Financial Cryptography 2014 – Ross Anderson – Cambridge University
I just gave a keynote talk entitled “EMV – Why Payment Systems Fail” summarising our last decade’s research on what goes wrong with Chip and PIN. There will be a paper on this out in a few months; meanwhile here’s our page of papers on bank security.
Rafik Ansari gave the first regular paper, on Digital check forgery attacks on client check truncation systems.
A check system typically had an untrusted part, which transports paper checks physically to the trusted part, where the checks are scanned and sent electronically into clearing. Check fraud was $645m in 2012, 37% of all payment fraud. The Check 21 Act (2004) allowed remote deposit capture, and a move to client truncation (photograph your checks to cash them), which however renders the fancy papers and inks useless. Rafik is an image-processing guy, interested in attacks via the client software that takes the images and sends them to the bank. There is rapid advance in digital forgery tools; he discussed what can be done to cut and paste handwriting onto a background. To see whether it could be industrialised, he tapped into the camera and network APIs on an Android phone; he found he could alter amounts on cheques that were then successfully deposited. The banks used fairly crummy 80kb JPEG images to save bandwidth. They were notified following a responsible disclosure protocol. He mentioned some techniques that could be used for manipulation detection.
Steven Murdoch followed on Security protocols and evidence: where many payment systems fail (declaration: I’m a coauthor). Despite the fact that fraud victims are supposed to get their money back, the British Crime Survey shows that 44% don’t. Steven discussed how the Payment Services Directive was neutered by the insertion of “necessarily” in the Directive following lobbying by Barclays in 2002 to have their records considered definitive evidence. Yet technical failures and insider attacks abound; Steven described a case in Turkey where the bank records said the PIN was used but the shop receipt showed they were wrong. In the Job case, the bank got away with saying it could not supply the keys needed to verify ARQCs, as it had no system in place to extract them and such a system would compromise security in any case. He presented a series of principles for designing robust dispute resolution procedures, which can be summarised by saying that dispute resolution mechanisms must be properly engineered and properly governed. It’s not reasonable to expect judges to invent systems and procedures on the fly, with little technical access or insight. He then discussed how these principles might be applied to EMV in an incremental way, requiring changes only by the card issuer, so that it’s deployable in practice. Finally, he applied the principles to other payment systems: phone banking systems fail miserably (as seen in the NatWest Getcash scheme); Sofortüberweisung fails all but one of the principles, and Bitcoin fails all but two.
The third talk of the first session was by Tyler Moore on The Ghosts of Banking Past. What happens when a bank passes away? They found the website of “Mid-Valley Bank” in 2013, spotted that the CEO had a CRT monitor, and found that MVB had closed in 2004. Hundreds of banks close each year, whether from mergers or collapses. They found 3181 banks that closed 2003–2013; some had a redirect to the bank that acquired them, but in many other cases there were domain parking pages with syndicated ads, URLs blacklisted for malware distribution, a whole range of blog spam and blackhat SEO, and a number of relinquished domains. In total 47% were still owned by a bank, but the proportion drops off exponentially with age to a steady state of about 30%. Bank-owned domains are 3.5 years old on average; spam domains about 6 and malware domains about 7.5. Statistical testing showed that time since closure, troubled circumstances at closure, and small bank size are all significant (p < 0.001). Of 535 sites that died, 326 were resurrected; these were more likely to be big banks closed recently. Now businesses die all the time and their domains are bought by scavengers; in what cases is it justifiable to have restrictions on re-registration, and what should we do? Permanent cancellation would be a heavyweight way to ensure permanence; it might be better to demand that banks and other players in regulated industries pay registration fees many years in advance, or to have a trusted repository own the domains. Their recommendation is that regulators should tackle the problem.