The most insecure banking/sales terminal

14/07/08

01:07:13 am, by Igor Drokov, in Security thoughts, Online payments, Internet banking

Can you imagine an ATM running Windows XP Home Edition and connected to the Internet, or a Point of Sale terminal running Tetris? – Unlikely! Why, then, is allowing a customer to use any computer on the Internet to connect to the banking system, and transfer far more money than you can take out of a cash machine, a good idea? Why did arguably the most conservative organisations in the world – the banks – agree to lower their defences so far that they practically invited the criminals in?

The answer is simple – the same reasons why even risk-averse investors were chasing after every Internet company in the late 90s – the attractiveness of the global scale and reduced costs of e-channels.

Over the years, payments and savings have always been a subject of the most advanced protection:

  • Banknotes have watermarks and other security features to resist counterfeiting
  • Cheques require the account holder's signature
  • ATMs require both your card and your PIN, run secure software, and are physically tamper-resistant
  • Point of Sale terminals in your favourite supermarket are protected from tampering and use dedicated secure connections to the payment processing network

These are all very sensible measures that work (to one degree or another) to protect customers' and banks' money.

Today, however, there is a huge imbalance between the value of electronically accessible funds and their security. Criminals are exploiting this very effectively, and the banks are looking for a solution. A personal computer is not a tamper-proof sales terminal, so it is infeasible to rely on the customer to keep it 100% secure. No one can take away online banking, but banks can deploy new security measures; solving this problem requires a new, innovative approach that addresses security, ease of use, and cost equally.

At Cronto, we identified this imbalance years ago. We also correctly predicted that the only solution to address this problem is transaction authentication (where the customer confirms each banking instruction). We then developed an innovative visual transaction signing solution. Based on our unique Visual Cryptogram, the Cronto solution supports multiple end user options allowing the bank to choose what is right for their customers whilst maintaining consistency in their backend systems.
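To make the idea of transaction authentication concrete, here is an added example (not Cronto's Visual Cryptogram or any product code) of a generic transaction-signing flow: the bank echoes the transaction it actually received back to a separate signing device, the customer checks that display against what they intended, and the device computes a confirmation code bound to those details and a one-time nonce with a key the PC never holds. The `Bank`, `device_code` and `transfer` names are hypothetical.

```python
import hmac
import hashlib
import json
import secrets

# Hypothetical transaction-signing scheme for illustration only; it is not
# Cronto's scheme. The signing key lives on a separate device, so malware on
# the customer's PC cannot forge a code for details the customer did not see.

def canonical(tx: dict) -> bytes:
    """Unambiguous encoding of the fields the customer is asked to confirm."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def device_code(key: bytes, nonce: bytes, tx: dict) -> str:
    """Short confirmation code the device shows; bound to the nonce and details."""
    mac = hmac.new(key, nonce + canonical(tx), hashlib.sha256).digest()
    return mac[:4].hex()

class Bank:
    def __init__(self):
        self.keys, self.pending = {}, {}

    def enrol(self, customer: str) -> bytes:
        key = secrets.token_bytes(32)        # provisioned into the device out of band
        self.keys[customer] = key
        return key

    def challenge(self, customer: str, received_tx: dict):
        """Issue a one-time nonce and echo the details the bank actually received."""
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (customer, received_tx)
        return nonce, received_tx            # conveyed to the device, e.g. as an image

    def confirm(self, nonce: bytes, code: str) -> bool:
        """Verify the code against the pending transaction; each nonce is single-use."""
        customer, tx = self.pending.pop(nonce)
        expected = device_code(self.keys[customer], nonce, tx)
        return hmac.compare_digest(expected, code)

def transfer(bank: Bank, customer: str, key: bytes, intended_tx: dict, submitted_tx: dict) -> str:
    """intended_tx: what the customer typed; submitted_tx: what the (possibly
    compromised) PC actually sent. Returns the outcome of the signing flow."""
    nonce, shown = bank.challenge(customer, submitted_tx)
    if shown != intended_tx:                 # customer reads the device display
        bank.pending.pop(nonce)              # and refuses to sign altered details
        return "refused"
    code = device_code(key, nonce, shown)    # device signs exactly what was shown
    return "approved" if bank.confirm(nonce, code) else "rejected"
```

Because the code covers the nonce and the canonical details, a code captured for one transaction does not verify for another, and a transaction altered in transit is caught either by the customer on the device display or by the bank's verification.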

Comments, Pingbacks:

Comment from: Pass CISA [Visitor] · http://passcisa.blogspot.com
A real nice presentation.

Security of financial system involves two things.
1. Internal Security
2. External Security.

By Internal security I mean the services/mechanisms placed at internal level/at the Bank's systems.

Some of the major technologies are:
1. Host Security Modules
2. Firewalls
3. Intrusion Detection/Prevention System
4. Endpoint Security for all the bank's internal systems
5. Automated Patch Management.
6. Regular Audit and Pen Test
and many more....

By External Security I mean Security at Client/Customer's level.

My suggestion would be the use of dynamic cryptograms which will act as a One Time Token per transaction and should be purely based on Random Numbers and not on Pseudo Random Numbers, which will be too difficult to be hacked.

I am currently in the process of writing an article on a Hack Proof Financial System.

Once again thanks for your nice article.

Pass CISA
CISA made Easy Team,
A CISA Preparation Blog
passcisa@gmail.com
http://passcisa.blogspot.com
17/07/08 @ 13:18
Comment from: Joachim [Visitor]
While Tetris would be a novelty in the ATM sector, there's prior art for a nice game of chess. Please enjoy the nice photo-story of a visit to a German mutual savings bank's ATM foyer done by some guys from the (in)famous German Chaos Computer Club...

http://ulm.ccc.de/old/projekte/bankomat/index.html

In short: yes, it does run a standard OS (OS/2 in this case, Windows is also common), yes, you can easily break out to the shell and/or GUI, and yes, there is a chess program installed... although it wasn't the ATM, just the statement printer, but still...
25/11/08 @ 01:37
