Madrock

When considering Mobile Banking security and the associated risk, the an assessment approach depends greatly on the solution being created or provided.
Generally the approach is based on layered standards supporting and surrounding the technologies and techniques used.

Here are some things to consider.

Security assessments generally focuses on two main things.

1/ Sensitivity of the data
What is being sent. eg. Pin, credit card numbers, account balance, home address, bank account number, etc.
Data may not be sensitive to the bank, but may be considered by the client as sensitive.
etc……….

2/ Opportunity to access the data.
What medium is being used?
Is it easy to hack?
What encryption is being used?
Are all data paths secure (client and back end)?
Is there a 3rd party involved in the switching of the transactions?
etc………

Things to consider:

• Pin resets sent via SMS to client, should not be used as the only method of accessing accounts. An additional client specific (possibly static) pass word/phrase should be used in addition to a dynamically generated pin. SMS can be sniffed (depending on mode and location).
• If WAP is used, are all devices capable of encryption? If devices are not capable of encryption, do we deny access to these devices? If client side JAVA or intelligent device (win CE, etc), ensure this can not be compromised by a Trojan’s and other key logging techniques.
• Has the organisation considered client side certificates to verify the device prior to transactions being accepted? Consider multiple device and user identification methods (very solution dependant).
• Most mobile POS terminals encrypt the client entered Pin number, but do not encrypt everything within the transaction. If the transmission medium is compromised, we should consider if the encryption can be cracked and if unencrypted data is sensitive. Consider additional data encryption encapsulation i.e. use of all of message encryption (SSL, IPSEC) or use a terminal that utilises Derived Unique Key Per Transaction (DUKPT).
• Many banking applications have been affected by typical hacks such as session hijacking, SQL injection, non random session keys (client side and server side), etc… These typical hacks should be considered in your Secure SDLC and QA Processes once you are aware of the technology used and/or deployed.
• PBX systems and cabling distribution frames can have devices connected to collect transactions. Wireless devices are now being connected to these systems. The attacker sits in their car in the car park outside. This is often done in super markets.
• Wireless transaction gateways if not encrypted are easily collected by anyone within wireless range. 802.11 and other wireless/infra-red mediums are being used (assess the technology and medium being used).
• Has the organisation considered dynamic keys for mobile users? There are some very low cost SecureID type solutions available today, but customers need to have these devices on them when they want to do a transaction.

I have been recently working inside one of the larger Banks in Australia.
Through this work I have been looking at the controls and mechanisms surrounding the processing of credit and debit cards around the Asia Pacific.

I get perform many security architecture and payment systems assessments.
Over the years I have always considered the protection of the card data as one of the key considerations.

Until yesterday I had never seen an CVV or PVV decryption tools. I think some scripted use of these tools could be very interesting.
The site hziggurat29.com

Many of the other tools on this site are also very unique and worth a look.
Big thanks to ziggurat29 for providing such awesome tools.

As many of these sites are of this nature are difficult to find and often seem to vanish over the years, I have chosen to replicate the the text from this page and provide local copies on the files.
It is worth periodically visiting the ziggurat29 site every now and again to see if any additional tools have been posted.

One of the more extraordinary files is the Atalla Hardware Security Module (HSM)  and BogoAtalla for Linksys emulation (simulation) tools. So I wonder if Eracom and Thales are shaking in their boots. Some how I don’t think so. ;-)

——– ziggurat29 Text ———

These are all Windows command-line utilities (except where noted); execute with the -help option
to determine usage.

DUKPT Decrypt (<- the actual file to download)

This is a utility that will decrypt Encrypted PIN Blocks that have been produced via the DUKPT triple-DES method.  I used this for testing the output of some PIN Pad software I had created, but is also handy for other debugging purposes.

VISA PVV Calculator (<- the actual
file to download)

This is a utility that will compute and verify PIN Verification Values that have been produced using the VISA PVV technique.  It has a bunch of auxiliary functions, such as verifying and fixing a PAN (Luhn computations), creating and encrypting PIN blocks, decrypting and extracting PINs from encrypted PIN blocks, etc.

VISA CVV Calculator (<- the actual file to download)

This is a utility that will compute Card Verification Values that have been produced using the VISA CVV technique.  MasterCard CVC uses the CVV algorithm, so it will work for that as well.  It will compute CVV, CVV2, CVV3, iCVV, CAVV, since these are just variations on service code and the
format of the expiration date.  Verification is simply comparing the computed value with what you have received, so there is no explicit verification function.

Atalla AKB Calculator (<- the actual file to download)

This is a utility that will both generate and decrypt Atalla AKB cryptograms.  You will need the plaintext MFK to perform these operations.  When decrypting, the MAC will also be checked and the results shown.

BogoAtalla (<- the actual file to
download)

This is an Atalla emulator (or simulator).  This software emulation (simulation) of the well-known Atalla Hardware Security Module (HSM) that is used by banks and processors for cryptographic operations, such as verifying/translating PIN blocks, authorising transactions by verifying
CVV/CSC numbers, and performing key exchange procedures, was produced for testing purposes.  This implementation is not of the complete HP Atalla command set, but rather the just
portions that I myself needed.  That being said, it is complete enough if you are performing acquiring and/or issuing processing functions, and are using more modern schemes such as Visa PVV and DUKPT, and need to do generation, verification, and translation.

This runs as a listening socket server and handles the native Atalla command set.  I have taken some liberties with the error return values and have not striven for high-fidelity there (i.e., you may get a different error response from native hardware), but definitely should get identical positive
responses.  Some features implemented here would normally require purchasing premium commands, but all commands here implemented are available.  Examples are generating PVV values and encrypting/decrypting plaintext PIN values.

BogoAtalla for Linksys (<- the actual file to download)

This is the Atalla emulator ported to Linux and build for installation on an OpenWRT system.  Makes for a really cheap ($60 USD) development/test device.

Local Files

bogoatalla002
atallaakbcalc
bogoatalla_10-1_mipsel
dukptdecrypt
visacvvcalc
visapvvcalc