Wednesday, July 15, 2009

Abstract Hackery

I found myself intrigued by the security protocols failures outlined in the paper Programming Satan's Computer. The case studies are written in such a way that you don't need to be a security guru to appreciate the approach used to defeat what appears to be a secure system.

Consider this example:

A simple protocol failure allowed criminals to attack the automatic teller ma- chine systems of one of Britain's largest banks. This bank wished to o ffer an online service, so that customers could still get a limited amount of money when its mainframes were doing overnight batch processing. It therefore had the customer's personal identi cation number (PIN) encrypted and written to the magnetic strip on the card. The teller machines had a copy of the key, and so could check the PINs which customers entered.

However, a villain who had access to a card encoding machine discovered that he could alter the account number of his own card to someone else's, and then use his own PIN to withdraw money from the victim's account. He taught other villains how to do this trick; in due course the fraud led to at least two criminal trials, and to bad publicity which forced the bank to move to fully online processing [Lewi93].

It's a fun read, and the examples are abstract enough that there's room to apply them to problems you may be working on now.

Thanks to Lambda-the-Ultimate for the pointer.

No comments:

Post a Comment