Researchers: Chip and PIN Enables ‘Chip and Skim’

September 12, 2012

Researchers in the United Kingdom say they’ve discovered mounting evidence that thieves have been quietly exploiting design flaws in a security system widely used in Europe to prevent credit and debit card fraud at cash machines and point-of-sale devices.

The innards of a chip-and-PIN enabled card.

At issue is an anti-fraud system called EMV (short for Europay, MasterCard and Visa), more commonly known as “chip-and-PIN.” Most European banks have EMV-enabled cards, which include a secret algorithm embedded in a chip that encodes the card data, making it more difficult for fraudsters to clone the cards for use at EMV-compliant terminals. Chip-and-PIN is not yet widely supported in the United States, but the major card brands are pushing banks and ATM makers to support the technology within the next two to three years.

EMV standards call for cards to be authenticated to a payment terminal or ATM by computing several bits of information, including the charge or withdrawal amount, the date, and a so-called “unpredictable number”. But researchers from the computer laboratory at Cambridge University say they discovered that some payment terminals and ATMs rely on little more than simple counters, or incrementing numbers that are quite predictable.

“The current problem is that instead of having the random number generated by the bank, it’s generated by the merchant terminal,” said Ross Anderson, professor of security engineering at Cambridge, and an author of a paper being released this week titled, “Chip and Skim: Cloning EMV cards with the Pre-Play Attack.”

Anderson said that the failure to specify that merchant terminals should insist on truly *random* numbers, instead of merely non-repeating numbers — is at the crux of the problem.

“This leads to two potential failures: If the merchant terminal doesn’t a generate random number, you’re stuffed,” he said in an interview. “And the second is if there is some wicked interception device between the merchant terminal and the bank, such as malware on the merchant’s server, then you’re also stuffed.”

The “pre-play” aspect of the attack mentioned in the title of their paper refers to the ability to predict the unpredictable number, which theoretically allows an attacker to record everything from the card transaction and to play it back and impersonate the card in additional transactions at a future date and location.

Anderson and a team of other researchers at Cambridge launched their research more than nine months ago, when they first began hearing from European bank card users who said they’d been victimized by fraud — even though they had not shared their PIN with anyone. The victims’ banks refused to reimburse the losses, arguing that the EMV technology made the claimed fraud impossible. But the researchers suspected that fraudsters had discovered a method of predicting the supposedly unpredictable number implementation used by specific point-of-sale devices or ATMs models.

Continue reading

Microsoft Pushes Two Security Patches

September 11, 2012

Microsoft today issued security updates to fix at least two vulnerabilities in its software. The fixes are for enterprise components that are not widely installed, meaning that Windows home users will likely get away with not having to patch their operating system this month.

The first patch, MS12-061, applies to Microsoft Visual Studio Team Foundation Server. The other update, MS12-062, fixes a flaw in Microsoft Systems Management Server 2003 and Microsoft System Center Configuration Manager 2007.

Windows users who run Windows Update or Automatic Update may still find a few updates available, such as KB2736233, which disables certain potentially unsafe ActiveX components in Internet Explorer; or KB2735855, which is a stability hotfix for Windows 7 and Windows Server 2008 systems.

Microsoft is urging system administrators at organizations to test a soon-to-be mandatory patch (KB2661254) that will change the way Windows handles encryption keys. That patch is in apparent response to the weaknesses exploited by the Flame malware, which used it to successfully spoof the encryption algorithm used by Microsoft’s Remote Desktop and to install itself on Windows PCs. The update has been available since August but won’t be pushed out through Windows Update until October.

Advertisement

Donkey Express: Mules Take Over the Mail

September 10, 2012

This blog has featured several stories on reshipping scams, which recruit willing or unwitting U.S. citizens (“mules”) to reship abroad pricey items that are paid for with stolen credit cards. Today’s post highlights a critical component of this scheme: the black-market sale of international shipping labels fraudulently purchased from the U.S. Postal Service.

A service that automates creation of carded USPS labels.

USPS labels that are purchased via card fraud, known in the Underweb as simply “cc labels,” are an integral part of any reshipping scheme. So it should be no surprise that the leading proprietors in this obscure market run Atlanta Alliance, one of the largest and most established criminal reshipping rackets in the underground.

The service, at fe-ccshop.com, makes it simple for any reshipping scam operator to purchase international shipping labels at a fraction of their actual cost. For example, USPS Express Mail International labels for items 20 pounds or less that are headed from the United States to Russia start at about $75, but this service sells them for just $14. The same label for an item that weighs 25 pounds would cost upwards of $150 at the Post Office, but can be had through this service for just $19.

Customers fund their accounts with a virtual currency such as Liberty Reserve, and then enter the reshipping mule’s address in the “from” section and the fraudster’s in the “to:” field. Clicking the “make label” button causes the label to be paid for with a stolen credit card, and lets the customer print or save digital images of usable and new USPS international shipping labels.

Continue reading

Apple Releases Fix for Critical Java Flaw

September 5, 2012

Apple has issued an update for Mac OS X installations of Java that fixes at least one critical security vulnerability in the software.

If you own a Mac, take a moment today to run the Software Update application and check if there is a Java update available. Delaying this action could set your Mac up for a date with malware. In April, the Flashback Trojan infected more than 650,000 Mac systems using an exploit for a critical Java flaw.

Java for Mac OS X 10.6 Update 10 and Java for OS X 2012-005 are available for Java installations on OS X 10.6, OS X Lion and Mountain Lion systems, via Software Update or from Apple Downloads.

Apple stopped bundling Java by default in OS X 10.7 (Lion), but it offers instructions for downloading and installing the software framework when users access webpages that use it. The latest iteration of Java for OS X configures the Java browser plugin and Java Web Start to be deactivated if they remain unused for an extended period of time.

Update, 8:14 p.m.: It looks like I may have misread Apple’s somewhat hazy advisory, which appears to state that this update addresses CVE-2012-4681, the Java flaw that was recently spotted in increasingly widespread attacks against Java 7 installations on Windows. Upon closer inspection, it looks like this patch applies just to CVE-2012-0547. The above blog post has been changed to reflect that. In any case, Mac users should not delay in updating (or better yet, removing) Java.

Continue reading

A Handy Way to Foil ATM Skimmer Scams

September 5, 2012

I spent several hours this past week watching video footage from hidden cameras that skimmer thieves placed at ATMs to surreptitiously record customers entering their PINs. I was surprised to see that out of the dozens of customers that used the compromised cash machines, only one bothered to take the simple but effective security precaution of covering his hand when entering his 4-digit code.

In February 2011, I wrote about geek gear used in a 2009 ATM skimmer incident at a Bank of America branch in California. The theft devices employed in that foiled attack included a card skimmer that fit over the real card acceptance slot, and a hidden ball camera.

I recently obtained the video footage recorded by that hidden ball camera. The first segment shows the crook installing the skimmer cam at a drive-up ATM early on a Sunday morning. The first customer arrives just seconds after the fraudster drives away, entering his PIN without shielding the keypad and allowing the camera to record his code. Dozens of customers after him would do the same. One of the customers in the video clip below voices a suspicion that something isn’t quite right about the ATM, but he proceeds to enter his PIN and withdraw cash anyhow. A few seconds later, the hidden camera records him reciting the PIN for his ATM card, and asking his passenger to verify the code.

Some readers may thinking, “Wait a minute: Isn’t it more difficult to use both hands when you’re withdrawing cash from a drive-thru ATM while seated in your car?” Maybe. You might think, then, that it would be more common to see regular walk-up ATM users observing this simple security practice. But that’s not what I found after watching 90 minutes of footage from another ATM scam that was recently shared by a law enforcement source. In this attack, the fraudster installed an all-in-one skimmer, and none of the 19 customers caught on camera before the scheme was foiled made any effort to shield the PIN pad.

Continue reading

Security Fix for Critical Java Flaw Released

August 30, 2012

Oracle has issued an urgent update to close a dangerous security hole in its Java software that attackers have been using to deploy malicious software. The patch comes amid revelations that Oracle was notified in April about this vulnerability and a number other other potentially unpatched Java flaws.

The patch fixes a critical flaw in the latest version of Java 7 that is now being widely exploited. Users with vulnerable versions of Java installed can have malware silently planted on their systems just by browsing to a hacked or malicious Web site.

The update brings Java 7 to Update 7, and appears to fix the flaw being exploited and several other security holes. Oracle also released a security update for systems running Java 6, which brings that version to Java 6 Update 35.

Today’s patches are emergency, out-of-schedule updates for Oracle, which previously was not planning to release security updates for Java until October. Although it may appear that Oracle responded swiftly to the discovery of extremely dangerous flaws in its software, Security Explorations — a research firm from Poland — says it alerted Oracle about this vulnerability and 30 others back in April. It’s not yet clear how many of those vulnerabilities were patched in this release.

“We … expected that the most serious of them would be fixed by June 2012 Java CPU,” said Security Explorations CEO and founder Adam Gowdiak told The Register’s Neil McAllister. “But it didn’t happen and Oracle left many issues unpatched with plans to address them in the next Java [updates].”

Continue reading

Researchers: Java Zero-Day Leveraged Two Flaws

August 29, 2012

New analysis of a zero-day Java exploit that surfaced last week indicates that it takes advantage of not one but two previously unknown vulnerabilities in the widely-used software. The latest figures suggest that these vulnerabilities have exposed more than a billion users to attack.

Esteban Guillardoy, a developer at the security firm Immunity Inc., said the underlying vulnerability has been around since July 28, 2011.

“There are 2 different zero-day vulnerabilities used in this exploit,” Guillardoy wrote in a lengthy analysis of the exploit. “The beauty of this bug class is that it provides 100% reliability and is multi-platform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353).”

ONE BILLION USERS AT RISK?

How many systems are vulnerable? Oracle Corp., which maintains Java, claims that more than 3 billion devices run Java. But how many of those systems run some version of Java 7 (all versions of Java 7 are vulnerable; this flaw does not exist in Java 6 versions).

To get an idea, I asked Secunia, whose Personal Software Inspector program runs on millions of PCs. Secunia said that out of a random sampling of 10,000 PSI users, 34.2 percent had some version of Java 7 installed. In the same data set, 56.4 percent of users had an update of Java 6 installed. Assuming that Secunia’s 10,000 user sample is representative of the larger population of computer users, more than a billion devices could be vulnerable to attack via this exploit.

Continue reading

Attackers Pounce on Zero-Day Java Exploit

August 27, 2012

Attackers have seized upon a previously unknown security hole in Oracle’s ubiquitous Java software to break into vulnerable systems. So far, the attacks exploiting this weakness have been targeted and not widespread, but it appears that the exploit code is now public and is being folded into more widely-available attack tools such as Metasploit and exploit kits like BlackHole.

A Metasploit module developed to target this Java 0-day.

News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre’ M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).

Also, there are indications that this exploit will soon be rolled into the BlackHole exploit kit. Contacted via instant message, the curator of the widely-used commercial attack tool confirmed that the now-public exploit code worked nicely, and said he planned to incorporate it into BlackHole as early as today. “The price of such an exploit if it were sold privately would be about $100,000,” wrote Paunch, the nickname used by the BlackHole author.

Oracle is not scheduled to release another security update for Java until October. In the meantime, it’s a good idea to either unplug Java from your browser or uninstall it from your computer completely.

Continue reading

Dropbox Now Offers Two-Step Authentication

August 27, 2012

Online file-backup and storage service Dropbox has begun offering a two-step authentication feature to help users beef up the security of their accounts. The promised change comes less than a month after the compromise of a Dropbox employee’s account exposed many Dropbox user email addresses.

Dropbox users can take advantage of the new security measure by logging in at this link, and then clicking the “Security” tab. Under account sign in, click the link next to “Two-step verification.” You’ll have the option of getting security code sent to your mobile device, or using one of several mobile apps that leverage the Time-based One-Time Password algorithm.

If you’re already familiar with the Google Authenticator app for Gmail’s two-step verification process (available for Android/iPhone/BlackBerry) this is a no-brainer: When prompted,  open the app and create a new token, then use the app to scan the bar code on your computer screen. Enter the key generated by the app into your account settings on the site, and you’re done. Other supported apps include Amazon AWS MFA (Android) and Authenticator (Windows Phone 7).

Continue reading

New Adobe Flash Player Update Fixes 6 Flaws

August 21, 2012

For the second time in a week, Adobe has shipped a critical security update for its Flash Player software. This patch, part of a planned release, closes at least five six security holes in the widely-used browser plugin, and comes just one week after the company rushed out a fix for a flaw that attackers were already exploiting in the wild.

Updates are available for Windows, Mac, Linux and Android platforms. Windows and Mac users will need to update to v. 11.4.402.265 (Linux and Android users should see the advisory for their version numbers). The Flash Player installed with Google Chrome should automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player v. 11.3.31.230 for Windows and Linux, and Flash Player v. 11.4.402.265 for Macintosh. When I composed this post, however, the installation of Chrome on my Mac had not yet updated to the new version Google began pushing out today (a restart of the browser fixed that).

To find out what version of Flash is on your system, browse to this link. The latest version is available at this link, which should auto-detect the version of Flash your browser and operating system needs. Windows users take note: Unless you also want McAfee Security Scan Plus bundled with your Flash update, make sure to uncheck that box before clicking “download now.”

Adobe also has released an update that addresses these vulnerabilities in Adobe AIR. Windows and Mac users will want to update to Adobe AIR 3.4.0.2540. Windows users should be able to tell if they have this program installed and its version number from the Add/Remove Programs section of the Windows Control Panel. Determining the presence of AIR and its version number gets a bit more complicated for Mac users.