Last Updated: 07/27/2016

Program Developed to Break Into ATMs

NEW YORK -- A pair of Cambridge University computer graduate students have penetrated the security software used by IBM Corp. to protect bank ATM machines and e-commerce transactions, the school says.

The students, Mike Bond and Richard Clayton, developed a program that allowed them to defeat security measures on a laboratory computer equipped with the IBM security hardware and software that stores credit card numbers or cash machine PINs.

Officials at the British university said the students became the second group known to have cracked into a hardware device protected by the ultra-secure Data Encryption Standard, exposing a serious weakness in bank computer security that would allow a single employee to plunder accounts.

While taking the announcement seriously, IBM said Friday that the successful attack described by the students would not happen under a typical bank's security regimen.

Bond said the two began contacting IBM in April to alert them to the vulnerability, but that the company did not respond in a manner that led them to believe it was serious about repairing the flaw.

The pair then decided to publish their paper on the Internet, and Cambridge University announced the findings on its web site.

"I had the same information that a bank employee would have -- access to the instruction manuals, and remote access to a 4758," Bond said, referring to the IBM co-processor card that runs the encryption software used to secure personal banking data.

"It's a substantial risk and it needs to be fixed in the software," he said.

The 4758 co-processor and its operating software received the U.S. government's highest security rating in 1998. The device employs the Data Encryption Standard algorithm and is used by banks worldwide to secure and encrypt personal account information.

IBM sought to downplay the students' claim.

"The students have assumed the lack of a normal series of bank controls that would make this attack futile in anything but a laboratory environment," said Chris Holloway, an engineer with IBM's London-based financial services division.

"Nevertheless, we will address this issue with our customers in the immediate future," he added.

Bond said the process he and Clayton discovered would allow a single dishonest bank employee to plunder individual accounts after about two days' effort.

Normally, the IBM software requires that multiple bank employees be present in order to gain access to a database containing the PINs for bank accounts. Bond said his procedure would give a single employee access to the PIN database.

The students built their own key-cracking device using an off-the-shelf kit. The device used the so-called "brute force" method of trying every possible key until one reproduces the observed ciphertext. Cambridge said the pair shortened the time needed to find a match from 70 years to a single day by using a method Bond devised that attacked 16,384 keys at the same time.
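The saving described above comes from checking each candidate key against many target ciphertexts at once instead of one, so the first hit arrives roughly N times sooner. The following is an added example, not code from the Cambridge paper or from IBM: it models the idea with a toy 20-bit keyed hash standing in for DES (toy_encrypt, demo, the key size and the sample keys are all assumptions), and shows why a fixed-size key's safety margin shrinks by the number of keys an attacker can search simultaneously.

```python
import hashlib
import random

KEY_BITS = 20                    # toy key space (DES has 56); small so this runs in seconds
KNOWN_PLAINTEXT = b"TEST-BLOCK"  # constructed: a block whose plaintext the searcher knows

def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    """Stand-in for DES: a keyed hash, used only to model 'ciphertext of a known block'."""
    return hashlib.sha256(key.to_bytes(4, "big") + plaintext).digest()[:8]

def single_target_search(target_ct: bytes) -> tuple:
    """Classic brute force: try every key until one reproduces the one target ciphertext.
    Returns (key, trials)."""
    for trials, key in enumerate(range(1 << KEY_BITS), start=1):
        if toy_encrypt(key, KNOWN_PLAINTEXT) == target_ct:
            return key, trials
    raise ValueError("key space exhausted")

def multi_target_search(target_cts: set) -> tuple:
    """Parallel-target search: each trial key is checked against ALL N targets at once
    (a set lookup), so the expected number of trials drops by about a factor of N."""
    for trials, key in enumerate(range(1 << KEY_BITS), start=1):
        if toy_encrypt(key, KNOWN_PLAINTEXT) in target_cts:
            return key, trials
    raise ValueError("key space exhausted")

def demo(n_targets: int = 64, seed: int = 1) -> dict:
    """Compare the work to recover one specific key with the work to recover any one
    of n_targets keys. Keys are constructed at random for the demonstration."""
    rng = random.Random(seed)
    targets = [rng.randrange(1 << KEY_BITS) for _ in range(n_targets)]
    cts = {toy_encrypt(k, KNOWN_PLAINTEXT): k for k in targets}
    k1, t_single = single_target_search(toy_encrypt(targets[0], KNOWN_PLAINTEXT))
    k_any, t_multi = multi_target_search(set(cts))
    return {"single_key": k1, "single_trials": t_single,
            "multi_key": k_any, "multi_trials": t_multi,
            "multi_key_is_target": k_any in cts.values(),
            "speedup": t_single / t_multi}

if __name__ == "__main__":
    r = demo()
    print(f"one target : {r['single_trials']} trials")
    print(f"64 targets : {r['multi_trials']} trials (speedup x{r['speedup']:.0f})")
```

The same arithmetic explains the article's figures: 70 years divided by 16,384 simultaneous keys is on the order of a day, which is why the mitigation is a larger key (3DES/AES) rather than any change to the search hardware.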

To steal money, secret codes would have to be matched to bank account numbers and encoded onto forged magnetic stripe cards -- a process Bond described as simple.

"You reprogram the card with lots of different account numbers and plunder each account, one at a time," he said.

Bond said individual bank accounts should not be considered immediately vulnerable, however.

He said he hoped the publicity was aimed at increasing long-term safety by pressuring the banking security industry to use open encryption standards that can be examined and vetted by the computer science community.

"We made this public not so someone could plunder a bank, but so the hole could be fixed," Bond said. "It's an important issue for everyday people, that banks be open about their security. Otherwise it's protection through secrecy."

The only other known successful brute-force attack on the DES algorithm took place in July. In that case, a contest sponsored by a California data security firm, professional code breakers took almost three days to unwind the DES algorithm using a $250,000 computer.