More Things You Really Shouldn't Know
The following technical synopsis was prepared by the Fraud Division of the U.S. Secret Service and obtained by 2600. While it is stated that this non-copyrighted information is not intended for the news media, it should be noted that it has been rather widely distributed within the industry. We feel our readers and the general public have the right to know the facts in this case, or at least the facts according to the Secret Service. For those who haven't seen it in the papers, the phone company referred to here is GTE.
On February 4, 1989, U.S. Secret Service agents arrested four individuals in Los Angeles and one in Lincoln, Nebraska, for producing counterfeited Automated Teller Machine (ATM) debit cards and for possession of access device-making equipment. When the defendants in Los Angeles were arrested they were in the process of encoding the counterfeit ATM cards with stolen bank account information.
The group was planning to travel to a number of cities throughout the United States to make cash withdrawals from ATMs linked to a specific nationwide ATM network. They made plans to travel in teams to different geographic areas of the country and to use disguises to defeat ATM surveillance cameras, while using each card to its daily maximum for three to five days.
The counterfeit cards were constructed of posterboard cut to the appropriate size and affixed with common magnetic tape. The tape was encoded with stolen cardholder account data on Track 2 for use in ATMs.
Seized concurrent with the arrests were a computer, an encoding device, and thousands of counterfeit ATM cards.
The defendants intended to execute the scheme over a five-day period in February 1989. "Test" cards had been successfully used in at least three cities, netting the defendants about $5,000.
This case constitutes the first known attack of this magnitude on a major nationwide ATM network.
Bank officials interviewed after the arrests confirmed that the account numbers used in this case would have given the defendants access to the checking accounts, savings accounts, and any lines-of-credit available to the legitimate cardholders. An audit of those accounts revealed this scheme could have netted the defendants as much as five and one-half million dollars had all gone according to plan and had the scheme gone undetected.
One industry expert from outside the bank speculated that it is plausible someone could, using this scheme or one similar to it, access accounts and steal as much as $100 million if carried to the extreme and extended over a 30 day period with careful execution.
In the city where this conspiracy began, several national and regional ATM networks share a single telecommunications carrier which routes transactions between ATMs and banks.
In addition, the telecommunications company, through a subsidiary, maintains a number of ATMs in a proprietary network which they make available on a contractual basis for other networks to use as ATM outlets for their respective cards. Thus, the role of the subsidiary company is similar to that of any bank on the telecommunications network.
The mastermind of this scheme was a computer programmer employed by a well-established software company specializing in the design and implementation of ATM network software. His company was contracted by the telecommunications company to update and expand the existing proprietary network.
The primary defendant's function as a programmer was to implement software which drove ATMs and Point-of-Sale (POS) terminals on the proprietary network in order to make information compatible with, and therefore acceptable to, the main electronic switch maintained for all of the participating networks on the communications system. His position required him to have access to most of the technical data pertaining to software for both the proprietary ATM network and the main communications system on which all of the networks were mixed.
In keeping with established industry standards, the telephone carrier subsidiary in this case encrypted the Personal Identification Numbers (PINs) used in conjunction with ATM cards. This was done prior to transmitting data from the ATM across the proprietary system to the electronic switch where the transaction would be routed to the appropriate bank.
The system targeted in this case is typical of ATM networks found throughout the United States. When a cardholder accesses his or her account through use of a debit (or credit) card at an ATM, the customer is asked to key in his or her Personal Identification Number (PIN). The PIN is encrypted using the universal Data Encryption Standard (DES) method, employing an encryption key known only to the owners of the proprietary system to which that ATM belongs. The account number and other Track 2 data from the ATM card, the encrypted PIN, and information about the requested transaction are then transmitted electronically to a switch maintained by a designated communications carrier.
At the electronic switch, messages from several proprietary systems are received and decrypted, using the same DES key as was used to encrypt the data. At that point the information is sorted by the destination bank and encrypted with the proper DES key provided by the destination bank. The transaction is then transmitted across the main communications line to the appropriate bank.
(Theoretically, upon receipt at the bank, the information is once again decrypted using the key supplied to the communications network. However, in practice this step may not actually take place as the recipient bank may elect to accept the encrypted version of the PIN and process it in its encrypted form.)
Upon receipt at the bank, the account is queried and a determination is made relative to authorization or denial of the requested transaction. The flow of information is reversed upon return of a message from the bank to the originating ATM.
To illustrate, if Bank A issues ATM cards and maintains its own ATMs at various locations, it is running a proprietary system. A communications carrier must be employed to tie the system together, but since there are no other participating banks on the system, the sorting process at the previously described electronic switch need not take place - all transactions are directly between the ATMs and the bank. Even on a closed system such as this, the industry encourages the use of PIN encryption. Furthermore, DES is the preferred standard when PIN encryption is employed.
On the other hand, if Bank A elected to enjoy reciprocity with Bank B and Bank C, permitting transactions at all three banks' ATMs, then an electronic switch would be installed to sort and route transactions between all of the ATMs and Bank A, Bank B, and Bank C.
Transactions destined for Bank B or Bank C from ATMs owned and operated by Bank A would still be considered to be on the Bank A proprietary system until they reached the electronic switch, where they would be mixed and sorted by the destination bank. At that point, the proprietary ATM networks from Bank A, Bank B, and Bank C combine to share a common communications carrier, but the networks remain independent and do not share encryption keys. The function of the electronic communications switch is to sort the transactions, determine which encryption key to use and establish how to route the information to the destination.
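The flow set out above (PIN encrypted at the ATM under the zone key, logged and translated at the carrier's switch, verified by the issuing bank under its own key) is modelled below. This is an added example, not code from the Secret Service, GTE or any network vendor: DES is replaced by a 64-bit Feistel cipher built from HMAC-SHA256 so it runs on the Python standard library alone, and every key, account number, PIN and the list of "default test keys" is constructed for illustration. It also includes the acceptance check the synopsis later shows was missing, namely refusing to bring up a zone whose key matches a documented test/default key.

```python
"""Model of the PIN flow just described: ATM zone -> carrier switch -> issuing bank.
Added example, not code from the Secret Service, GTE or any network vendor.
DES is replaced by a 64-bit Feistel cipher built from HMAC-SHA256 so the block runs
on the standard library alone; every key, PAN, PIN and the "default key" list is constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed PRF of (round number, right half), 32 bits."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Four-round Feistel encryption of one 8-byte block (stand-in for DES-ECB)."""
    assert len(block) == 8, "PIN blocks are 64 bits"
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left            # final swap of the halves, as in DES


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Same rounds in reverse order; the Feistel structure makes this exact."""
    right, left = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564 format-0 PIN block: PIN field XOR 12 PAN digits (check digit dropped)."""
    pin_field = bytes.fromhex(f"0{len(pin)}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    return _xor(pin_field, pan_field)


@dataclass
class Zone:
    """One key zone: the ATM owner's proprietary network, or an issuing bank."""
    name: str
    key: bytes


@dataclass
class Switch:
    """The carrier's switch holds every zone key and logs traffic before translating it."""
    zones: dict
    log: list = field(default_factory=list)

    def route(self, msg: dict, from_zone: str, to_zone: str) -> dict:
        self.log.append(dict(msg))           # the log sees only the encrypted PIN block
        clear = decrypt_block(self.zones[from_zone].key, msg["epb"])
        return {**msg, "epb": encrypt_block(self.zones[to_zone].key, clear)}


def atm_request(zone: Zone, pan: str, pin: str, amount: int) -> dict:
    """ATM side: the PIN is encrypted under the zone key before anything is transmitted."""
    return {"pan": pan, "amount": amount, "epb": encrypt_block(zone.key, pin_block(pin, pan))}


def bank_verify(zone: Zone, msg: dict, pin_on_file: str) -> bool:
    """Issuer side: decrypt under its own zone key and compare with the PIN on file."""
    return decrypt_block(zone.key, msg["epb"]) == pin_block(pin_on_file, msg["pan"])


# Constructed stand-ins for the test keys a vendor ships in its manuals.
DEFAULT_TEST_KEYS = frozenset({bytes(8), b"TESTKEY!", bytes.fromhex("0102030405060708")})


def audit_zone_key(zone: Zone, denylist=DEFAULT_TEST_KEYS) -> list:
    """The acceptance check this network never ran: reject a documented or degenerate key."""
    findings = []
    if zone.key in denylist:
        findings.append(f"{zone.name}: key is a documented test/default key")
    if len(set(zone.key)) == 1:
        findings.append(f"{zone.name}: degenerate key (one repeated byte)")
    return findings


def demo() -> dict:
    atm_zone = Zone("carrier-subsidiary", b"TESTKEY!")              # default left in place
    bank_zone = Zone("bank-x", bytes.fromhex("8f3a19c4e2b07d56"))
    sw = Switch({z.name: z for z in (atm_zone, bank_zone)})
    msg = atm_request(atm_zone, "4000001234567899", "4321", 200)
    routed = sw.route(msg, atm_zone.name, bank_zone.name)
    return {
        "approved": bank_verify(bank_zone, routed, "4321"),
        "log_entries": len(sw.log),
        "log_holds_clear_pin": any(e["epb"] == pin_block("4321", e["pan"]) for e in sw.log),
        "findings": audit_zone_key(atm_zone) + audit_zone_key(bank_zone),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the model makes visible. The transaction log written before the switch really does contain nothing but ciphertext, so the design is sound as long as the zone key is secret; and the whole argument rests on that one key, which is why `audit_zone_key` belongs in the checklist run whenever a network is installed or, as here, absorbed from a previous owner.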
The system abused in the case in which these arrests were made was similar to that previously described, with the communications carrier subsidiary functioning in the role of Bank A.
Specifically, the subsidiary owned a network of ATMs and, through a contractual arrangement, accepted debit/credit cards issued by various banks and honored by other networks. When a transaction was requested, the information was handled on the proprietary network until it reached a communications switch where it was decrypted then encrypted with the proper key for the destination bank, and fed into the main communications line used by all of the proprietary systems cooperating in this enterprise.
As a part of their routine business practice, the subsidiary recorded all transactions on the proprietary network before those transactions reached the electronic switch. The intended purpose was to create a transaction log from which all activities could be reconstructed should a system or other failure occur. The PINs remained encrypted in this recording process.
Either while performing his job, or merely by knowing where to look based on his intimate knowledge of the system, the scheme's mastermind discovered that the key used to encrypt PINs on the proprietary network was a default key, as opposed to a proprietary key selected by network officials. (A default key in an ATM encryption device is analogous to a common computer password installed by a mainframe computer manufacturer. Its intended purpose is for testing during the installation phase, and it is expected that the default password will be removed once the system is installed and accepted by the buyer.)
Upon making this accidental discovery, the programmer realized the value of this information and was able to refer to various software manuals and textbook literature to decipher the key.
The programmer knew data was routinely recorded to the transaction log and that he could access the data transmissions as they were being posted to the transaction log, and thereby "see" all transactions on the proprietary network. It was there, at the transaction log, that he copied account numbers and the encrypted PIN offsets onto his personal computer.
Note: While it is believed the information was copied in "real time," that is, concurrent with it being posted to the transaction log, it could have just as easily been done using another method. The programmer could have electronically copied data from the computer tape containing the transaction log and extracted the same information. Either method would have netted the same result.
At this point the programmer made a conscious decision, according to his post-arrest statement, to use account numbers from only one major bank. He said he did so because he believed that once the crime was discovered, suspicion would center on an internal problem within that bank.
After selecting a generous number of accounts from the targeted bank, the employee wrote a computer program to decrypt the PIN for each of those accounts. He was able to accomplish this using the default DES key. It was later learned that accounts from other banks were also used during the "testing" phase of the scheme and that those accounts and PINs were obtained in the same manner.
He also realized that the network would be reviewed for potential weaknesses once the crime was completed, so he reported the apparent oversight in using the default encryption key on the system and made recommendations to his superiors about how to remedy the situation. The remedies were put in place, ending his access to additional account data. He also accomplished his goal of shoring up the network so that there would be no apparent weakness in the system from which the information could have been obtained.
As an aside, it was noted by the investigating agents that the network in this case had been in operation when purchased by the communications company subsidiary. At the time of this writing it has not been established whether the default key was in use by the company from whom the subsidiary bought the network or whether a proprietary key had been in use.
Next, the defendants constructed counterfeit cards using posterboard cut to ATM card size, to which magnetic tape was mounted. The programmer then wrote a program which he used in conjunction with a magnetic encoding device "borrowed" from his office, to write the account number and other data to each of the counterfeit cards. The data was properly encoded in the appropriate positions on Track 2 of the magnetic stripe.
Among the data elements actually copied to the magnetic stripe were the Primary Account Number (PAN) and the PIN offset.
In systems where the PIN is assigned to a customer, the PIN is a direct derivative of the account number and the DES encryption algorithm and is referred to as a "natural" PIN. In systems where the customer selects his own PIN, the customer-selected PIN would not match the "natural" PIN, so an offset number is used to resolve the difference. When the offset is added to the customer-selected PIN, it will equal the "natural" PIN and the verification is made. Thus, in this case, an offset was necessary as the system was one in which the customers had selected their own PINs.
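The natural PIN and offset arithmetic described above, worked through in code. This is an added example, not the bank's or any vendor's verification routine: DES under the bank's PIN verification key is replaced by HMAC-SHA256 so the block runs on the Python standard library alone, and the decimalisation table, key, account number and PINs are all constructed. It follows the synopsis's formulation, offset added to the customer-selected PIN gives the natural PIN, with digit-wise addition modulo 10.

```python
"""Natural PIN and PIN offset, modelled as the synopsis describes them.  Added example,
not the bank's or any vendor's verification code.  DES under the bank's PIN
verification key is replaced by HMAC-SHA256 so the block runs on the standard
library alone; the decimalisation table, key, PANs and PINs are constructed."""
import hashlib
import hmac

# Hex digit -> decimal digit, the way 3624-style systems decimalise cipher output.
DECIMALISE = str.maketrans("0123456789abcdef", "0123456789012345")


def natural_pin(pvk: bytes, pan: str, length: int = 4) -> str:
    """The PIN the system would assign: a keyed function of the account number."""
    digest = hmac.new(pvk, pan.encode(), hashlib.sha256).hexdigest()
    return digest.translate(DECIMALISE)[:length]


def add_digits(pin: str, offset: str) -> str:
    """Digit-wise addition modulo 10 (no carries)."""
    return "".join(str((int(p) + int(o)) % 10) for p, o in zip(pin, offset))


def make_offset(natural: str, chosen: str) -> str:
    """Offset such that chosen + offset == natural, as the synopsis states."""
    return "".join(str((int(n) - int(c)) % 10) for n, c in zip(natural, chosen))


def enrol(pvk: bytes, pan: str, chosen: str) -> str:
    """Customer picks a PIN; the bank stores or encodes only the offset, never the PIN."""
    return make_offset(natural_pin(pvk, pan, len(chosen)), chosen)


def verify_pin(pvk: bytes, pan: str, entered: str, offset: str) -> bool:
    """Issuer-side check: entered + offset must equal the natural PIN recomputed under the key."""
    if not (entered.isdigit() and len(entered) == len(offset)):
        return False
    return hmac.compare_digest(add_digits(entered, offset), natural_pin(pvk, pan, len(entered)))


def demo() -> dict:
    pvk = b"bank-x-pvk-constructed"
    pan, chosen = "4000001234567899", "7315"
    offset = enrol(pvk, pan, chosen)          # this is what ends up on the stripe or in the file
    return {
        "offset": offset,
        "ok": verify_pin(pvk, pan, chosen, offset),
        "wrong_pin": verify_pin(pvk, pan, add_digits(chosen, "0001"), offset),
        "other_key": verify_pin(b"some-other-pvk", pan, chosen, offset),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The offset is not a secret: it sits in the clear on the card and in the account file, and it tells an observer nothing about the PIN unless the natural PIN can be computed, which needs the key. That is the same dependency the synopsis identifies for the transport encryption, and it also means the key cannot be rotated casually, since a new key changes every natural PIN and every offset has to be regenerated.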
At the time of their arrests, the defendants were in possession of more than 7,400 account numbers with PINs and PIN offsets, all from the same bank. In fact, as previously mentioned, they were in the process of actually encoding the cards when arrested. Among the items seized during the search and arrest were the programmer's personal computer, an encoding device, and several thousand counterfeit cards in various stages of construction from uncut posterboard stock through finished, encoded cards.
Although a great deal of technology was compromised and used in the execution of this scheme, in the end this crime was one in which a trusted employee exploited his knowledge and position to manipulate and misuse the system.
The only true technical deficiency or error uncovered was that the default key was left in place when the proprietary network was absorbed. Presumably it had been in place since the system was first activated, although that has not been established as fact.
At the time of this writing, it is unknown who should have been responsible for replacing the default key with an active, proprietary key. Perhaps this oversight could have been prevented had a more thorough checklist been used by the communications company subsidiary when they absorbed the system, or by the previous owner of the network. Regardless, had the recognized protocol for securing the respective data been followed, this crime would not have been possible.
Human nature - greed, opportunity, and a willingness by the defendants to commit larceny - combined with human error in not properly installing and reviewing system safeguards account for the formation of this scheme. It is fortunate that the information came to light before the scheme was executed.
The central figure in this case is a high school graduate and was gainfully employed with a substantial salary. He stated that he was motivated, in part, by his desire to purchase an expensive home and did not want to wait as many years as it would take to save before he could acquire the property he had in mind. His wife is a co-defendant and she too had been gainfully employed with a good salary. Another of the defendants is a graduate of the Air Force Academy and has a Masters degree from a prominent university.
None of the defendants has a criminal record. All have been charged with several counts of violations of Title 18, United States Code, Section 1029, Access Device Fraud. As written, that law provides for substantial penalties. Each count of producing or using counterfeit cards carries a maximum sentence of 15 years imprisonment and a fine of $50,000. The same penalties apply to the possession of device-making equipment. The possession of fifteen or more counterfeit cards carries a maximum penalty of 10 years imprisonment and a $10,000 fine.
Ultimately, upon conviction of the defendants, the recently implemented Federal Sentencing Guidelines will determine the sentences in this case. Those guidelines take into account the actual and potential fraud losses in white-collar crimes such as this.
At the time of this writing, a superseding indictment is anticipated charging the defendants with multiple counts of 18 U.S.C. 1029.