Security experts have warned that PIN codes and card details held by cash machines may be at risk from unscrupulous bank employees.
The warning comes after research by two Cambridge University students proved that IBM's 4758 cryptographic co-processor, as used in many high street banking systems, could be hacked.
Security firm @stake said that high street banks are vulnerable only to an inside attack, since the researchers themselves acknowledged that the technique requires around 20 minutes of uninterrupted access to the device. However, this still leaves data exposed to a corrupt insider.
A case in point is Graham Browne, former head of the encryption unit at Barclays, who was yesterday acquitted of attempting to extort £25m from the bank after threatening to expose confidential security information.
The research carried out by computing students Michael Bond and Richard Clayton revealed that, although the IBM 4758 is an extremely secure cryptographic co-processor, it is possible by "a mixture of sleight of hand and raw processing power" to persuade the device to export all its DES and 3DES encryption keys.
"The attack can only be performed by an insider with physical access to the cryptographic co-processor, but they can act alone," the students said.
They emphasised that the most likely source of attack would be from a corrupt high level employee, as a "standard off-the-shelf $995 FPGA evaluation board from Altera" is needed to brute force the encryption scheme.
However, using such a device is "a reasonably straightforward task that does not require specialist hardware design knowledge and, since the board is pre-built and comes with all the necessary connectors and tools, it is entirely suitable for amateur use", they said.
But industry experts have hit back at the claims. "You would have to be in a position to launch that attack and a lot of these systems won't have direct connections to the internet," said Mark Read, network security analyst at MIS Corporate Defence Solutions, highlighting the fact that an outsider attack is very unlikely.
IBM also claims the hack can only be done under strict laboratory conditions and is not possible in real bank systems. "Normal bank practice and procedure would prevent any possibility of launching such an attack," said a spokeswoman.
"This academic study is based on specific laboratory conditions. In the real world there are too many physical safeguards and authority protections for such an attack to be successful," she added.
But Bond and Clayton maintain that, until IBM fixes the Common Cryptographic Architecture software, "banks are vulnerable to a dishonest branch manager whose teenager has $995 and a few hours to spend in duplicating our work".