. A table containing the valid pairs (PAN, PIN) for each customer must exist at least conceptually somewhere in the bank’s cyberspace. Setting aside the issue of the table security, authentication by means of table reference might work if only a few people used an ATM. In such a table-lookup protocol, the PIN can be selected either by the customer or institution. The former possibility is attractive for marketing the system, making the customer feel that she/he is participating in the security of the system and, if something goes wrong, the customer can be made to feel at least partially responsible! Of course, table-lookup is infeasible when the number of customers is very large; in 2003 there were more than fifteen billion ATM transactions and forty-seven billion in 2012 [13]. And how will my ATM transactions be managed by table-lookup, while I am on a vacation in Tahiti?

Susan K. Langford’s presentation at the 1st CACR Information Security Workshop³³ [14] begins by describing the history of the banking security management. She notes that the PAN and PIN were originally transmitted in the clear, from the ATM for verification. Even when transmissions were enciphered to lessen the exposure to wire-tapping, software was used for authentication and IT employees might have access to such information. At least conceptually, a table exists somewhere in the bank’s cyberspace containing the proper pairs (PAN, PIN) for each customer.
The reliability of computing systems in the 1970s and the need for periodic system maintenance almost mandated the use of banking systems with two modes of operation:
• On-Line, meaning the identification of a user is performed remotely by the bank’s computing system, and
• Off-Line, meaning the identification of a user is performed locally at the banking ATM.
The banks intended initially to allow both modes of operation to coexist; during normal operation, the authentication would be performed at the bank’s computing system. When the system was down for repair or maintenance, authentication would be carried out at the ATM. The limited capability of ATMs and the fact that the list of customers might grow to several millions of customers imply that tables such as those described before cannot be stored anywhere. There is also a significant logistics problem with new customers applying for an ATM card each day; new customers are added, some are dropped. Moreover, banks wanted to cross state boundaries and form networks, which would require changes to be made nationally. It might be possible to make these changes by teleprocessing the table changes from the bank’s computing system, but this further exposes the system to wiretapping. The solution was to make PAN and PIN functionally related; that is, a functional relationship $\mathrm{PIN}_j = f(\mathrm{PAN}_j)$ where $f$ is complicated. Authentication would involve checking if the same relationship existed between the keyboard-entered $\mathrm{PIN}_j$ and the $\mathrm{PAN}_j$ read from the bankcard.

Although this issue was not imagined in the 1970s, today international banking raises a second question. Will a transaction be authenticated at the acquiring bank at which it is made or the issuing bank where the customer’s bankcard was issued? If these are different, a cash withdrawal comes from the acquiring bank’s funds and must be debited and repaid nearly instantly by the issuing bank. While banks protect all money in their custody, their money is more preciously guarded. In today’s international ATM network, this implies that the pair (PIN, PAN) entered at an acquiring bank would need to be conveyed to the issuing bank to be authenticated.

4.1 Cryptography and the ATM user’s PIN and PAN

The solution today seems obvious: in order to make the (PIN, PAN) relationship $E(K, \mathrm{PAN}_j) \rightarrow \mathrm{PIN}_j$ unfathomable, or undecipherable, make use of the ideas from cryptography.³⁴ The notation → is used to indicate that $E(K, *)$ is some form of encipherment of the quantity * using a secret cryptographic key K. In other words, → means that $\mathrm{PIN}_j$ is in some way derived as a result of the encipherment or encoding operation involving the PAN and the secret key K. There are drawbacks in the context of the ATM, namely
• the key may be needed for authentication at every bank issuing the particular flavor (network/issuer) of the ATM card, and
• the customer could not choose his or her PIN.

³³ The Centre for Applied Cryptographic Research (CACR) is located at the University of Waterloo in Waterloo, Ontario, Canada. They carry out research in the field of cryptography.
³⁴ The word cryptography is derived from the Greek words kryptos, meaning hidden, and graphien, meaning to write.
There was a simple remedy for involving the customer since it seemed attractive to have the customer choose the PIN. This could be facilitated by recording on the ATM card both the PAN and a second quantity, the PIN offset (O-PIN). This second value, when combined with the Customer-selected PIN (U-PIN), would yield the True-PIN (I-PIN), derived directly from the encryption E(K, PAN) of the customer’s PAN.

4.1.1 Horst Feistel and IBM

Hindenburg Ernst Richard Horst Feistel was the son of Richard Feistel and Helene Freudenreich Feistel of Frankfurt an der Oder (Germany). He was born on January 30, 1915 in the city, which in three decades would be referred to as (East) Berlin and become the focus of the cold war. Feistel joined the Computer Science Department at the IBM Research Center in 1968. I became his manager when he transferred to the Mathematical Sciences Department in 1971. His cryptographic contributions are described in [15]; a second paper [16] on his pre-IBM life, his transformation from physicist to cryptographer, will also appear. On June 30, 1971, the IBM Corporation filed a U.S. patent application entitled “Block Cipher Cryptographic System” with Horst Feistel named as the inventor. The Invention Secrecy Act of 1951 (35 USC §§ 181-8) is a body of United States law designed to prevent disclosure of new inventions and technologies that, in the opinion of selected federal agencies, present a possible threat to the national security of the United States. Before foreign patent coverage can be applied for, a patent application must first be filed in the United States and reviewed by government agencies selected by the Patent Office.³⁵ The Commissioner of Patents issues a secrecy order to stop the patent process in instances where the publication of an application or the granting of a patent may be detrimental to national security. If in the 6 months after the submission of a patent application in the United States no secrecy order results, patent applications outside the United States may proceed. Since the patent’s title incorporated the term cipher, NSA quickly realized they had an interest. It took NSA nearly a year and a half, but it resulted in a secrecy order issued on October 17, 1973. Papers by Feistel [17], his colleague Smith [18] and Sorkin [19] had or would soon appear. They let the cat out of the bag, describing the innards of Horst’s algorithm LUCIFER, and the secrecy order seemed ludicrous. Nevertheless, the government continued to push for secrecy. After much hand wringing and debate, the secrecy order was lifted on November 14, 1973 and the U.S. Patent Office issued US#3798359A on March 19, 1974.

³⁵ Described in 35 U.S.C. 184 Filing of Patent Application in a Foreign Country.
Horst Feistel’s research might have been just IBM-supported blue sky³⁶ and not found any commercial application, except that IBM now entered the crypto-business. IBM began the development of their 2984 (Cash Issuing Terminal) in 1968 in connection with their contract with the Lloyds Banking Group. The IBM 2984 became an early component of the Lloyds Bank Cashpoint System. Now referred to as an ATM (Automated Teller Machine), an IBM 2984 became operational in 1972 in Essex, England. The Systems Communication Division (SCD), located along the Hudson River in Kingston (New York), was assigned responsibility for the crypto-product development. As a first step, IBM SCD needed to identify an appropriate encipherment algorithm. SCD initially considered the Hill cipher to provide the connection between the PIN and PAN in an ATM transaction. While Hill encryption has a potentially large key space, its encryption is a linear transformation and therefore susceptible to a (partial) known plaintext attack. Walter Tuchman, the IBM project manager, quickly realized the weakness of the Hill cipher. As Hesiod (∼800 BC), the Greek didactic poet recognized, “timing is everything;” LUCIFER was available and IBM and SCD decided to modify it, referring internally to it as DSD-1. Close technical cooperation developed between the Yorktown and Kingston groups in the process. DSD-1 was incorporated in the IBM 2984 and became the Data Encryption Standard (DES), the Federal Information Processing Standard (FIPS) [20], first in 1976 and renewed several times. Walter Tuchman, who managed IBM’s SCD encryption effort, was one of the team that implemented³⁷ DES. He also proposed triple DES (3DES), also affirmed by NIST in 1999. If we use the notations

$$y = \mathrm{DES}(K, x), \qquad x = \mathrm{DES}^{-1}(K, y) \tag{1a}$$

for the DES-encipherment y of plaintext x using the key $K = (k_3, k_2, k_1)$, then 3DES is defined by

$$y = \mathrm{3DES}(K, x), \qquad y = \mathrm{DES}(k_3, \mathrm{DES}^{-1}(k_2, \mathrm{DES}(k_1, x))) \tag{1b}$$

If $k_2$ equals either $k_1$ or $k_3$, then 3DES reduces to the ordinary 56-bit DES encipherment. The full-fledged 3DES has a key of length 168 = 3 × 56 bits. Equation (1b) does not describe the version of 3DES as used in the ATM community. The 3DES key K used today for ATM encipherment is only of length 112 = 2 × 56 bits, composed of two 56-bit keys, say $k_2$ and $k_1$. The encipherment of plaintext x into ciphertext y by the key is of a much more convoluted form than shown above in Eq. (1b). It is specified in Eqs. (2a, b).

³⁶ Creative ideas that are not limited by current thinking or beliefs.
³⁷ In addition to Horst Feistel’s patent, IBM was also issued US #3,962,539 “Product Block Cipher System for Data Security”, describing the design of DES; it was filed by IBM Kingston on June 28, 1976. Listed as inventors were William Friedrich Ehrsam, Carl H. W. Meyer, Robert Lowell Powers, John Lynn Smith and Walter Leonard Tuchman.
4.1.2 3DES encryption of PAN

• Block 1 (B1): 16 digits = PAN
• Block 2 (B2): 16 digits = Expiration date of Card (4) || Service Code (3) || Pad (9)

$$X = \mathrm{PAN}, B_1, B_2 \qquad Y = \mathrm{3DES}(K, X) \qquad K = K_1, K_2 \tag{2a}$$

$$\begin{aligned}
Y_1 &= \mathrm{DES}(K_1, B_1) \oplus B_2 \\
Y_2 &= \mathrm{DES}(K_1, Y_1) \\
Y_3 &= \mathrm{DES}^{-1}(K_2, Y_2) \\
Y_4 &= \mathrm{DES}(K_1, Y_3) \\
Y &= Y_4
\end{aligned} \tag{2b}$$

Why use only the two-key version of 3DES, when it would seem to improve the strength of encryption to use a key of 168 bits? Let me add that (i) IBM was strongly criticized for submitting to NIST the DES algorithm with the unseemly key length of 56 bits and (ii) on occasion³⁸ the key was shamefully referred to as being of length 64 bits by including the check digits. The surprising answer described in Sect. 6.4 is that in some cryptographic instances, less frequently than for humans regarding consumption of food and alcohol, more key is less security.

4.1.3 The IBM 3624 PIN–PAN relationship

The IBM 3624 was a late 1970s second-generation automatic teller machine (ATM), a successor to the IBM 3614 and the much earlier IBM 2984. Two versions of the IBM PIN Algorithms are described in an IBM publication [21]; the second version, for the German Banking Pool (GBP),³⁹ is a slight modification of the first. The IBM Manual [21] specifies the operations, defining
1. the true PIN, aka the Intermediate PIN (I-PIN),
2. the relationship between the
 * I-PIN,
 * U-PIN (Customer-Entered PIN) and
 * O-PIN (PIN-Offset), and
3. how the relationship is verified.

4.1.4 3624 Derivation of the intermediate PIN

(a) Encode account number (PAN) as 0000AAAAAAAAAAAA;
(b) 3DES encrypt under a PIN Derivation Key (PDK);
(c) Use the leftmost four hexadecimal digits to define the HEX-PIN;
(d) Convert each of the four hexadecimal digits of the HEX-PIN to one of the decimal digits 0, 1…9 according to the following table, thus defining the Intermediate PIN (I-PIN) (Table 1).

Table 1 Standard decimalization Table
Hex: 0 1 2 3 4 5 6 7 8 9 A B C D E F
Dec: 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5

$$\mathrm{PAN}, \mathrm{PDK} \rightarrow E(\mathrm{PDK}, \mathrm{PAN}) \rightarrow \text{I-PIN}$$

4.1.5 3624 Derivation of the PIN-Offset

The PIN offset generation algorithm requires two parameters in addition to those used in the 3624 PIN generation algorithm: a customer-selected PIN and a 4-bit PIN check length. The length of the customer-selected PIN is equal to the assigned-PIN length, n.
(a) The 3624 PIN generation algorithm is performed.
(b) The PIN-Offset data value (O-PIN) is the result of subtracting (modulo 10) the leftmost n digits of the I-PIN from the customer-selected U-PIN.
 – The modulo 10 subtraction is digit-by-digit (without borrow).
 – The rightmost m digits of the offset data constitute the PIN-Offset.
 – The integer m is specified by the PIN check length.⁴⁰
 – The integer n is constrained to be at least m.

$$\text{O-PIN} = \text{U-PIN} - \text{I-PIN} \pmod{10}$$

$$\mathrm{PAN}, \mathrm{PDK} \rightarrow E(\mathrm{PDK}, \mathrm{PAN}) \rightarrow \text{I-PIN}$$

³⁸ Never by me!
³⁹ A consortium of German banks.
⁴⁰ For GBP PIN calculations m is set to 4 and n is set to 6.

4.1.6 3624 Validation of the customer-entered PIN

The validation algorithm requires the following input parameters:
(a) 64-bit validation data (PAN);
(b) 64-bit decimalization table;
(c) 112-bit PIN verification key⁴¹;
(d) offset data; the rightmost 4 digits of the offset data constitute the O-PIN;
(e) Customer-Entered U-PIN.

The validation proceeds according to the following steps:
1. This algorithm repeats the encryption process starting with the PDK and PAN, generating the Intermediate PIN (I-PIN):
$$\mathrm{PAN}, \mathrm{PDK} \rightarrow E(\mathrm{PDK}, \mathrm{PAN}) \rightarrow \text{I-PIN}$$
2. The leftmost 6 digits of the decimalized I-PIN are added digit-by-digit modulo 10 (without carry) and then the rightmost 4 digits of the result of the addition are extracted yielding the O-PIN.
3. The leftmost digit of the extracted value is checked for zero. If the digit is zero, the digit is set to one; otherwise, the digit remains unchanged. The resulting four digits are compared with the customer-entered U-PIN.
 – If they match, PIN verification is successful;
 – Otherwise, verification is unsuccessful.
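An added example (not taken from the paper or from the IBM manual [21]) that carries the 3624 steps of Sects. 4.1.4–4.1.6 through in Python: I-PIN derivation with the decimalization of Table 1, offset generation, and validation of an entered PIN using the relation O-PIN = U-PIN − I-PIN (modulo 10). Assumptions of this example: HMAC-SHA256 truncated to 64 bits stands in for the two-key 3DES encryption (Python's standard library has no DES), the account field is taken as the rightmost 12 PAN digits, n = m = 4, and the GBP six-digit and leading-zero handling is not modelled; the key and PAN are constructed sample values.

```python
"""IBM 3624-style PIN offset scheme: derive I-PIN, compute O-PIN, verify."""
import hashlib
import hmac

# Table 1 of the paper: hex digit -> decimal digit (A-F wrap around to 0-5).
DECIMALIZATION = "0123456789012345"


def standin_encrypt(pdk: bytes, block: bytes) -> bytes:
    """STAND-IN for the two-key 3DES encryption of one 64-bit block.

    Assumption of this example: HMAC-SHA256 truncated to 8 bytes replaces
    3DES so the code runs with the standard library only. Pass a real
    3DES-ECB function with the same signature to get actual 3624 values.
    """
    return hmac.new(pdk, block, hashlib.sha256).digest()[:8]


def pan_block(pan: str) -> bytes:
    """Step (a): encode the PAN as 0000AAAAAAAAAAAA (16 digits = 64 bits).

    Assumption: the 12 A digits are the rightmost 12 digits of the PAN.
    """
    if not (pan.isascii() and pan.isdigit()) or len(pan) < 12:
        raise ValueError("PAN must be at least 12 decimal digits")
    return bytes.fromhex("0000" + pan[-12:])


def decimalize(hex_digits: str) -> str:
    """Step (d): map each hex digit through the decimalization table."""
    return "".join(DECIMALIZATION[int(h, 16)] for h in hex_digits)


def derive_ipin(pan: str, pdk: bytes, n: int = 4, encrypt=standin_encrypt) -> str:
    """Steps (a)-(d): I-PIN = decimalized leftmost n hex digits of E(PDK, PAN)."""
    ciphertext = encrypt(pdk, pan_block(pan))
    return decimalize(ciphertext.hex()[:n])


def _digitwise(a: str, b: str, sign: int) -> str:
    """Digit-by-digit modulo-10 arithmetic, without carry or borrow."""
    if len(a) != len(b) or not (a.isdigit() and b.isdigit()):
        raise ValueError("operands must be decimal strings of equal length")
    return "".join(str((int(x) + sign * int(y)) % 10) for x, y in zip(a, b))


def sub_mod10(a: str, b: str) -> str:
    return _digitwise(a, b, -1)


def add_mod10(a: str, b: str) -> str:
    return _digitwise(a, b, +1)


def make_offset(pan: str, pdk: bytes, chosen_pin: str, encrypt=standin_encrypt) -> str:
    """Sect. 4.1.5: O-PIN = U-PIN - I-PIN (mod 10); this value goes on the card."""
    ipin = derive_ipin(pan, pdk, len(chosen_pin), encrypt)
    return sub_mod10(chosen_pin, ipin)


def verify_pin(pan: str, pdk: bytes, offset: str, entered_pin: str,
               encrypt=standin_encrypt) -> bool:
    """Sect. 4.1.6: recompute I-PIN from PAN and key, add the offset, compare."""
    if len(entered_pin) != len(offset):
        return False
    if not (entered_pin.isascii() and entered_pin.isdigit()):
        return False
    expected = add_mod10(derive_ipin(pan, pdk, len(offset), encrypt), offset)
    return hmac.compare_digest(expected, entered_pin)


if __name__ == "__main__":
    pdk = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    pan = "4000001234567899"                                  # constructed PAN
    offset = make_offset(pan, pdk, "2468")
    print("I-PIN       :", derive_ipin(pan, pdk))
    print("O-PIN       :", offset)
    print("right PIN   :", verify_pin(pan, pdk, offset, "2468"))
    print("wrong PIN   :", verify_pin(pan, pdk, offset, "2469"))
    # A PIN change rewrites only the offset; the key and the I-PIN stay fixed.
    new_offset = make_offset(pan, pdk, "1357")
    print("after change:", verify_pin(pan, pdk, new_offset, "1357"))
```

Because the I-PIN is a function of the PAN, an offset copied onto a card carrying a different PAN stops validating except by a 1-in-10^4 coincidence; the key never has to leave the verifying system, and the card stores only the offset.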
5 Threats to ATM banking from the shadow⁴²

As Professor Ross Anderson of the Computer Laboratory of Cambridge University (England) has documented [22], the initial source of the threats to ATM security came not from cryptanalysis⁴³ or other sophisticated attacks. It arose from careless and incompletely evaluated design policies of the issuers. An additional contributing issue was the assignment of legal responsibility for charging customers for either alleged or willful fraudulent misuse of a bank’s ATM card. A phantom withdrawal refers to a cash withdrawal from an automatic teller machine where money has been withdrawn from an account, and neither the customer nor the bank admits liability. If the banks are unable to find any error on their side, they conclude that the withdrawals were done by the customer. The bank’s security experts attribute phantom withdrawals to the criminal activity done using the banking network itself. Anderson [22] also notes that the legal status of claimed fraudulent withdrawals was still not entirely resolved as of 1993. As a result of a 1980 court decision in New York, the Federal Reserve passed regulations protecting the customer unless fraud could be proved. Many US banks accordingly installed cameras at ATM machines to protect their interests.

⁴¹ The IBM Reference Guide [21] describes this mode of DES3 in which the keys K1 (=K3) and K2 are 8 bytes (64 bits) long. A key is coded using IBM’s traditional Extended Binary Coded Decimal Interchange Code (EBCDIC). This 8-bit character encoding is used mainly on IBM mainframe and IBM midrange computer operating systems.
⁴² Lamont Cranston, alias the Shadow, was a 1940s super hero battling villainy. phan·tom noun: a ghost, a figment of the imagination, denoting a financial arrangement or transaction that has been invented for fraudulent purposes but that does not really exist.
⁴³ Cryptanalysis refers to the study of cryptosystems with a view to finding weaknesses in them that will permit retrieval of the plaintext from the ciphertext, without necessarily knowing the key or the algorithm.

And now a somewhat lengthy and non-mathematical example of how criminals faithfully observe Keep It Simple Stupid (KISS), a 1960 design paradigm of the U.S. Navy, in their enterprises. Our English cousins may be kissing, but their banks are very stingy. Charles Arthur relates the story.⁴⁴ The Financial Services Authority’s Moneymadeclear website claims that a bank customer’s liability for unauthorised transactions before reporting them to the bank will usually be capped at £50 unless you were “grossly negligent” in keeping your details safe. English banks are guided by the Financial Ombudsman Service’s (FOS) previous findings in similar disputes, though their spokespeople are keen to stress that every case is examined on its individual merits. In 1990, the Hon. Alistair Kelman of Bailey, a barrister (an English attorney arguing cases in front of a judge) specializing in intellectual property law, entered the scene. He was counsel in 1992 to the Group Action against all the UK banks and building societies, which represented about 2000 existing or potential plaintiffs. At that time ATM cards had no security features and simply magnetically recorded some information on bankcards, including the bank-issued PIN. Often, the PIN was written in the clear on the card. Indeed, it is claimed that one bank issued the same PIN to all its customers [22, p. 35].

Alain Job was an asylum seeker from Cameroon, who came to the UK and was given rights to stay but was not permitted to work.
He financially managed through the help of friends, charities and family. But owing to the UK immigration policy he led a fairly hectic life and had to move around a lot. Following the Home Office’s dispersal policy, Job was moved to Nottingham where he received some 350 hate mails that forced him to move back to Reading where his wife subsequently died. Alain Job sued UK bank Halifax Bank of Scotland (HBOS) in March 2007 over eight phantom withdrawals made from his account in February 2006. Job maintained that he did not withdraw, or authorize anyone else to withdraw, a cumulative £2100 ($3100). Job decided to sue after the Financial Ombudsman Service (FOS), which mediates disputes between banks and customers, sided with HBOS. One key difficulty for anyone wishing to litigate against a UK bank has been the risk of the bank seeking costs against them—and hounding the litigator into the ground with attachments of earnings, charges on homes and other incidentals. Kelman observes that Mr. Alain Job was therefore, in some respects, the ideal claimant, someone who had no assets, lived in rented accommodation and by law was not allowed to take paid employment. In making his order the judge ordered that Mr. Job be paid £15,000 towards HBOS costs but this order will never be satisfied because there are no assets which could be attached. Everyone wins!
Mr. Arthur writes in [23] that Kelman met Andrew Stone,45 an ex-con who had been done for fraud [arrested, charged, convicted], who claimed to have taken £750,000 from ATMs by combining techniques such as shoulder surfing46 and grabbing the transaction receipts (which in those days often had the full account number on them). Stone, who was soon returned to prison, was proof that criminals could make phantom withdrawals. Ross Anderson, an expert consultant to Kelman on the case, explained [23] that “Stone had been working with building access systems using cards with magnetic stripes, and one day he thought he’d see what it could read of his ATM card. Then he tried it with his wife’s.” Stone figured that the stream of digits was probably an encrypted PIN. “Since it is possible to change the content of the magnetic strip, he wondered what would happen if he changed the number on his card to match his wife’s. He found he could get money out using his old PIN.” The bank Stone used had not used the account number to encrypt the PIN on the card, meaning that any card for that bank could be changed and used to make withdrawals on any other account in it, providing you knew the right details (such as branch sort code and account number; the name of the card holder of course was unimportant, because it was not on the stripe). And now, Stone could pick up those discarded ATM receipts until the police caught up with him.
44 http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/.
45 In 1996, Andrew Stone, a computer security consultant from Hampshire in the UK, was convicted of stealing more than £1 million by pointing high-definition video cameras at ATMs from a considerable distance, and by recording the card numbers, expiry dates, etc. from the embossed detail on the ATM cards along with video footage of the PINs being entered. After getting all the information from the videotapes, he was able to produce clone cards which not only allowed him to withdraw the full daily limit for each account, but also allowed him to sidestep withdrawal limits by using multiple copied cards. In court, it was shown that he could withdraw as much as £10,000 per hour by using this method. Stone was sentenced to 5 years and 6 months in prison.
46 Shoulder surfing is using direct observation techniques, such as looking over someone’s shoulder, to get information.
5.1 Banking networks
Networks of various types start small; when Alexander Graham Bell and Thomas A. Watson talked by telephone to each other on October 9, 1876, the connection was over only a two-mile wire between Cambridge and Boston, both in Massachusetts. The same is true of the financial networks supporting the authorization and settlement of ATM transactions. They are referred to today as electronic funds transfer networks (EFT). Their history is described in [24,25]; Sienkiewicz [25, p. 2] begins by writing “the origins of the electronic funds transfer (EFT) industry can be traced back to the introduction of the first automated teller machine (ATM) in the mid-1960s. The ATM was able to handle account transfers, accept deposits, and dispense cash using a standard magnetic stripe card and personal identification number (PIN). With the introduction and acceptance of ATMs, U.S. financial institutions entered the era of EFT systems.” The need for growth of EFT is explained by Cox [24, p. 15]: “[the] earliest concern with the payment system was rooted in the fear that growing check volumes posed a threat to the continued satisfactory performance of the system.”
EFT networks combine the transmission means and the payments infrastructure linking consumers, ATMs, merchants, and banks. EFT networks serve two types of EFT transactions
• ATM transactions, and
• Online debit transactions, for example at point of sale (POS) terminals.
EFT networks include the telecommunication connections, the switches routing transaction information to appropriate parties, and computers that store deposit and transaction information. EFT transactions have two basic characteristics; first, they are PIN-based and, second, consumer accounts are immediately debited (funds are immediately transferred from demand deposit accounts). EFT networks in the United States are either regional or national. The three largest regional networks are NYCE, Star, and Pulse. National networks are fewer in number than regional networks; they are distinguished by their national territory, which does not necessarily translate into large size.
The Armed Forces Financial Network is comparable in size to some of the larger regional networks, but its mission of serving the armed forces community leads it to a national geographic territory. Visa and MasterCard operate EFT networks that are truly national. The numbers of ATM Transactions/month for the ten largest ATM Networks are given in Table 2. The second component of the ATM and debit card infrastructure is offline debit card networks. Offline debit card networks are a telecommunications/payments infrastructure linking consumers, merchants, and banks. There are two offline debit card networks, one run by Visa and the other by MasterCard. The physical components of the offline debit network consist of POS terminals and the same communication structure as in ATM networks. Two characteristics distinguish offline debit transactions; first, transactions are signature based and consumer accounts
Table 2 Top 10 ATM networks by number of transactions (monthly transactions)
EFT networks
1985
1990
1995
2000
2001
2002
Star
3,781,051
61,586,816
146,647,389
507,192,813
630,000,000
785,000,000
NYCE
6,700,000
63,759,707
115,097,672
255,650,000
302,553,000
317,680,650
32,145,344
59,355,448
Pulse
11,053,249
Plus-Visa
n.a.
Jeanie
1,467,584
MoneyMaker
1,567,000
Co-op network
n/a.
Presto
1,870,481
156,912,399
187,003,492
277,477,478
n.a.
37,525,000
51,195,000
58,697,000
7,541,790
12,011,000
17,925,000
22,010,000
29,837,000
4,415,000
8,276,077
14,803,376
28,014,400
29,743,000
1,645,000
6,966,218
23,198,225
38,533,307
20,822,293
4,388,276
6,500,000
7,600,000
8,000,000
9,812,000
8,400,000
Shazam
4,225,000
7,379,056
11,132,907
9,508,084
9,723,167
9,437,242
Accel exchange
4,700,000
18,200,000
25,000,000
47,000,000
7,000,000
8,585,500
are debited one or two days after the transaction (a lag before funds are deducted from demand deposit accounts).
The Global ATM Alliance is a joint venture of several major international banks that allows customers of their banks to use their automated teller machine (ATM) card or debit card at another bank within the Global ATM Alliance with no international ATM access fees. Other fees, such as an international transaction or foreign currency fee, may still apply for some account holders. Participating banks cover Australasia, Asia, Europe, Africa, North America and South America. The participating banks include
• Bank of America (United States)
• Barclays (United Kingdom, France, Spain, Portugal, Pakistan, Gibraltar, Ghana, Kenya, and other countries in Africa)
• BNP Paribas (France)
• Banca Nazionale del Lavoro (Italy)
• Deutsche Bank (Germany, Poland, Belgium, India, Spain and Portugal)
• Scotiabank (Canada, Mexico, Chile, Peru, Guyana, and the Caribbean)
• Westpac (Australia, New Zealand, Fiji, Vanuatu, Cook Islands, Samoa, Tonga, Papua New Guinea and Solomon Islands)
5.2 The requirements of PIN-based authentication
The real threat to banking posed by true high-grade encrypted PIN-PAN protected ATM cards comes from the inescapable realization (i) of the exposure if the U-PINs are stored in software at the issuing bank and (ii) that the PIN Derivation Key (PDK) must either
• reside somewhere physically close to the ATM machine, or
• there must be communication between the ATM and the entity storing the PDK.
The existence of many EFTs (national and international) means there are many PDKs and authentication will require translation. The final complication was a success; while the banks were wary of ATMs, it became like hot dogs in the United States, bangers in England and bratwurst in Germany. Individual EFTs could not be counted upon to use the same PDK; thus if ATM cards issued in Fargo (North Dakota) could be used in Grenoble (France), a translation mechanism had to be created.
The physical residence of the PDK might strictly speaking not be necessary. The invention of public key cryptography (PKC) in 1976 has permitted another scenario regarding the nature of the ATM banking process. Together with the Secure Shell (SSH) network protocol, PKC was applied to manage E-Commerce and it provided some security authenticating a credit card holder’s identity. The logon password was transmitted in a transaction after encipherment with a session key47 involving the merchant’s PKC public key. The PKC’s private key would allow the merchant to decipher; the card issuer would decide on acceptance. Alas, PKC is not without warts (called certificates) and appears not to have been adopted en masse by the ATM banking disciples. In Sect. 7, we give some statistics on fraudulent uses and PKC has not proved to be the panacea the inventors believed it to be.
Exposure of the PDK could result in danger of replication of invalid ATM bankcards which could pass verification and cause great exposure to the bank. In the second situation, the messages authorizing authenticity between the PIN’s nest and the ATM must be encrypted. Not only must the different keys used in transmission from a local ATM to the verifying entity’s location be secured, but the encrypted version of
U-PIN, PAN, Date, Amount, Seed
must also contain variable information (seed) to inhibit the replaying of a previous successful message that was once referred to as the midnight attack [26, p. 293].
47 See Sect. 5.8 for the analog in ATM-like transactions.
5.3 The Atalla box
Martin M. Atalla (1924–2009) was born in Egypt and earned the M.S. (1947) and Ph.D. (1949) degrees in mechanical engineering at Purdue University. He worked at Bell Labs and after leaving, co-founded Hewlett-Packard Associates providing them with enhanced solid-state capabilities. In 1973, Atalla founded Atalla Technovations Corporation, to address the security requirements of banking and financial institutions. Atalla realized that if the PIN verification takes place within the confines of a hardware device whose internal results cannot be probed. The Atalla box made the significant improvement in not storing the U-PIN in a table at the issuing bank
User_ID, PAN_ID, U-PIN_ID, (3)
but instead
User_ID, PAN_ID, O-PIN_ID (4)
The construction of the I-PIN or U-PIN from the PDK, PAN and O-PIN is almost certainly not invertible, so that Eq. (4) lessens the exposure by not storing lists of U-PINs (Fig. 4).
Atalla invented the Atalla box, a hardware device used in ATM transactions today.48 The invention is based on the simple rearrangement of the PIN-verifications. Figure 4 from [26, p. 488] depicts the O-PIN verification process. When a customer obtains a Bankcard, the U-PIN is entered, concatenated (||) with the PAN and enciphered with PDK. The O-PIN is derived by the same truncation and decimalization procedure as in the IBM 3624. The differences between the Atalla and IBM 3624 computation are modest, but nevertheless important for the security of ATM transactions.
PAN, PDK → E(PDK, PAN) → I-PIN (IBM 3624 Computations)
PAN, PDK → E(PDK, PAN||U-PIN) → O-PIN (Atalla Computations)
Fig. 4 Atalla PIN verification
48 It was the precursor of what is universally referred to as a Hardware Security Module which will be discussed in more detail starting in Sect. 5.4.
5.4 The hazards of being a PIN
A skimmer is a device made to be affixed to the mouth of an ATM. When a debit card is swiped, the information is recorded. Skimmers have been around for years, of course, but thieves are constantly improving them. They often include tiny video cameras to record the PIN key entry. Until recently most criminals who deployed skimmers had to go through the inconvenient process of extracting PIN numbers from a video49 of the PIN pad when it was entered. Problems with the camera being blocked or discovered would cause many PINs to be lost. One implemented improvement replaced the entire ATM PIN-pad in order to directly save every number entered. Replacing the pad solves the video problem but requires a level of physical access that is rarely possible without being detected.
The entry of the PIN generally takes place at the acquiring bank. This may be a different and possibly more distant location than the (issuing) bank of the customer. When a bank debit card is used for a cash withdrawal, the authentication takes place within the High Security Module (HSM) at the issuing bank; it will be discussed in Sect. 5.6. The EFTs which link these banks may involve encountering many HSMs on the way to the final authorization or denial. For debit cards issued by banks in the Global ATM Alliance, the PIN’s journey may involve many temporary visits to intermediate HSMs.
49 To cut down on fraud, videos of a transaction at an ATM were made. In modern day ATM theft, criminals also use cameras: the ATM has a secret skimmer installed over the card entry slot to steal your card info and a fake panel with a tiny hole for the cell phone camera behind it that might actually capture your PIN number as you’re typing it into the pad.
Table 3 ISO-0, VISA-1, ANSI X9.8 (A) PIN Format (B) PAN Format (C) PIN-Block Format
(A)  0    L    P    P    P    P    P/F  P/F  P/F  P/F  P/F  P/F  P/F  P/F  F    F
(B)  0    L    0    0    PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN
(C)  0    L    P    P    P    P    P/F  P/F  P/F  P/F  P/F  P/F  P/F  P/F  F    F
     ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕
     0    0    0    0    PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN
The rightmost four hex characters of the PAN are truncated
A PIN Entry Device (PED) is the entry point for secure PIN entry and processing. The PED typically consists of a keypad for PIN entry, a display for user interaction, a processor and storage for PIN processing sufficiently secure for the key management scheme used, and firmware. A PED has a clearly defined physical and logical boundary, and a tamper-resistant or tamper-evident shell. A PED Key is an electrically-programmed device, with USB interface, embedded in a moulded plastic body for ease of handling. A PED Key holds a generated secret (transfer) key that enables communication with the HSM. It is loaded into the PED after initialization of the HSM. In the past, PED Security Requirements had been overseen by Japanese Credit Bureau (JCB), MasterCard, and VISA. Now, the PCI Security Standards Council (PCI SSC) will manage the PED Security Requirements for five major global payment brands (American Express, Discover, JCB, MasterCard and Visa), allowing even greater opportunity to standardize data and device security requirements, testing methodology, and approval processes for PIN Entry Devices (PED).
5.5 The format of the PIN
While John Shepherd-Barron envisioned a six-digit PIN, his wife could only remember four digits and this became the most commonly used length. Memorizing a PIN of more than six digits is deemed unsuitable. Switzerland has standardized the six-digit PIN. There are of course standards: ANSI X9.8 [27] and ISO 140-2 [28]. These standards not only define the structure (format) of the PIN but also specify the basic principles and techniques of secure PIN management. The X9.8 format is shown in Table 3 above; each entry is a hex digit (decimal) and
• 0 is the format identifier,
• P is a PIN digit, and
• F is the pad value F = hex (1,1,1,1).
Example 1 50
50 Rightmost 12 digits of PAN excluding check digits.
Sections 5.6–5.7 describe the ATM transaction in which the PIN-Block is super-encrypted on its journey to the authenticating entity, while the PAN and other parameters are only single-encrypted. Why not encrypt just the PIN (Table 3A) rather than the PIN-Block (Table 3C)? The PIN length is between 4 and 6 and there are at most 10^6 different Table 3(A) entries and as many different resulting ciphertexts, possibly amenable to a catalog attack. By combining the PIN with the PAN as in Table 3, we remove this possible weakness and after decipherment, the XORed PIN and PAN can be used to recover the PIN. The ISO-1 (resp. ISO-2, ISO-3) format differs in that its leftmost hex digit is 1 (resp. 2, 3). Additionally, the pad F is replaced (in ISO-1 and ISO-3) by R, a random value depending on the PIN length.
The basic principles of PIN management include:
• PIN management functions shall be implemented in software and hardware in such a way that the functionality cannot be modified without detection, and that the data cannot be obtained or misused.
• The PIN must always be stored encrypted or physically secured.
• Encrypting the same PIN with the same key but for different bank accounts shall not predictably give the same cipher text.
• Security of the PIN encryption shall depend on secrecy of the key, not secrecy of the algorithm.
• Only the customer (i.e. the user of a card) and/or authorized card issuer staff shall be involved with PIN selection or issuing. Where card issuer staff are involved, appropriate strictly enforced procedures shall be used.
• A stored encrypted PIN shall be protected from substitution.
• A PIN shall be revoked if it is compromised, or suspected to be.
• The card issuer shall be responsible for PIN verification, but may delegate that responsibility to another institution.
• The customer shall be advised of the importance of keeping the PIN secret.
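The PIN-block construction of Table 3, and the reason the PIN is XORed with the PAN before encryption, as an added example (not code from the paper or from the standards). The PIN and PANs are constructed sample values; the 4 to 12 digit PIN range is the ISO-0 limit, wider than the 4 to 6 digits discussed above, and the PAN field uses the four leading zeros shown in the bottom row of Table 3(C).

```python
"""ISO-0 / ANSI X9.8 PIN block: build it, undo it, and see why the PAN is mixed in."""

FORMAT_ID = "0"  # leftmost nibble of the PIN field: format identifier
PAD = "F"        # pad nibble, binary 1111


def _is_decimal(value: str) -> bool:
    return value.isascii() and value.isdigit()


def pin_field(pin: str) -> str:
    """Table 3(A): 0 | L | PIN digits | F padding, 16 hex nibbles in all."""
    if not _is_decimal(pin) or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return (FORMAT_ID + format(len(pin), "X") + pin).ljust(16, PAD)


def pan_field(pan: str) -> str:
    """Bottom row of Table 3(C): 0000 followed by the rightmost 12 PAN digits,
    excluding the check digit (the final digit of the PAN)."""
    if not _is_decimal(pan) or len(pan) < 13:
        raise ValueError("PAN must have at least 13 decimal digits")
    return "0000" + pan[:-1][-12:]


def _xor_hex(a: str, b: str) -> str:
    return format(int(a, 16) ^ int(b, 16), "016X")


def make_pin_block(pin: str, pan: str) -> str:
    """Table 3(C): the clear PIN block that is handed to the cipher."""
    return _xor_hex(pin_field(pin), pan_field(pan))


def recover_pin(block: str, pan: str) -> str:
    """After decipherment: undo the XOR with the PAN field and validate the result."""
    if len(block) != 16:
        raise ValueError("PIN block must be 16 hex nibbles")
    field = _xor_hex(block, pan_field(pan))
    if field[0] != FORMAT_ID:
        raise ValueError("not an ISO-0 block, or wrong PAN")
    length = int(field[1], 16)
    pin, pad = field[2:2 + length], field[2 + length:]
    if not 4 <= length <= 12 or not _is_decimal(pin) or set(pad) - {PAD}:
        raise ValueError("malformed PIN field: wrong PAN or corrupted block")
    return pin


def catalog_view(pin: str, pans: list) -> dict:
    """Count the distinct cipher inputs for one PIN used on several accounts.

    A deterministic cipher maps equal inputs to equal ciphertexts, so counting
    distinct clear blocks is enough to show what a ciphertext catalog would see.
    """
    return {
        "distinct_pin_fields": len({pin_field(pin) for _ in pans}),
        "distinct_pin_blocks": len({make_pin_block(pin, pan) for pan in pans}),
    }


if __name__ == "__main__":
    # Constructed sample PANs (not real accounts, check digits not computed).
    pans = ["4000001234567899", "4000009876543219", "4000005555444433"]
    for pan in pans:
        block = make_pin_block("1234", pan)
        print(pan, block, recover_pin(block, pan))
    print(catalog_view("1234", pans))
```

Encrypting only the PIN field would give one ciphertext per PIN across the whole customer base; the PIN block gives a different cipher input per account, which is the principle stated in the third bullet above.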
A customer continues to enter the U-PIN at a keyboard; the PAN and O-PIN are read from the bankcard. Internal to the Atalla box, the same computations carried out during bankcard issuance are made, concluding with a comparison with the O-PIN read from the card. The 1972 Atalla box made the significant improvement in not storing the U-PIN in a table at the issuing bank, but rather the O-PIN.
Customer_ID, PAN_ID, O-PIN_ID
5.6 The high security module (HSM)
As predicted possibly in Proverbs 3:15, the PDK is “more precious than rubies” and must be hidden. Snouffer [29] gives a nice non-technical description of the hardware security module (HSM); it is a black box51 containing a combination of hardware and software/firmware to support verification of ATM as well as other electronic transactions, for example point-of-sale (POS); indeed any financial transaction whose integrity depends on the secrecy of the keys encrypting the authorization. An HSM is
• an attachment to a PC or server;
• is tamper resistant,
• implements cryptographic functions, and
• increases the performance of the entire system.
The HSM cost and performance capabilities dictate that these functions are shared by many customers (PCs) connected by a network.52 Most ATMs are connected to interbank networks, enabling people to withdraw and deposit money from machines not belonging to the bank where they have their accounts or in the countries where their accounts are held (enabling cash withdrawals in local currency). Some examples of interbank networks include NYCE, PULSE, PLUS, Cirrus, AFFN, Interac, Interswitch, STAR, LINK, Mega Link and Banc Net. ATMs rely on authorisation of a financial transaction by the card issuer or other authorizing institution on a communications network. This is often performed through an ISO 8583 messaging system. ATMs typically connect directly to their host or ATM Controller on either ADSL53 or dial-up modem over a telephone line or directly on a leased line.54 Leased lines are preferable to plain old telephone service (POTS) lines because they require less time to establish a connection. Less-trafficked machines will usually rely on a dial-up modem on a POTS line rather than using a leased line, since a leased line may be more expensive to operate than a POTS line. That dilemma may be solved as high-speed Internet VPN connections become more ubiquitous. Common lower-level layer communication protocols used by ATMs to communicate back to the bank include SNA over SDLC, TC500 over ASYNC, X.25, and TCP/IP55 over Ethernet.
FIPS 140-2 [28] specifies the HSM requirements used to accredit vendors; it specifies four levels of accreditation; “Security Level 4 cryptographic modules are useful for operation in physically unprotected environments.” A NIST validation program was started in July 1995. NIST reports in [29] that by January 2001, there were 150 HSMs which were FIPS 140-1 validated from four vendors and the number has nearly doubled each year since its inception. A list of some 140-1 certified vendors in 2001 follows; note that each may offer more than one HSM for sale.
• 3Com Corporation
• Cisco Systems, Inc.
• Dell, Inc.
• Hewlett-Packard Company
• IBM Corporation
• Lucent Technologies
• McAfee
• Microsoft Corporation
• Motorola, Inc
• Oracle Corporation
• QUALCOMM Inc.
• RSA, The Security Division of EMC
• Thales Communications, Inc.
51 In science, computing, and engineering, a black box is a device, system or object which can be viewed in terms of its inputs and outputs (or transfer characteristics), without any knowledge of its internal workings. Its implementation is “opaque” (black).
52 Here’s bank loyalty; even though I once had a mortgage with them, the Bank of America refused to reveal to me even the number of HSMs serving their thirteen branches in Santa Barbara.
53 Asymmetric digital subscriber line.
54 The Norwegian vendor EMC Satcom Technologies is looking up!
55 TCP/IP provides end-to-end connectivity specifying how data should be packetized, addressed, transmitted, routed and received at the destination. This functionality is organized into four abstraction layers which are used to sort all related protocols according to the scope of networking involved. The Transmission Control Protocol (TCP) is a core protocol of the Internet Protocol Suite along with the Internet Protocol (IP). TCP provides reliable, ordered, and error-checked delivery of a stream of octets between applications running on hosts communicating over an IP network. TCP is the protocol that applications including the World Wide Web, email, remote administration and file transfer rely on. Applications that do not require reliable data stream service may use the User Datagram Protocol (UDP), which provides a connectionless datagram service that emphasizes reduced latency over reliability.
Designed specifically for payments applications, payShield 9000™ from Thales e-Security56 is a proven hardware security module (HSM) that performs tasks such as PIN protection and validation, transaction processing, payment card issuance, and key management. It is the most widely deployed payment HSM in the world, used in an estimated 80 % of all payment card transactions. PayShield 9000 ranges in price from $16,200 for 50 tps (transactions per second) to $50,586 for 220 tps. The functionalities implemented in an HSM include
Tamper security terminology
• Tamper Evidence: unauthorized access to the protected object detected using tamper seals, temperature sensors
• Tamper Responsiveness: action taken when an attempt has been detected.
• Tamper Resistance by normal users or others with physical access to the protected object including special seals.
• Components of Tamper Security: opaque epoxy, detection of mechanical and chemical penetration, temperature manipulation, power supply or battery (voltage) variation and detection of physical movement
Data handling
• Data Permanence: Residual representation of digital data that remains even after attempts have been made to remove or erase the data
• Zeroisation: The practice of erasing sensitive parameters (electronically stored data, cryptographic keys, and CSPs) from a cryptographic module to prevent their disclosure if the equipment is captured including
– erasure of sensitive data and secret keys after Tamper Detection
– fast active erasure of all memory containing sensitive data and secret keys
– overwrite of memory: zeroes, random or combination
Internals
• Software/Firmware Updates: Their integrity and authentication including
– Access control: grant access to functions with (time, Number) controls
– Auditing of access
Cryptographic Algorithms
• RSA 1024 bit Private Key operation: 100–7000 operations/second
• ECC 160 bit ECDSA signatures: 250–2500 operations/second
• 3DES: 2–8 Mbytes/second
• AES: 6–40 Mbytes/second (256 bit key)
Key Handling
Each HSM has its own master key (KSK). All sensitive data generated will be encrypted under this KSK before transmission. The value of the KSK will never be stored in the clear outside of the HSM. Its primary purpose is to transfer other keys to a neighboring HSM. This will be required if the acquiring and issuing banks are in different networks.
56 Email from Thales on 3-25-15.
5.7 A PIN’s lengthy trip in an ATM cash withdrawal
Technical details are provided in many different sources and perspectives: from the standards community jPOS [30],57 providers Demaertelaere [31], Hines et al. [32], and the academic evaluators Anderson et al. [33]. They describe
1. secure generation (and entry),
2. secure storage of keys (and backup),
3. security achieved by means of encryption using accelerated cryptographic algorithms of sensitive keys, and
4. (Pseudo)-Random Number Generation capability
The entities involved in a withdrawal request at the Acquiring Bank by a user whose bankcard was issued by the Issuing Bank58 include
1. Acquirer Bank: The bank which has control over and can initialize the ATM.
1a. HSM of the acquiring bank;
1b. ATM of the acquiring bank;
1c. PED of the acquiring bank’s ATM.
2. Issuer Bank:
2a. The HSM of the issuing bank
3. One or more network switches on the EFT connecting the acquirer and issuer.
3a. Switch routing tables
3b. HSMs at these switches (Fig. 5).
Fig. 5 Acquirer/issuer connections
57 JPOS.org provides consulting and information on a variety of open-source, mission-critical enterprise software, based on International Organization for Standardization transaction card originated messages standard (ISO-8583).
58 In 1982, I applied for and received a Visa card issued by the Bank of America which now has thirteen banks in my area. Because of the high costs of an HSM, not each Bank of America branch is an issuing bank.
5.7.1 HSM keys59
There are many keys60 including
• PDK—PIN Derivation Key
• KSK—the storage key associated with a particular HSM; all data leaving the HSM will be encrypted under this KSK.
• KWP—the PIN working key used to encrypt the PIN outside of an HSM
• TMK—the [ATM] terminal master key; local to ATM and its HSM. All sensitive data leaving the ATM is encrypted under this key.
If two HSMs communicate, they
• all share the same KSK, or
• each has knowledge of the other’s communicating KSK.
The devices [HSM, ATM, and PIN-Entry] must have a tamper resistant security module (TRSM) to store any keys.
59 There are 7102 known living languages in the world according to https://www.ethnologue.com/. Fortunately, the number of keys, variables, counters and accoutrements of HSM and DUKPT (Sect. 5.8) is smaller, but philologists are a bit nervous.
60 The keys are referred to in different presentations by other names, for example
PVK: PIN Verification Key ↔ PDK
KEK: Key Encryption Key ↔ KWK
MFK: Master File Key ↔ KSK, TMK.
5.7.2 Transferring the U-PIN to the issuer for authentication
1. The User enters U-PIN, PAN at the Acquirer Bank’s PED.
2. Y1 = E (TMK, U-PIN, PAN, Transaction Request) is sent to the HSM.
3. Knowing TMK, the HSM can obtain Y = U-PIN, PAN, Transaction Request
4. Y2 = E (KWP, Y) is computed at the HSM; the U-PIN is encrypted.
5. Y3 = E (KSK, Y2) is transmitted from the HSM to the HSM at the next switch. 6. Either this or subsequent HSMs share the same KSK or there is a translation61 into the KSK of the next HSM, and so forth until we reach the Issuer Bank’s HSM. 7. The Issuer Bank’s HSM Verifies the authentication and either accepts of rejects the transaction. 8. The answer is relayed back to the Acquirer Bank’s ATM.
• • • •
5.8 DUPKT
5.8.2 IPEK and TK
Derived Unique Key Per Transaction (DUKPT) is not an encryption standard, but a key management scheme. A brief examination of DUKPT’s basic ideas is the subject of this section. It is characterized by the principle
The IPEK on this POS/ATM terminal is initialized by Acquirer Bank (or Issuer of POS device) and is only known by these entities. In generally, the current value of IPEK is derived using a 10 byte field called KSN (Key serial number). This field contains information about the BDK_ID, POS/ATM_ID (unique for each POS/ATM of a particular acquirer) and transaction counter TC (set to all zeros for IPEK derivation). Using these fields IPEK is derived that is used to initialize that HSM. Since each ATM has a unique ATM_ID this IPEK is also unique for each ATM. Different methods can be employed to initialize an ATM. For sensitive data X like the PIN, the transaction key TK is derived combining IPEK and the current value of the transaction counter (TC); X is then encrypted producing Y = E (TK, X). This value Y is sent to Acquirer Bank from a POS terminal. The Acquirer Bank has BDK store inside HSM which was earlier used to derive IPEK. HSM can again derive IPEK using POS_ID and then derive TK using transaction counter and IPEK. HSM has other keys which are shared between acquirer and each other issuer bank.
a unique transaction key is used for every transaction. DUKPT encryption uses a derived transaction key TK, discarded after the transaction. It is used to encrypt ATM, POS and other sensitive electronic commerce transactions. While it can be used to protect information between two commercial entities besides banks, it is typically used to encrypt PIN information acquired by Point-Of-Sale (POS) devices. If a derived key is compromised, revealing its secret, future and past transaction data are still protected since the future or prior keys cannot be determined easily. The derivation of the transaction key uses a fixed master secret key of the HSM; DUKPT is specified in ANSI X9.24 part 1b [34].

DUKPT is the creation of VISA in late 1980, but it did not receive much acceptance. In the 1990s the (POS and ATM) bankcard industry changed and recommended (and later required) that each device have a distinct encryption key. Existing schemes based on HSMs, on the contrary, used a unique HSM-dependent master key to encrypt the PIN. DUKPT solves this problem; while each (POS/ATM) device is still initialized with a distinct key, the initialization key is derived from a different key which an entire family of devices may share. Hence, the recipient of encrypted messages needs only to store one key to support a large number of devices in the field, while simultaneously meeting the unique-key-per-device requirement. We briefly review the principles of DUKPT as given in [35,36].

5.8.1 DUKPT Keys and parameters

• BDK—Base derivation key
• TK—Transaction key
• BDK_ID⁶²
• IPEK—Acquirer’s Initial storage key on ATM/POS device
• POS/ATM_ID
• KSN—Key serial number
• TC—Transaction counter (maintained locally at POS/ATM)
• ZPK—Zone PIN key⁶³
• ZMK—Zone master key⁶⁴
• LMK—Local master key⁶⁵

61 To be discussed in Sect. 5.8.3.
62 A key K consists of an identifier K_ID and a key token; the identifier points to a location in the tamper-resistant device where the key token is stored. There may be many different applications of DUKPT; for example, for exchange of health records, ATM transactions, POS transactions and so forth. DUKPT is a methodology and each application will have its own base derivation key. For a POS transaction, it may be denoted as BDK-POS_ID.
63 The ZPK is used to encrypt the PIN blocks that traverse the network between institutions, aka the working key. DUKPT participants are obligated to change the working key at agreed-upon intervals, typically every 12 h. It is analogous to the HSM’s Pin Working Key (KWP).
64 The ZMK is the key transportation vehicle; the key that the two parties use to encrypt and exchange new ZPKs. This key is established via a key ceremony. You keep a copy of the ZMK encrypted under the LMK in a file somewhere (you’ll see how it’s used here further down this post). Also referred to as the Key Exchange Key (KEK).
65 Used to exchange keys with an HSM.

5.8.3 HSM PIN translate function

HSM Input:
1. Encrypted PIN block Y = E(TK, PIN),
2. BDK_ID,
3. TC
4. Output key identifier ZPK_ID

HSM Output: Z = E(ZPK, Y)

Algorithm:
1. Derive_TK using BDK, POS/ATM_ID, TC
2. Decrypt X = E⁻¹(TK, Y) obtaining the PIN
3. Encrypt PIN again using ZPK obtaining Z = E(ZPK, X)

5.9 The application program interface

An Application Program Interface (API) is a set of routines, protocols, and tools for building software applications. The API specifies how software components should interact; APIs are used when programming graphical user interface (GUI) components. Naturally, cryptographic tasks are among the customers of many APIs, which are packaged by many vendors:

• The Cryptographic Application Programming Interface (aka CryptoAPI, Microsoft Cryptography API, MS-CAPI or CAPI) is an application programming interface included with Microsoft Windows operating systems that provides services to enable developers to secure Windows-based applications using cryptography. It is a set of dynamically linked libraries that isolates programmers from the code used to encrypt the data. The Crypto API was first introduced in Windows NT 4.0 and enhanced in subsequent versions.
• Crypto API is a cryptography framework in the Linux kernel, for various parts of the kernel that deal with cryptography, such as IPSec and dm-crypt. It was introduced in kernel version 2.5.45 and has since expanded to include essentially all popular block ciphers and hash functions.
• Web Cryptography API describes a JavaScript API for performing basic cryptographic operations in web applications, such as hashing, signature generation and verification, and encryption and decryption. Additionally, it describes an API for applications to generate and/or manage the keying material necessary to perform these operations. Uses for this API range from user or service authentication, document or code signing, and the confidentiality and integrity of communications.
As PINs travel along the network from acquirer to issuer, they may have to be processed. An API is the mechanism for invoking the capabilities of the HSM. A remarkable study of cryptographic APIs is given in Chulow’s thesis for the degree Master of Science in Mathematics [37]. He identifies several APIs

• MAC⁶⁶ Generate/Verify
• Key Generate
• Key Part Import
• Key Export/Import
• Key Test (Check Value)
• Encrypt/Decrypt

Abbreviated descriptions of their functionalities are
• key generation: accept encrypted PIN/PAN data from a PED, decrypt (under the PED’s TWK); then encrypt, first under the HSM’s (Pin Encrypting Key) KWP, then under the HSM’s (Key Storage Key) KSK and return;
• translation (key exchange): decrypt and re-encrypt inside an HSM under a different key to be forwarded to the next HSM;
• verification as authentic at the issuer’s HSM;
• key test (check): verifies that O-PIN and U-PIN have decimal values.

There are many more with a variety of names [38]. The HSM-like devices use APIs to implement processing operations. Many API flavors are needed to accommodate countries, standards-making organizations and banking organizations that have proposed a variety of PIN-block formats now standardized in ISO 9564 [39]. In all instances, the PINs have to be formatted into 64-bit blocks for encryption under the 3DES cipher used in the network. The issue is further complicated as some switches are not able to support all known PIN formats. Thus, the translation function might need to reformat messages under newer or older formats accepted by the next switch. When the PIN reaches the issuing bank, its correspondence with the PAN is checked via a verification API. The verification API must accommodate the different PIN block formats that might be supported.

PIN Translate (k_I, k_O, format_I, format_O, PAN_I, PAN_O, EPBl_I, EPBl_O)
• the subscripts I and O refer to the input and output;
• the notation k_I needs clarification; it refers to identifiers of a key⁶⁷ (stored in the HSM);
• EPBl denotes the encryption of the XOR of the PIN-PAN Block as in Table 3;
• all parameters entering and departing are encrypted, their keys dependent on the identity of the HSM inputting the data and the current HSM;
• when the API succeeds, the obtained PIN block is returned in EPBl_O. Otherwise, an error code is returned.

PIN Verify (k_I, k_V, format_I, PAN_I, EPBl_I, v_Data)
• the subscripts I and V refer to the identifiers of the input and verification values; for example, the key of the HSM from which the input arrived and the key of this destination issuer HSM;
• the validation data, v_Data, contains among other parameters, the O-PIN and the decimalization table;
• the U-PIN is recovered by decryption using the PIN block EPBl_I and the (transfer) key referenced by k_I; the true I-PIN is then regenerated using the HSM-resident PIN-generating key PDK and the equality I-PIN = U-PIN ⊕ O-PIN is tested;
• the API returns the result of the verification or an error code.

66 No, not a Big-MAC or a MAC with cheese, but a Message Authentication Code which is used to test authenticity. Chulow writes [37, p. 35] “the MAC Generate call calculates a MAC over the user-supplied data using the given key. The MAC Verify call is used to verify that the data has not been modified. The issuing bank recalculates the MAC and compares it to the supplied MAC thereby confirming the authenticity of the data”.
67 A key consists of an identifier (or handle) and a key token; the identifier points to a location in the HSM where the key token is stored.
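The key hierarchy of Sect. 5.8 (BDK, IPEK, TK) and the three steps of the HSM PIN translate function of Sect. 5.8.3, as an added Python example that is not code from the paper, from ANSI X9.24 or from any HSM vendor. Assumptions: HMAC-SHA256 replaces the key derivation, a toy Feistel cipher replaces 3DES, the KSN field widths are constructed, and the PIN block is the ISO-0 layout (PIN field XOR PAN field).

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes, data: bytes) -> bytes:
    """One-way derivation; HMAC-SHA256 is an assumed stand-in for the TDES steps."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:16]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cipher(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Toy 8-round Feistel cipher on 64-bit blocks, an assumed stand-in for 3DES."""
    def f(i: int, half: bytes) -> bytes:
        return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]
    left, right = block[:4], block[4:]
    if decrypt:
        for i in reversed(range(8)):
            left, right = xor(right, f(i, left)), left
    else:
        for i in range(8):
            left, right = right, xor(left, f(i, right))
    return left + right

def make_ksn(bdk_id: bytes, device_id: bytes, tc: int) -> bytes:
    """10-byte KSN = BDK_ID (3) | POS/ATM_ID (4) | TC (3): a constructed layout."""
    return bdk_id + device_id + tc.to_bytes(3, "big")

def derive_ipek(bdk: bytes, ksn: bytes) -> bytes:
    return kdf(bdk, b"IPEK", ksn[:7] + bytes(3))    # TC set to all zeros

def derive_tk(ipek: bytes, ksn: bytes) -> bytes:
    return kdf(ipek, b"TK", ksn[7:])                # IPEK combined with current TC

def pan_field(pan: str) -> bytes:
    return bytes.fromhex("0000" + pan[-13:-1])      # 12 digits left of the check digit

def pin_block(pin: str, pan: str) -> bytes:
    """ISO-0 block: (0, L, PIN digits, F padding) XOR (0000, PAN digits)."""
    return xor(bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F")), pan_field(pan))

def pin_from_block(block: bytes, pan: str) -> str:
    nibbles = xor(block, pan_field(pan)).hex()
    return nibbles[2:2 + int(nibbles[1], 16)]

class Terminal:
    """POS/ATM: holds only its own IPEK and a local transaction counter."""
    def __init__(self, bdk_id: bytes, device_id: bytes, ipek: bytes):
        self.bdk_id, self.device_id, self._ipek, self.tc = bdk_id, device_id, ipek, 0

    def encrypt_pin(self, pin: str, pan: str):
        self.tc += 1
        ksn = make_ksn(self.bdk_id, self.device_id, self.tc)
        tk = derive_tk(self._ipek, ksn)              # used for this transaction only
        return ksn, cipher(tk, pin_block(pin, pan))  # (KSN, Y = E(TK, X))

class AcquirerHSM:
    """Keys are addressed by identifier; the key tokens stay inside the object."""
    def __init__(self, keys: dict):
        self._keys = dict(keys)

    def initial_key(self, bdk_id: bytes, device_id: bytes) -> bytes:
        """IPEK to be loaded into one terminal when it is initialized."""
        return derive_ipek(self._keys[bdk_id], make_ksn(bdk_id, device_id, 0))

    def pin_translate(self, y: bytes, ksn: bytes, zpk_id: str) -> bytes:
        tk = derive_tk(derive_ipek(self._keys[ksn[:3]], ksn), ksn)  # 1. derive TK
        x = cipher(tk, y, decrypt=True)                              # 2. X = E^-1(TK, Y)
        return cipher(self._keys[zpk_id], x)                         # 3. Z = E(ZPK, X)
```

The acquirer stores one BDK per device family and recomputes each terminal's keys from the KSN that accompanies the encrypted block; the clear PIN block exists only inside `pin_translate`.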
6 What went wrong?

Over two decades ago, Anderson [22] reviewed the misfortunes of the ATM design policies. A considerable part of the difficulty was the inexcusable lack of oversight by the banks:
• the same PINs issued to all customers,
• PINs written in the clear on the bankcard,
• on-line transactions in which the PIN is transmitted in the clear, and
• careless PIN storage at the bank.

There are many insider attacks; there will always be theft in any organization and this may account for some losses. The introduction of hardware security modules to protect the PIN Derivation Key (PDK) might have seemed the solution, but problems persisted. In a triumph for the advancing technical competency of members of Evil Incorporated, Google News reported thieves attaching special devices to the ATM: one black box assault, in which criminals gain physical access to the ATM unit. From there, the attackers are able to disconnect the ATM’s cash dispenser from its controlling computer and then reconnect it to their own computer. It became possible to issue commands forcing the dispenser to spit out cash. This is unlikely to occur in broad daylight at my State Street Santa Barbara Bank of America ATM; they work while I snooze. Examples like this cannot explain the real problems of fraud.

Very incisive comments are made in Chulow’s MS Thesis in Mathematics; he writes [37, p. 85] “... real world systems should be following standard industry best practices that, if implemented correctly and enforced, should limit a potential hacker’s ability to perform such attacks.” In [37, p. 86], Chulow asks “what went wrong?” and offers several reasons.
• “Firstly, it is clear that a number of functions were just badly thought out and are insecure.
• Secondly, individually secure functions were added to the API in a manner to make the entire system insecure.
• Finally, the absence of a single standard, to which everyone completely adheres, contributed to the complexity of the system.”

In the United States at least, the discovery of systematic incompetence requires the identification of the villain and the punishment of the guilty party or parties. Who can these ATM villains be? In political crimes, we naturally turn our focus on the governing bodies. Perhaps, they are also secreted at 10 Downing Street or 1600 Pennsylvania Avenue? In some sense, the villains are the users of ATMs. Since ATMs are successful, the users are the guilty party; there were 124 billion debit card and 67 billion credit card transactions in 2011. In Sect. 7.0, I give the loss rate of about 0.05 %, two-thirds of the corresponding credit card fraud rate. In addition to the explanations offered by Chulow, behind the defects in the design of APIs was the need to
• accommodate different vendors,
• reconcile various banking practices throughout the world,
• different customers want different functionality from the same product, and
• the absence of a central authority; I believe the International Standards Organization (ISO) and the American National Standards Institute are unqualified for this task and inappropriate for this role.⁶⁸

There is no effective mechanism in mathematics which, given a protocol, is capable of answering the question “are there any possible attacks?” I will describe the extremely clever attacks due to flaws in the authentication mechanism. They were discovered not by industry RSA [38], IBM [21]; not by standards-making entities ISO [39], ANSI [27], or the PCI⁶⁹ [40]; not by those providing ATM services VISA [41] or MasterCard [42] and certainly not by my government NIST [20,28]. They were discovered by academics in various parts of the world.

68 When I worked at IBM Research Center (a location which the distinguished American cryptographer A. A. Albert called IBM’s intellectual playground) I used to believe that “those who can, do research, while, those who cannot, teach.” Perhaps, I was influenced as an amateur musician by Woody Allen who said “those who can’t do [research], teach. And those who can’t teach gym.” Of course, when I came to UCSB, it was necessary to modify my paradigm; I replaced teaching with standards making entities.
69 Payment Card Industry (PCI), Security Council Standards.

6.1 The decimalization attack

A four-digit PIN can be verified using the PIN_Verify API. Its input consists of the encrypted PIN Block (EPBl), the O-PIN, PAN and D-TAB. The verification consists of the following steps:
1. EPBl is deciphered yielding PBl.
2. PBl ⊕ PAN gives the presumptive U-PIN.
3. The true I-PIN is computed using the PAN and the D-TAB.
4. The equality I-PIN = U-PIN ⊕ O-PIN is tested.

In the original Bond and Zelinski [43] decimalization PIN attack, the authors point out that the API Clear_PIN_Encrypt will derive the corresponding encrypted EPBl block from any PAN and test U-PIN*. Therefore, the secret U-PIN can be determined with at most 10⁴ calls. Several papers [37,44,45] improve upon trial and error and the very clever 2003 original Bond and Zelinski [43] decimalization PIN attack. All of the attacks depend on the need for the PIN_Verify API to accommodate ATM diversity in the banking world. They permit as input an arbitrary decimalization table (D-TAB) other than the standard one shown previously in Table 1. Focardi et al. [44] observe that these are differential attacks [45,46], meaning they involve estimating digits in the secret quantity (for example, the U-PIN) by examining the effect of parameters to the API commands. Since HSMs are located within the premises of a bank, this attack requires the ability to issue API commands, not very likely for the average bloke or perp. The Bond–Zelinski attack and several of those that improved on it first determine the digits in the U-PIN and then the U-PIN (Tables 4, 5).

Table 4 D-TAB excluding 0
0 1 2 3 4 5 6 7 8 9 A B C D E F
1 1 2 3 4 5 6 7 8 9 1 1 2 3 4 5

Table 5 D-TAB excluding 1
0 1 2 3 4 5 6 7 8 9 A B C D E F
0 0 2 3 4 5 6 7 8 9 0 0 2 3 4 5

Example 2 My wife decides to replace her U-PIN with 0936, connected with her date of birth, against my advice. She selects her U-PIN to be 0936 so that

I-PIN = O-PIN + U-PIN   (5a)
1234 = O-PIN + 0936   (5b)
O-PIN = 1308 = 1234 − 0936   (5c)

The Bond–Zelinski attack first determines which digits occur in O-PIN. It evaluates the PIN_Verify API supplying the parameters
1. encrypted PIN Block (E-PIN-Block),
2. PAN,
3. O-PIN, and
4. uses the modified decimalization table D-TAB.

The result is free of error and we conclude that 0 is not one of the digits of the I-PIN. The process is repeated with a different modification of D-TAB. The I-PIN is still 1234 since we have determined that 0 is not a digit appearing in it. The error code is returned since the digit 1 occurs in the I-PIN while the decimalization table converts it to 0. Continuing in this manner, at most ten tests determine that the I-PIN contains some arrangement of the digits 1, 2, 3 and 4. More generally, the I-PIN may be of the following form:

α α α α (1)    α α α β (4)    α β β β (4)    α α β β (6)
α α β γ (12)   α β β γ (12)   α β γ γ (12)   α β γ δ (24)
where α, β, γ and δ denote distinct integers and the integer (n) is the number of trials needed to identify the integers. The Bond–Zelinski attack [43] to identify the digits in the U-PIN requires on the average 15.4 trials. Steel [45] improved the attack to 16.145 and Focardi et al. [44] still further to 13.463. It remains to test the arrangement of the digits.

6.2 The law of unintended consequences⁷⁰

Chulow [37] describes another attack to determine the four (or six) digits of the U-PIN. They employ a simple, seemingly innocuous integrity check of a U-PIN, which determines if all of its digits have (as intended) decimal values in 0, 1…9, showing how it can be manipulated to reveal the four (or six) digits of the U-PIN. The PIN Verify API with an input consisting of the PAN, EPBl, D-TAB and O-PIN performs an intermediate step, a PIN Check (or Test) API. It tests the integrity of the four (or six) digits of the U-PIN obtained by
1. deciphering EPBl → PBl followed by
2. an XOR with the PAN, thereby obtaining the presumptive U-PIN.

An error is signaled if any of its digits are not resident in the set of values 0, 1…9; either the PAN or EPBl is defective or the key is not correct. Bond refers to this as a PIN Integrity Check Protocol and shows how it leaks all but the first two U-PIN digits. Consider repeating the integrity test with inputs
• EPBl,⁷¹ D-TAB and O-PIN constructed from the true PAN, but
• supplying as an input a possibly different PAN, say, PAN*.

All but the first two hex-digits of the U-PIN value are obtained from the ⊕ of the true PAN and the PIN-Block, PBl. Assuming that the PIN length is four, the integrity check recovers

U-PIN* = (UP0, UP1, UP2*, UP3*)   (6a)
U-PIN = (UP0, UP1, UP2, UP3)   (6b)

which we may write with a slight abuse of notation

(UP2*, UP3*) = PAN ⊕ PAN*   (6c)

It is recognized in [48] that the integrity test can be manipulated to obtain all but the first two hex-digits. Even if PAN ≠ PAN*, the test will succeed if and only if UPi* remains a decimal digit for i = 2, 3; when the integrity test fails, it will leak the value of (UP2, UP3).

Example 2 (Continued) Knowing that 0, 9, 3 and 6 are the digits of U-PIN, we may choose PAN* = (0)64 which fails the test and increase PAN* in steps of 1 until the test succeeds. This gives the rightmost two digits. Bond and Chulow observe the unintended consequences, writing “it was not necessarily the explicit intention of the authors of the ISO-0 standard to create this protocol, but it results as a consequence.” It reminds me of the song made popular by the Mills Brothers entitled “you only hurt the one you love!”

70 The idea of unintended consequences dates back at least to John Locke who discussed the unintended consequences of interest rate regulation in his letter to Sir John Somers, Member of Parliament. The idea was also discussed by Adam Smith, the Scottish Enlightenment. In the twentieth century, the sociologist Robert K. Merton popularized this concept.
71 Assumed to be in ISO-0 (Visa 1) format.

6.3 Change-format attack

This attack is described in Chulow [37] and in Steel [45]; Chulow shows that the format translation API, combined with the PIN Check, may be tricked into revealing PIN values. If the Visa-3 format (Table 6) were used for the PIN-Block in place of the Visa-3 format (Table 3), the Change-Format attack yields the PIN-Block in Table 7 with L* = L + 2.

Table 6 VISA-3 PIN-BLOCK format
4    L    P    P    P    P    P/F  P/F  P/F  P/F  P/F  P/F  P/F  P/F  F    F
⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕
0    0    0    0    PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN

Table 7 Translated VISA-3 PIN-BLOCK format
4    L*   0    L    P    P    P    P    P/F  P/F  P/F  P/F  P/F  P/F  P/F  P/F
⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕    ⊕
0    0    0    0    PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN  PAN

Note that the U-PIN has been replaced by U-PIN* = (0, L, U-PIN), the shift now exposing the previous leftmost two U-PIN digits. But there is a minor complication; the rightmost U-PIN is signaled by hex F, and the PIN Check and the PAN may have to be carefully chosen as input. For simplicity, suppose L = 4; Chulow argues that if PAN = (0,0,0,0,0,q), then the leftmost five hex characters of PBl ⊕ O-PIN ⊕ PAN (including the two undetermined U-PIN digits sought) are certainly decimal. The next hex character P* may result in three possible outcomes:
1. 0 ≤ P* ≤ 9 (PIN Test Succeeds)
2. 10 ≤ P* ≤ 14 (PIN Test Fails); try a different value of q.
3. P* = F = (1, 1, 1, 1) (PIN Test Succeeds), truncating the U-PIN to three decimal digits but exposing the two previously hidden ones.

When the test succeeds, use the API PIN Test as in Sect. 6.3, allowing us to identify all digits of the U-PIN.
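Why the caller-supplied D-TAB of Sect. 6.1 matters to an HSM operator, as an added Python example that is not code from the paper or from any HSM: it models PIN_Verify with the digit-wise arithmetic of (5a)–(5c), measures which I-PIN digits the pass/fail answers disclose under the modified tables of Tables 4 and 5, and repeats the measurement against a variant that accepts only its configured table. `ToyHSM`, `pin_verify_pinned` and the HMAC-SHA256 stand-in for encryption under the PDK are assumptions.

```python
import hashlib
import hmac

STANDARD_DTAB = "0123456789012345"   # hex digit h is mapped to STANDARD_DTAB[h]

def natural_pin(pdk: bytes, pan: str, dtab: str, length: int = 4) -> str:
    """I-PIN: keyed function of the PAN, then hex digits mapped through D-TAB.
    HMAC-SHA256 is an assumed stand-in for the 3DES encryption under the PDK."""
    hexdigits = hmac.new(pdk, pan.encode(), hashlib.sha256).hexdigest()[:length]
    return "".join(dtab[int(h, 16)] for h in hexdigits)

def add_digits(a: str, b: str) -> str:
    """Digit-wise sum mod 10, as in (5a): I-PIN = O-PIN + U-PIN."""
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))

def sub_digits(a: str, b: str) -> str:
    """Digit-wise difference mod 10, as in (5c): O-PIN = I-PIN - U-PIN."""
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))

class ToyHSM:
    """Hypothetical model of the verification API; PIN-block encryption is
    omitted, so u_pin stands for the EPBl that a caller cannot read."""

    def __init__(self, pdk: bytes):
        self._pdk = pdk

    def issue_offset(self, pan: str, u_pin: str) -> str:
        return sub_digits(natural_pin(self._pdk, pan, STANDARD_DTAB), u_pin)

    def pin_verify(self, pan: str, u_pin: str, o_pin: str, dtab: str) -> bool:
        """As described in Sect. 6.1: any caller-supplied D-TAB is accepted."""
        return natural_pin(self._pdk, pan, dtab) == add_digits(u_pin, o_pin)

    def pin_verify_pinned(self, pan: str, u_pin: str, o_pin: str, dtab: str) -> bool:
        """Assumed restriction: only the table configured in the HSM is allowed."""
        if dtab != STANDARD_DTAB:
            raise ValueError("decimalization table not permitted")
        return self.pin_verify(pan, u_pin, o_pin, dtab)

def dtab_excluding(digit: str) -> str:
    """Tables 4 and 5: every entry equal to `digit` is replaced (0->1, else ->0)."""
    return STANDARD_DTAB.replace(digit, "1" if digit == "0" else "0")

def digits_disclosed(verify, pan: str, u_pin: str, o_pin: str) -> set:
    """Digits of the I-PIN that pass/fail answers alone disclose to a caller."""
    disclosed = set()
    for d in "0123456789":
        try:
            ok = verify(pan, u_pin, o_pin, dtab_excluding(d))
        except ValueError:
            continue          # rejected before any comparison: nothing disclosed
        if not ok:            # the result changed, so d occurs in the I-PIN
            disclosed.add(d)
    return disclosed

def demo():
    hsm = ToyHSM(b"constructed demo PDK")
    pan, u_pin = "4000001234567899", "0936"   # constructed PAN; U-PIN of Example 2
    o_pin = hsm.issue_offset(pan, u_pin)
    open_api = digits_disclosed(hsm.pin_verify, pan, u_pin, o_pin)
    pinned_api = digits_disclosed(hsm.pin_verify_pinned, pan, u_pin, o_pin)
    return open_api, pinned_api

if __name__ == "__main__":
    print(demo())
```

With the open API the disclosed set equals the set of digits of the I-PIN; with the pinned table it is empty, while verification against the configured table still succeeds.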
6.4 The three key 3DES attack

Cum deficerent gigantes.⁷²

Coppersmith [46] and Bilham and Shamir [47] described differential cryptanalysis: attacks on encipherment algorithms which make use of how differences in the input information can affect the resultant difference at the output. A related key attack is another variant of cryptanalysis where the operation of the encipherment is observed under different keys; Kelsey et al. [49] have shown how it can be used for 3DES. We explain the attack following Chulow’s presentation [37, p. 38]. Let k1 and k1* = k1 + be 56-bit keys and K1 and K2 be the 112-bit 3DES keys

K1 = (k1, k2, k3),   K2 = (k1*, k2, k3),   k1* = k1 ⊕ ,   (7)

For plaintext X compute Y = 3DES(K1, X)

Y = DES(k3, DES⁻¹(k2, DES(k1, X)))   (8a)

and Y* = 3DES⁻¹(K2, Y)

Y* = DES⁻¹(k1*, DES(k2, DES⁻¹(k3, Y)))   (8b)

Then

Y* = DES⁻¹(k1*, DES(k1, X))   (8c)

independent of k2 and k3. If is known, the complexity of finding K1 is O(2⁵⁶). While the assumptions including a known might be questionable, Bond [50,51] settled any debate in attacking the IBM Common Cryptographic Architecture (CCA) API of the IBM 4758, which Wikipedia described as:

The IBM 4758 PCI Cryptographic Coprocessor is a secure cryptoprocessor implemented on a high-security, tamper resistant, programmable PCI board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed.
IBM withdrew from marketing the IBM 4758 PCI Cryptographic Coprocessor, effective March 31, 2005.

72 According to Google translate, “when Giants fall!”

6.5 The bottom line

The successful attacks on the PIN–PAN authentication of an ATM transaction seem to require both access to a hardware security module (HSM) and the capability to execute some APIs. While I have a Bank of America VISA ATM-CARD, it is highly unlikely that I can get any access to any of their HSMs. The fruitful attacks outlined by Bond and Chulow would seem to be limited to insiders. Various researchers have proposed security improvements, which may or may not be beneficial. Whatever remedies are to be made should be based on several general principles:
• No additional demands will be made on ATM bankcard users; there are too many ATM cards in circulation to do otherwise.
• No new APIs should be introduced as there is more than enough functionality available. Indeed as several papers suggest, too many.
• There should be only minimal changes to existing APIs to hopefully remove opportunities for misuse.
• API changes and their effects on HSM must be mandatory and imposed by denying FIPS 140 certification to recalcitrant vendors, otherwise.⁷³
• The ATM software will need to be modified in accordance with and in support of the API/HSM functionality changes.

I suggest researching modifications to APIs to make the known attacks now impossible to carry out.⁷⁴ Certification by FIPS and the benefit to the providers will be both the carrot and the stick. It is crucial and non-trivial to identify minimal effective changes to APIs in order to (i) not interfere with their needed tasks, but (ii) lessen the possible misuse of them to improperly strip away the secrecy an HSM is intended to achieve.

73 Normally I would never propose letting a governmental agency decide anything, but I do not see any viable alternative.
74 Perhaps, I should be more circumspect, adhering to Gilbert and Sullivan’s advice writing “well, hardly ever!”

7 CODA

The Computer Laboratory at Cambridge University (England) has a well-earned reputation for technical excellence in research and teaching. Andrew Hopper CBE FRS, FREng FIET is the Professor of Computer Technology, the Head of the University of Cambridge Computer Laboratory and an Honorary Fellow of Trinity Hall and Corpus Christi College, Cambridge.⁷⁵ Its faculty⁷⁶ includes Ross Anderson, a 1978 graduate of Cambridge’s Trinity College, who perceptively observed that ATMs were the killer application that got cryptography into the commercial sector. This faculty has published many outstanding analyses of the vulnerabilities of ATM banking, as currently implemented, and of some enhancements being considered. I find no fault in either their direction or emphasis and am an admirer of their technical achievements. However, let us examine the ATM exposures in perspective. A 2013 Federal Reserve System report [52] states that in 2012, there were:
• 5.8 billion ATM cash withdrawals in the US, and
• the total value of all ATM transactions in 2012 was $0.67 trillion.

What is the burden imposed by ATM fraud? The same report shows that in 2012, there were:
• 1.3 million unauthorized fraudulent ATM withdrawals,
• the average value of fraudulent ATM transactions was $217, and
• the total value of fraudulent ATM transactions was $0.3 billion, a loss rate of less than 0.05 %.

Of course, a billion here, a billion there and before long, you cannot get a free toaster when you open a bank account. Of course, credit, debit and prepaid cards present a more serious problem.⁷⁷ The same Magnum Opus shows that in 2012:
• there were 122.8 billion total card (credit/debit/prepaid) transactions,
• the total value of all transactions was $78.96 trillion,
• the total number of fraudulent card transactions was 31.1 million, and
• the value of all fraudulent card transactions was $6.1 billion, a loss rate of about 0.075 %.

Several observations: the attacks on ATM cards are largely a consequence of the difficulty of evaluating all weaknesses in their implementing protocols and they require insider access. Credit card losses result from either the actual loss (by mislaying or theft) or the careless revealing of information. Also, if they are used for illegal purchases and the holder notifies the issuing bank, federal law limits your liability for unauthorized charges and the owner is off the hook.

75 Cambridge University consists of 31 colleges founded between the 13th and 20th centuries, but most before 1596. I am a great fan of age!
76 The Computer Laboratory is an academic department within Cambridge University that encompasses Computer Science, along with many aspects of Engineering, Technology and Mathematics. It consists of 41 academic staff, 29 support staff, 5 research fellows, 81 postdoctoral research workers and 119 PhD students. They have over 300 undergraduates studying for Part I, II and III of the Computer Science Tripos and 36 graduate students studying for the M.Phil in Advanced Computer Science.
77 The password (PW) and User_ID which I enter when first establishing a secure html connection to Vendor.com via SSL/TLS are not only chosen by me, but the PW is not related to the User_ID. Having authenticated myself, I use my credit card without any additional security-based hurdles to climb. This is not the case in an ATM/POS transaction where the two tokens (PAN and PIN) are related.

Acknowledgments I am in the debt of many people and wish to acknowledge with thanks their help; first, to the three current octogenarians who participated in the creation of the ATM machine.
• James Goodfellow
• Geoffrey Constable
• Donald C. Wetzel

I located Mr. Wetzel’s postal address in a Google search, snail-mailed him a letter and he returned the call. My new English acquaintances were introduced to me by a new friend Bernardo Batiz-Lazo who has written extensively about the history, evolution and economics of the ATM. Finally, my thanks to Devesh Tiwari of Gemalto.com, who was kind enough to explain some technical points.

References
1. Bellis, M.: Automatic Teller Machines—ATM. http://inventors.about.com/od/astartinventions/a/atm.htm/
2. McRobbie, L.R.: The ATM is dead. Long live the ATM! smithsonian.com, pp. 1–11 (January 8, 2015)
3. Miller, A.: Who invented the ATM machine? http://www.atminventor.com/
4. Campbell-Kelley, M.: John Sheperd-Barron Obituary. In: The Guardian (May 23, 2010)
5. Bátez-Lazlo, B., Reid, R.J.K.: The development of cash dispensing technology in the UK. IEEE Ann. Hist. Comput. 33(3), 32–45 (2011)
6. Bátez-Lazlo, B., Reid, R.J.K.: Evidence from the Patent Record on the Development of Cash Dispensing Technology History of Telecommunications Conference, pp. 110–114 (2008)
7. Shimjian, L.G.: US Patent # 3,039,58. Subscriber controlled apparatus (April 9, 1959)
8. Simjian, L.: US Patent 3,038,157. Deposit exchange machine including image recording means, pp. 1–14 (Filed February 26, 1960)
9. Davies, A.I.O., Goodfellow, J.: US Patent 3,905,461. Access control equipment, pp. 1–8 (Filed May 1, 1967)
10. Constable, G.E.P.: US. Patent 3,673,571. Credit-and access-control equipment, pp. 1–7 (Filed November 17, 1970)
11. Constable, G.E.P.: US. Patent 3,892,948. Accesses or transaction control equipment, pp. 1–10 (Filed February 23, 1973)
12. Allison, D.K.: NMAH interview with Mr. Don Wetzel, pp. 1–30. http://americanhistory.si.edu/comphist/wetzel.htm#B (September 21, 1, 1995)
13. Kansas City Federal Reserve: A guide to the ATM and debit card industry, pp. 1–140. https://www.kansascityfed.org/publicat/PSR/BksJournArticles/ATMPaper.pdf (2003)
14. Langford, S.: PIN Security: Management and Concerns. In: 1st CACR Information Security Workshop Secure Provision of Cryptographic Services Centre for Applied Cryptographic Research (CACR) University of Waterloo, Waterloo, Ontario, Canada (November 24, 1998)
15. Konheim, A.G.: The impetus to creativity (to appear in Cryptologia) (October 2015)
16. Konheim, A.G.: The early life of Horst Feistel (to appear in Cryptologia) (January 2016)
17. Feistel, H.: Cryptography and computer privacy. Sci. Am. 228(5), 15–23 (1973)
18. Smith, J.L.: US Patent #3,796,830. Recirculating block cipher cryptographic system (Filed November 1971)
19. Sorkin, A.: LUCIFER: a cryptographic algorithm. Cryptologia 8(1), 22–41 (1984)
20. National Bureau of Standards: Federal Information Processing Standards Publication 46–1, “Data Encryption Standard (DES)”, National Bureau of Standards, January 22, 1988; superseded by Federal Information Processing Standards Publication 46–2, December 30, 1993, and reaffirmed as FIPS PUB 46–3, October 25, 1999
21. IBM Corporation z/OS Cryptographic Services ICSF Application Programmer’s Guide: IBM PIN Algorithms SA22-7522-16b
22. Anderson, R.: Why cryptosystems fail. In: Proceedings of the 1993 ACM conference on computer and communication security. 37(11), pp. 33–40 (1993)
23. Arthur, C.: How ATM Fraud Nearly Brought Down British Banking: Phantoms and Rogue Banks, pp. 1–9. http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/ (2005)
24. Cox, E.B.: Developing an Electronic Funds Transfer System: Incentives and Obstacles, pp. 15–45. https://www.bostonfed.org/economic/conf/conf13/conf13c.pdf (1974)
25. Sienkiewicz, S.: The Evolution of EFT Networks from ATMs to New On-Line Debit Payment Products Workshop of the Payment Cards Center of the Federal Reserve Bank of Philadelphia on the evolution of the electronic funds transfer (EFT) industry, pp. 1–12. http://philadelphiafed.org/consumer-credit-and-payments/payment-cards-Center/publications/discussion-papers/2002/EFTNetworks_042002 (June 2001)
26. Konheim, A.G.: Cryptography: Primer. Wiley, New York (1981)
27. American National Standards Institute: ANSI X9.8-1:2003 Banking–Personal Identification Number Management and Security—Part 1: PIN protection principles and techniques for online PIN verification in ATM & POS systems
28. National Institute of Standards: Federal Information Processing Standards Publication 140-2. Security requirements for cryptographic modules. May 25, 2001; updated December 3, 2002
29. Snouffer, R., Lee, A., Oldehoeft, A.: A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140–1 and FIPS 140–2. NIST Special Publication 800-29, pp. 1–291 (June 2001)
30. Jpos.org: Some HSM basics and how they work. http://jpos.org/wiki/HSM_basics. September 24 (2005)
31. Demaertelaere, F.: Hardware security modules. Atos worldwide, pp. 1–53. http://secappdev.org/handouts/2010/Filip%20Demaertelaere/HSM.pdf (2010)
32. Hines, L., Hopkins, D., Kalibjian, J., Langford, S., Wierenga, S.: Hardware Security Module Use in Banking and Electronic Commerce Applications. Hewlett Packard Corporation http://www.openmpe.com/cslproceed/HPW04CD/papers/3327.pdf (2004)
33. Anderson, R., Bond, M., Clulow, J., Skorobogatov, S.: Cryptographic processor—a survey. Cambridge University Computer Laboratory Technical Report #641, pp. 1–19 (August 2005)
34. American National Standards Institute: ANSI X9.24-1: Retail financial services symmetric key management part 1: using symmetric techniques (10/13/09)
35. Tiwari, D.: How ATM plastic PIN money works. http://deveshtiwari.blogspot.com/ (2005)
36. Marvis.com: Derived unique key per transaction, DUKPT. www.maravis.com/library/derived-unique-key-per-transaction-dukpt/ (June 2009)
37. Chulow, J.: The design and analysis of cryptographic application programming interfaces for security devices. Master of Science in Mathematics Dissertation, University of Natal, Durham (South Africa) (2003)
38. RSA Laboratories, PKCS #11: Cryptographic Token Interface Standard, Version 2.2, pp. 1–407 (June 2004)
39. International Standards Organization: ISO 9564, ISO 9564— Banking Personal Identification Number Package (ISO 9564-1 (Banking) 2002; ISO 9564-3 (Banking) 2003; ISO 9564-4 (Banking) 2004; ISO 9564-1 (Financial) 2011; ISO 9564-2 (Financial) 2012)
40. Payment Card Industry (PCI): Security Council Standards Hardware Security Module (HSM) Security Requirements Version 1.0, pp. 26 (April 2009)
41. Visa.com: Visa Best Practices for Tokenization Version 1.0, pp. 1–4. http://usa.visa.com/download/merchants/tokenization_best_practices.pdf (July 2010)
42. MasterCard: Transaction Processing Rules. In: Cryptographic Algorithms and Their Uses, Eracom Workshop 2004, 11 December 2014, pp. 1–246 (2004). http://www.mastercard.com/us/merchant/pdf/TPR-Entire_Manual_public.pdf
43. Bond, M., Zelinski, P.: Decimalisation Table Attacks for PIN Cracking. Cambridge University Computer Laboratory Technical Report #540, pp. 1–14 (2003)
44. Focardi, R., Luccio, F., Steel, G.: Blunting differential attacks on PIN processing APIs. In: Proceedings NordSec ’09 Proceedings of the 14th Nordic conference on secure IT systems: identity and privacy in the internet age, pp. 88–103 (2009)
45. Steel, G.: Formal analysis of PIN block attacks. Theor. Comput. Sci. 367(1–2), 257–270 (2006)
46. Coppersmith, D.: The Data Encryption Standard (DES) and its strength against attacks. IBM J. Res. Dev. 38(3), 243–250 (1994)
47. Bilham, E., Shamir, A.: Differential Cryptanalysis of DES-Like Cryptosystems Advances in Cryptology—CRYPTO ’90. Springer-Verlag, Berlin (1990)
48. Bond, M., Chulow, J.: Encrypted? Randomized? Compromised? Cryptogr. Algorithms Uses Eracom Workshop 2004, 140–151 (2004)
49. Kelsey, J., Schneier, B., Wagner, D.: Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and triple-DES. International cryptology conference—CRYPTO, pp. 237–251 (1996)
50. Bond, M.: Extracting a 3DES key from an IBM 4758. http://www.cl.cam.ac.uk/~rnc1/descrack/
51. Bond, M.: Attacks on cryptoprocessor transaction sets. In: Proceedings of the CHES 2001 workshop, Paris 2001, pp. 220–234. Springer Verlag LNCS 2162 (2001)
52. Federal Reserve System: The 2013 Federal Reserve Payments Study, pp. 1–43. https://www.frbservices.org/files/communications/pdf/research/2013_payments_study_summary.pdf (December 19, 2013)
Alan G. Konheim attended the Polytechnic Institute of Brooklyn, receiving a B.E.E. in 1955 and an M.S. (Mathematics) in 1957. After receiving his Ph.D. in Mathematics at Cornell University in 1960, he joined the Mathematical Sciences Department at the IBM Yorktown Research Center. In 1982, seeking a sunnier climate, he left IBM to join the faculty of the Computer Science Department at the University of California in Santa Barbara. As Nelly Furtado’s song explains, “all good things come to an end”, and Alan Konheim became Professor Emeritus in 2005.