Banc of America Article

http://biz.yahoo.com/rb/030125/tech_virus_boa_1.html

Let's make the assumption that the outage of ATM's that BoA suffered was
caused by last nights 'SQL Slammer' virus.

The following things can then be assumed:

a) BoA's network has Microsoft SQL Servers on them.

b) BoA has not applied SP3 (available for a week) or the patch for this
particular problem (SQL Slammer) (available for many months).

c) somehow, this attack spawned on the public internet made it's way to
BoA's SQL servers, bypassing firewalls (did they have firewalls?).

Another article states, "Bank of America Corp., one of the nation's
largest banks, said many customers could not withdraw money from its
13,000 ATM machines because of technical problems caused by the attack. A
spokeswoman, Lisa Gagnon, said the bank restored service to nearly all
ATMs by late Saturday afternoon and that customers' money and personal
information had not been at risk."

Does anyone else, based upon the assumptions above, believe this statement
to be patently incorrect (specifically, the part about 'personal
information had not been at risk.') ?

I find these statement made by BoA, based upon assumptions which are
probably correct, to be very scary.

Comments?

-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben --
-- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --

http://biz.yahoo.com/rb/030125/tech_virus_boa_1.html

Let's make the assumption that the outage of ATM's that BoA suffered was
caused by last nights 'SQL Slammer' virus.

The following things can then be assumed:

a) BoA's network has Microsoft SQL Servers on them.

Not necessarily. There's this statement from a BoA employee:

'"We have been impacted, and for a while customers could not use ATMs and
customer services could not access customer information," Gagnon said.'

While that's clear as mud, one could also infer that the network that they
depend on to interconnect their ATMs and branches was impacted by all the
garbage network being carried at the time. They don't disclose how these
atm's and branches are connected back to their datacenter(s?), but perhaps
someone had the bright idea of tunneling everything over something like
the Qwest network, which some here reported as being b0rked for quite some
time... Or perhaps they (or the VPN concentration gear) are in a shared
datacenter space where other customers bouncing this junk around trashed
the network within the datacenter. These days you can never make
assumptions about what passes for BCP.

Just another possibility... Mind you I'm not rushing out to open an
account with them.

C

FWIW:

http://www.washingtonpost.com/wp-dyn/articles/A57550-2003Jan28.html

"About 13,000 Bank of America cash machines had to be shut down. The
bank's ATMs sent encrypted information through the Internet, and when
the data slowed to a crawl, it stymied transactions, according to a
source, who said customer financial information was never in danger of
being stolen."

Or,

IIRC, the ATM system is similar to CC transactions. A best effort is
made to authorize against your account (Credit Card or Banking) but if
it fails and the transaction is within a normal range (your daily card
limit) the CC/ATM completes the transaction. I'd be willing to bet the
failure rate Saturday was high enough to cause concern that bank
customers (knowingly or innocently) could bypass the normal limits and
overdraw or otherwise negatively effect their accounts. So BoA decided
to shut down the system until the failure rate returned to 'normal.' Not
a bad thing, IMHO.

Best regards,

Date: Wed, 29 Jan 2003 07:20:35 -0800
From: Al Rowland

IIRC, the ATM system is similar to CC transactions. A best
effort is made to authorize against your account (Credit Card
or Banking) but if it fails and the transaction is within a
normal range (your daily card limit) the CC/ATM completes the
transaction.

Fail-open security on financial networks? Yucky.

Eddy

IIRC, the ATM system is similar to CC transactions. A best effort is
made to authorize against your account (Credit Card or Banking) but if
it fails and the transaction is within a normal range (your daily card
limit) the CC/ATM completes the transaction.

  Too bad it is not the case, but lets presume that it is. How does it
explain branches not being able to process direct withdrawals either?

  The incident on hand illustrates that the design of our financial
networks is broken. If a non sophisticated worm managed to create so many
problems, what is going to happen should a real attack be mounted against
the networks used by financial services?

Alex

Perhaps the bank bought VPN service with an SLA from a large network vendor. That SLA was not met due to network congestion. Said vendor will be responsible for reparations to the bank. That doesn't help the customers, of course. Now the bank COULD just use T-1 or faster circuits to all branches, but the network vendors are pushing VPNs (whether formed by IPSec tunnels, Frame Relay, MPLS, etc.) as cheaper alternatives. It would be foolish and irresponsible for the bank management to spend many times the amount of money.

Of course even the T-1 circuits can have problems. ATT did melt their telephony backbone on Martin Luther King Day some years back. So should the bank run their own fiber between branches to ensure they're OK in the event of an SS7 meltdown? Where do you draw the line? Which technology do YOU trust? Which can you afford?

Or,

IIRC, the ATM system is similar to CC transactions. A best effort is
made to authorize against your account (Credit Card or Banking) but if
it fails and the transaction is within a normal range (your daily card
limit) the CC/ATM completes the transaction.

So you're telling me that if I go to Kwik-E-Mart, cut the wires, put my
card with a $0 balance in it will happily let me withdraw money? Somehow
that doesn't sound right. How would it know my PIN, or would it assume I
entered it correctly? How would it know my daily card limit?

Charles

I believe specific account data is not kept on the local machine. I may
be wrong, not to mention the data strip on the card...

Nothing new. Look at what happened to the Chicago Board of Trade a few
years back. I wonder how WCOM reported the out-of-court settlement for
that one their books. ;0

The original NSI SI,
National-Security-Internet-(Survivable-Infrastructure), model was
replaced years ago by the BBC, Best-Business-Case model, puns intended.

Best regards,

Just for grins,

The PIN is on your card, likely encrypted, this based on the fact that
most ATMs will reject your card at the initial PIN prompt before you try
to execute any transaction, as is likely your balance and daily
withdrawal limit but the Kwik-E-Mart system might not have a way to see
that you've already withdrawn your daily limit from three other ATMs
etc. I use a not-my-bank ATM in the lobby at work and it doesn't
initiate the call (you can hear the modem dial) until you're beyond the
PIN screen and are actually requesting a transaction. My daily limit at
my home bank is significantly higher than my daily limit at
non-home-bank ATMs so that might be a local feature rather than hard
coded to your card. (or readable by the particular machine you're using,
who knows what your bank considers privacy or proprietary information.)

Just conjecture, no way to know how this specifically works without
looking at the BoA specific ATM code but I'd be willing to bet the code
errs on the side of customer convenience over absolute security. See
most software as examples.

Best regards,

We're off-topic now, so I won't go into detail, but the PIN is
sometimes on the card and sometimes not. There are different ways of
doing it. (If the sampling of cards in my wallet is representative,
then mostly, the PINs aren't on the card anymore (I still have one card
that has the PIN on the card).)

     -- Brett

Disclaimer: while I did work for a company that was (or would have been)
involved with CC transactions, I have never actually worked with CC
auth mechanisms; only discussed them with a housemate who worked on
$(MAJOR_CC_VENDOR)'s transaction/auth system.

The short answer is: yes.

The longer answer is: your PIN is on your card, the rest is recorded in the
ATM and syncronized when it has connectivity again. At which point, your
bank will be sending you a polite (or, for some amounts, not so polite)
request to pay the outstanding balance, the fees incurred for overdraft,
and other assorted charges.

Most of the financial world operates on a pair of fairly straightforward
principles:

1) It costs money to stop fraud. Unless and until the cost of fraud exceeds
   the cost of stopping the fraud, it is not profitable to attempt to stop
   the fraud (and, as a correllary, the effort put into stopping fraud
   is limited to that amount which produces a better-than-even return on
   investment). All major CC vendors simply budget for some amount of fraud
   every year; it's a known risk of the business model, and is accounted
   for.

2) Banks are, as a rule, care fairly little about whether you can withdraw
   money that you shouldn't be able to. ATM limits are largely about
   limiting the amount of damage done in the short term. What banks care
   about a very great deal is trying to make sure that that nothing,
   anywhere, in the entire system, can cause a transaction that doesn't
   have an audit trail - and spotting such things is (relatively) easy,
   because the books suddenly don't balance. Money may be information,
   but *within the system*, that information is checked, double-checked,
   cross-checked, and otherwise run through a really insane amount of
   effort to make sure you can't create money from nothing - and can't
   move it from one place to another without leaving some record of the
   movement. Thus, you can get physical cash from an ATM, if the system is
   out of sync, but as soon as it gets synced up again that will be linked
   back to your account. The bank only really cares, then, if your account
   happens to end up negative (and, as above, will take action in more
   concrete ways, to deal with the situation).

Anyone who actually cares about this is strongly advised to not take my
word on it, but go do the homework for yourself; most of this information
is available to a sufficiently curious searcher.

Your assumption is my account is at my local branch. Neither is my safe
deposit box. It's at a different, larger branch in the adjacent suburb.
My 'account' is likely in one of their corporate monoliths downtown,
hence the network connection. That's why my card works as well in
Virginia (my most recent trip) as it does at my local branch in LA. My
local ATM also needs access to other bank networks if they have any hope
of collecting that usury fee for not-my-bank customers using the teller.
It's about the Benjamins.

I completely agree with your second point but don't expect change until
outside forces affect change in the current business model. Just my 2�.

Best regards,

Al Rowland wrote:

The PIN is on your card ...

Not for any card I've ever owned. I've changed my PIN several times over the years, and the bank has never re-encoded my card or sent me a new card as a result of doing so.

Maybe some banks do store the PIN on the card, but I'm certain that it's in the server for ever bank I've used.

I use a not-my-bank ATM in the lobby at work and it doesn't
initiate the call (you can hear the modem dial) until you're beyond the
PIN screen and are actually requesting a transaction.

I'm not surprised. But the PIN is verified as a part of the transaction.

I've occasionally mistyped my PIN. The ATM takes the mistake and goes straight to the menu. It's only after requesting a transaction that it comes back with the "invalid PIN" message.

-- David

Halleluljah. A voice of knowledge as opposed to conjecture. Different
bank ATMs operate differently. There are online and offline modes.
The PIN may or may not be recorded on the card. Some of these
differences are due to the fact that not all financial institutions
were connected to interbank networks over two decades ago. And yes,
some banks' ATMs dispense limited amounts of cash while disconnected
from the network. This is a compromise between customer service and
fraud exposure. You won't be able to get rich that way. There are
plenty of resources on and offline related to magnetic stripe
cryptographic security and PIN verification methods such as Atalla
Identikey, Visa PW, IBM 3624, etc.

Those making the most noise should take a look at their own network
security, data security, and redundancy practices as they rail
against large financial networks and systems.

Regards,
Sharif

at Wednesday, January 29, 2003 6:35 PM, Al Rowland
<alan_r1@corp.earthlink.net> was seen to say:

The PIN is on your card, likely encrypted

IIRC, the actual answer is a bit simpler - an initial pin is
*calculated* from your account number (which *is* stored on the card)
and an offset (also on the card) is applied to give the pin you actually
type.

Just conjecture, no way to know how this specifically works without
looking at the BoA specific ATM code but I'd be willing to bet the
code errs on the side of customer convenience over absolute security.

Possibly. unfortunately (here in the uk at least) "the system" also
defaults to believing that only the registered owner could possibly use
the card - hence lots of cases over "phantom withdrawls" that the bank
refuses to refund. So customer convenience is ok provided it comes free
for the bank

Since nobody has given the correct information about the PIN on the card I
will give a very brief description.

There are two types of PIN, natural and customer selected.
The natural PIN is computed from the number on the card. The computation
involves one way crypto keys. I don't remember the algorithm. For this the
PIN that is stored on the card is 0000.

Now, when a customer selects a PIN, an offset is computed between the
natural PIN and selected PIN. This offset is stored on the card.

Based on this you can see that re-encoding is needed when you change the
PIN number, most ATM will do that re-encoding. So unless things have
changed in the last 4 years since I worked with this, you can not change
your PIN over the phone without physical contact by the bank with the
card.

Personally I carry a card without any logo as my ATM card, at one point I
had access to reader/encoder for mag strip cards and I programmed a blank
card with the info from my real ATM card. No encryption involved.

K

The last two banks I've used both allowed me to do it over telephone
banking.
-Paul