The Motley Fool Discussion Boards

Previous Page

Personal Finances / Credit Cards and Consumer Debt

URL:  https://boards.fool.com/maracle-in-response-to-patzer-you-replied-sure-28676825.aspx

Subject:  Re: ATM spits out $$$$ in Vegas Date:  8/3/2010  5:36 PM
Author:  joelcorley Number:  298791 of 312954

maracle,

In response to Patzer you replied, Sure, it's feasible. At roughly 20x-25x the cost. Your local gas station and mini mart would never have an ATM if they needed more than a simple connection. As as you even point out, it takes nothing more than a VPN tunnel to secure an internet connection, a private data line is very close to useless.

This is probably picking nits; but I would argue that a conventional VPN tunnel might not be good enough for any communications channel tunneled over a public communications system that is relied on for a large number of banking transactions or can be used to gain physical access to a vault containing sizable quantities of currency.

A VPN connection obtains a cryptographically secure temporal key using the well-known Diffie-Hellman key exchange methodology. The method allows two parties to agree on a random cryptographic key without exposing the random numbers they used to reach that agreement, nor the agreed-upon number itself. Therefore an external observer cannot guess the temporal key from simple observation.

However, Diffie-Hellman does not address the man-in-the-middle problem. From a security standpoint, we assume the constants used to compute the temporal key are well-known, therefore, any hacker can stand between you and the end-device/server and participate in the key exchange process. This allows him to obtain a temporal key between you and his device and another between his device and the device you're trying to talk to. Once in the middle, his device can record all of the traffic.

All security protocols require something more than a Diffie-Hellman exchange to validate the connection in an attempt to thwart man-in-the-middle attacks. Usually it's some form of pre-shared key (PSK). The password you set up at your bank's website is an example. This key is not subsequently disclosed when you log in - it is only used to create a validation hash code. The hash-code is generally not computationally reversible, at least not in real-time. However, if the hacker has unrestricted access to the target device, PSKs present a serious problem - they usually lack enough entropy to circumvent a dictionary or other brute force attack. This is the real reason why websites and VPN systems usually lock out a user after a few failed log in attempts.

To try to increase the entropy in PSK systems, many add things like rotating passwords. I have an RSA token for my work's VPN. That token simply displays a 6-digit key that changes once/minute. However, the key is actually guessable. The token is simply rotating through a pre-determined sequence of codes. Should a hacker determine this sequence and at any point determine where you are in the sequence, he effectively has your password for all time.

The only truly secure methods for authenticating a connection require out-of-band authentication. That's where a token or some other method outside the regular communication channel is used to pass or validate a cryptographically secure (unguessable) master key between two devices. This key is then used in subsequent attempts to authenticate the temporal key. There are several ways to do this type of out-of-band authentication; but I'm not aware of any VPN systems that use any out-of-band authentication methods.

Most banks (and ATM manufacturers) would probably opt for a simple, out-of-the-box VPN; but I think that represents some risk for the ATM-owner. They make think the risk is acceptable; but I imagine the people making the decision probably aren't even aware of the issues...

BTW, All of this still assumes both devices themselves are not physically compromised... Once that happens, all bets are off.

- Joel
Copyright 1996-2020 trademark and the "Fool" logo is a trademark of The Motley Fool, Inc. Contact Us