Saturday 8 December 2012

Large Scale Attack on mTAN

The mobile variant of the Zeus malware has stolen large amounts of money. This was expected. Banks must understand that in a world where non-experts use computers they have to offer good solutions, not the cheapest ones.

Thursday 13 September 2012

Severe Security Flaw in ATMs

Ross Anderson has published a severe security flaw in some ATMs. The nonce sent from the ATM to the card in the process of authenticating the card is predictable. Therefore, an attacker can do the following: First, identify a vulnerable ATM and predict such a nonce. Second, send the nonce to the card of the victim using a fake POS terminal. Record the authentication answer from the card. Program a chip card with that answer. Third, replay that answer to the vulnerable ATM.
All kinds of details are given in the linked publication. It seems that this vulnerability has already been used in real frauds.
Such severe implementation issues cast serious doubt on the whole EMV scheme. This could only happen because the certification process for the ATMs did not ensure the unpredictability of the nonces, even though the security of the protocol depends on this unpredictability.
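As an added illustration (not code from the linked publication or from this blog), here is a screening check that a certification lab or acquirer could run over the nonces logged from a single terminal. It assumes 32-bit nonces recorded as hex strings in issue order; the function name, thresholds and sample values are constructed for this example.

```python
import secrets

MIN_SAMPLES = 32  # below this, a healthy generator can show constant bits by chance

def assess_nonces(nonces_hex, bits=32):
    """Screen nonces from one terminal, in issue order, for gross predictability."""
    vals = [int(h, 16) for h in nonces_hex]
    if len(vals) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} nonces, got {len(vals)}")

    # 1. Repeats: a collision among 32-bit values is very unlikely in a short log.
    repeats = len(vals) - len(set(vals))

    # 2. Stuck bits: positions that never change across the whole sample.
    varying = 0
    for v in vals[1:]:
        varying |= v ^ vals[0]
    stuck_bits = bits - bin(varying).count("1")

    # 3. Counter-like steps: consecutive nonces that differ by a small amount
    #    modulo 2**bits, in either direction.
    mod, small = 1 << bits, 1 << (bits // 2)
    diffs = [(b - a) % mod for a, b in zip(vals, vals[1:])]
    small_steps = sum(1 for d in diffs if d < small or d > mod - small)

    weak = repeats > 0 or stuck_bits > 0 or small_steps > len(diffs) // 2
    return {"repeats": repeats, "stuck_bits": stuck_bits,
            "small_steps": small_steps, "weak": weak}

# Constructed sample: fixed upper half, lower half advancing by a fixed step.
CONSTRUCTED_WEAK = [f"{0x00130000 + 0x1A2B + 37 * i:08X}" for i in range(64)]
# Reference sample drawn from the operating system's CSPRNG.
CSPRNG_SAMPLE = [secrets.token_hex(4) for _ in range(64)]

if __name__ == "__main__":
    print("constructed:", assess_nonces(CONSTRUCTED_WEAK))
    print("csprng:     ", assess_nonces(CSPRNG_SAMPLE))
```

Passing this screen does not show that a generator is unpredictable; it only catches gross failures such as counters, constant bits and repeats.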

Tuesday 7 August 2012

Online Payment Processors Don't Count Retries

A German TV station wanted to find out what happens if they enter random CVV numbers into the checkout page of e-commerce sites. Five out of six banks allowed them to try out CVV numbers until they found the right one. As this is a very, very old security issue I am really surprised that this is possible. This becomes really unfortunate if this attack is combined with the new NFC credit cards, where everyone can read the cardholder data, but not the CVV, over NFC. Not using a retry counter for an NFC credit card is a really bad idea.

Sunday 15 July 2012

Attack against EMV Terminals

The German security company SRLabs claims that they found several vulnerabilities in popular EMV terminals, including a buffer overrun and an open JTAG. If someone manipulates the user interface of the terminal it is quite easy to steal the PIN. Such a manipulation might happen by attacking a legitimate terminal or, even easier, by presenting a user with a fake terminal. The real issue is that the PIN is used as an authentication token wherever it is input. It would be much safer to have a personal authentication device, like a cellphone. The users need to authenticate to their device with their preferred method, and the device would authenticate to the rest of the world with a cryptographic algorithm. This assumes that the users' device is secure, but in contrast to the present situation the user can ensure the security of a personal device.

Monday 10 October 2011

German Federal Trojan Suspected

The German hacker club CCC claims that they found a trojan malware used by German federal police (German source).
It seems that the software has many security issues and, even worse, has abilities which are illegal under German law.

The interesting question is now: Does it really originate from German authorities? Of course they deny that. And if so, how would one prove that? It seems that the trojan uses command servers outside of Germany. At the moment it is unclear who operates these machines.

I do not expect that this will ever be resolved completely. It's way too embarrassing.

Update: The Bavarian Government accepted responsibility for the trojan. Antivirus vendors claim that it would be caught by heuristic malware detectors. Looks like there is egg on someone's face.

Sunday 4 September 2011

Progress at Quantum Computing

NIST scientists have prepared a single qubit with an error rate, under 10⁻⁴, that is low enough to enable error correction.

Because decoherence destroys the quantum information that is needed for the quantum algorithm that is supposed to run on the computer, scientists need to implement error correction to be able to implement a quantum algorithm. Therefore, this is an important step towards a working quantum computer.

The experiment which is published in the linked article achieved the low error rate by manipulating one trapped atom with microwaves instead of laser beams.

Wednesday 27 April 2011

Experimental attack on mTAN

F-Secure reports (link in German) that the trojan SpyEye has a new attack on the mTAN online banking security system. Users of infected PCs are tricked into installing malware on their Symbian mobile phones.
In order to do so, the attacker needs the phone's IMEI number, which is not a security credential in itself, but a user should become suspicious nowadays if their bank wants to know their IMEI number. Therefore I suggest categorizing this attack as experimental.
The urgent question behind this is: why did the Symbian developers base the security of their operating system on IMEI numbers?