I thank you. This will be a technical talk, but it's a technical talk being delivered at DEF CON. So you take your chances. Am I close enough? I don't know. I think it works. Does it work? Great. Okay. What I said was this will be a technical talk, but it is a technical talk at DEF CON. So that makes it a little bit special. I'm going to talk about the ATM machines. That's where I get all my money. I don't know about you, but if I need some money louder, I think, well, okay, the ATM machines and the ATM system. I'll be talking about vulnerabilities. This is going to be good. Pay attention. I'm going to tell you how to avoid being cheated by the ATM system. People lose an amount of money that you just wouldn't believe. It isn't just millions per year. It's more than that. I don't have an accurate figure, but then I'm not a bank, so I don't care much. Of course, the other banks don't care much either. Now, here I am. I'm standing in front of one of these here ATM machines. And louder again, Lord. Well, okay. I'm standing at an ATM machine in the little town of Kirkenes, Norway. Now, most of you have probably never heard of Kirkenes, but it is the furthest north city in the world. It is an amount above the Arctic Circle that I just don't even know. A story about Kirkenes. It's hard to get any sleep there, because if you visit in June, the sun never goes down. Well, around midnight, I was walking around the town and talking loud and loud and louder. I was talking to a, well, I suppose, live there, and I asked her, what country is this? And she said, well, I'm not sure. And went on to say, well, Norway plows the snow. Does that answer your question? Well, partly it did, and partly it did not. But the point is that I wanted some money, and I went to an ATM machine in this, not godforsaken, I'm not going to be right to say that, but little town in extreme northern Norway, not very far from North Cape. North Cape, in fact, is the furthest north land in Europe.
I wanted some money. Okay, so I go up to, yeah, hey. You've got to continually, during this, remember Willie Sutton. Willie Sutton was asked, why do you rob banks? And you know the answer. Yeah, you got it. Well, that's changed a little bit, and I'm talking about the slightly changed arrangements nowadays, that it's not any longer really true that the money is in the bank. The money is actually in the ATM machine. And if you go up to the bank on Friday afternoon before a three-day weekend, you will find that the ATM machines at the bank have a lot more money than the bank had at any time during the week. They really be a much tend to be really enormous. For a three-day weekend, having $10,000 in the ATM machine is simply not enough at most banks. Okay, so what I do is I stick a card into the ATM machine, and this is a card you're going to send out. I may need help. I'll appeal for help if this gets much worse. So I stick a card in the machine, and this is a card that was issued to me by my own bank in somewhere in central New Hampshire. Now the connection between extreme northern Norway and central New Hampshire is not particularly obvious. They are distant from almost any point of view that you take. The card that I was issued has a magnetic stripe on the back, and as it turns out, what's in that magnetic stripe is simply an address for the bank and some other information about the bank and the account associated with that card. That's on that magnetic stripe on the back, which you ought to learn more about from somebody else because there are some real problems associated with these stripes on the backs of cards. The machine then asks me for a PIN and asks me how much money do I want? Being a fairly honest guy, I'll tell him I want a reasonable amount of money. If I was different, I would say, well, just give me all of it. Some people do that.
Now the machine, after it's got the PIN, gurgles for a while, and then in a surprisingly short period of time, usually of the order of 10, 20, 30 seconds at most, delivers the money to me. Since I was in Norway, of course it delivers Norwegian Kroner, whatever Kroner is, but I suppose in English it would be called a crown, but it's not that big a deal. So after I put my card in the machine, type in the four-digit PIN, I walk away, and the machine is now happy and the transaction is completed after it delivered me my money. Now one question I have is that in this whole transaction where I inserted a card into the machine, typed in a PIN, and undoubtedly there were messages going back and forth between various banks and things of that sort, a real question is what happened? And to some degree I'm going to leave that as a homework exercise for you. It's not easy. A surprising amount of attention has to be paid to actually who knew what at the beginning of this process and what they found out, what information they sent and what information they received, which I'll sum up by saying what happened is not particularly easy. In fact, obviously the bank in extreme northern Norway never heard of a bank in the boondocks of central New Hampshire, so somehow or other messages had to be transferred back and forth between these two entities, which are not from any other point of view, close to each other in any possible sense. And so you have to remember that it's not clear with these messages just who is sending it to who and what information is being sent. That's the thing you have to think about and I will help with that. Now the parties to this overall transaction are me, that's the guy standing in front of the ATM machine, the bank in Norway that owns the ATM machine and the bank in New Hampshire of which I am a customer. This is all not supposing that nobody was telling any lies or anything of that sort. It's all straight stuff.
Now there are a number of requirements that are particularly obvious as this transaction goes on and the parties to this transaction have their own needs that may well not intersect when you do it. The customer, that's me, wants some money and does not want obviously the system to drain his checking account, which is the kind of thing that might happen. I mean you guys know about identity theft. Well this is the same general kind of thing, differently in detail but about the same in the general sense that you wind up with a heck of a lot less money and somebody else winds up with a heck of a lot more money. But the other, so I just want the money and I don't want the system to drain my checking account. I also probably don't want my PIN to be broadcast all over the world. The PIN is something I care about and I would prefer to keep that a little bit close to the chest. The bank in Norway has just distributed a thousand dollars or so, I'm sorry, a thousand kroner or so, and it wants some assurance that it's going to get back its money. And that's about it. I am not a customer of this bank so it doesn't care about me very much. It knows that I'm not a customer and it mostly cares about its own customers, not about me. The bank in New Hampshire, I am a customer of that bank. They want to keep me reasonably happy but they've got some other problems facing them. They have to make sure that I am really who I say I am and that I've actually got the money in the account to pay this amount out. So it doesn't want any responsibility for, for example, a customer. A customer is actually not the person that he claims he is or she. The bank in Norway simply wants the whole transaction to settle down with it not either gaining or losing any money. Again, I'm not a customer of that bank but it mainly wants to make sure that it is someday reimbursed for the money it gave me.
It gave me a thousand, something or other, a thousand kroner and it wants to get that back somehow from the ATM system. Now the ATM system is a very large, very widespread system that exists all over the world in fact and I have used it in quite a few foreign countries including Norway. So there are three pieces here. There's the ATM machine that you're standing in front of. The ATM system that in some sense is worldwide or very nearly worldwide. I know that it works in almost any European country. I was in Hungary last week. I didn't try it there. I don't know what would have happened. I guess when I was staying in Budapest I asked, is the hotel air conditioned? The answer was, well, it has Hungarian air conditioning. Nice place, very pretty place. It does, and it's not a third world country by any means but it is not quite up to our standards for high range hotels. Okay, we have these parties to the transaction. Me, the ATM that I'm in front of, the bank that owns the ATM and then some network that I'm not going to describe. It would bore you to tears that actually connects all this together in a worldwide sense and I'll call that just the ATM network. It is important. Without that, you wouldn't be able to use the ATM card in a whole lot of places without the ATM network existing. Well, what does one have to do to make all this work out? When you type the PIN into the ATM that you're standing near, right behind you, over your right or left shoulder, there is a person who is visually writing down the PIN you type and you can easily see over your shoulder, fine, called shoulder surfing and that is actually a major loss to the financial system because that kind of thing happens much more than you would believe. It is not just millions of dollars, it is more than millions of dollars. And that is the first vulnerability I'd like to talk about and it is a serious vulnerability.
I would advise you when you're at an ATM and about to punch in your PIN, just look over your shoulder, both shoulders, and see who's there copying it down. This is not unusual. It does not happen to me, but it has, for example, happened to my wife or someone managed to see what PIN she was typing in and used it to extract quite a lot of money from the system. There is normally some limit of the amount that you can get out of ATMs per day and that limit is designed so that you don't go broke if somebody steals your PIN or your card. You just get a little bit poorer. So that is the first vulnerability. There are others. I was in, why am I talking about Norway? Well, because I spent a lot of time in Norway last year. I walked up to an ATM machine in the Bergen that's in Norway. I put in my card. It told me to punch in my PIN. I punched in the PIN. It gurgles for a while and then says, Sorry, we can't pay you. Eh? It's got all the information on my card which tells it all about my bank account. It's got my PIN and now it tells me it's not going to complete the transaction. What I did may seem a bit extreme to you, but I called the police, told them, and also pointed out to the bank which arrived just behind the police that right near my right hand was a fire ax. And if it didn't give me my card back, I was going to use that fire ax. Actually, they caved in and gave me the card back and in fact no money had been withdrawn so the whole transaction ended just fine. But still, a fire ax did enter the negotiations. What does this say? Why don't my notes say at this point, Forklift truck. Forklift truck? Give that man a prize. Definitely. Forklift trucks deserve to be at this point in the presentation because it is the principal tool for cheating ATM machines. You slide in, lift, slide it back, put it on, drive away, and at home all you need is an acetylene cutting torch and you have the thing open in 20 minutes. So Forklift trucks are part of...
By the way, I have promised that I will tell you before the end of this talk important things you should do and not do when dealing with ATM machines because I mean to send you away a good deal more about the down-to-earth vulnerabilities of ATM machines. None of this high-flying theoretical stuff. Just things like Forklift trucks. And people do that. I can't estimate what the losses are to Forklift trucks but they do exist and it is mainly, in fact, an American habit. The Brits have a slightly different habit and that is, why am I all of a sudden louder? Somebody turned me up. The best deal at this point is you want to get money out of an ATM machine. You go to eBay and on eBay you buy an ATM machine. Hey, they'll sell it to you. They really are there and they don't cost very much. It's actually in the general range of $10,000 for an ATM machine. Now what you do is you install that ATM machine right over there in some obvious place where people pass by and the ATM machine is reprogrammed. It's not a difficult reprogramming job so that when somebody puts their card in, punches in the PIN, it says, Sorry, try again tomorrow. If you don't happen to have a fire axe, you've got a problem. But that is probably more the British scheme than the U.S. scheme. It doesn't matter very much. So what you have with this scheme is just you have a new machine. And I would advise you that if you see an ATM in a place where you've never seen one before, don't use it. Well, again, I'm giving advice, but what can I say? You want to take a look. In fact, in the town I live in, several times in the last month, in stores and restaurants that I normally go in, I've seen new ATM machines. I don't have any reason to believe they're fraudulent. On the other hand, I also don't have any reason to believe they're honest. So I typically do not use them.
So pay some attention to the place that the machine is and if you run into a machine that you haven't seen before, it would be wise not to use it. Another problem associated with the whole business of ATM machines and it includes problems with debit cards and things of that sort also is the banks. Big deal, honest banks all over the world, but I mainly know it from the US and UK. If you point out to them that they did not give you the money that you deserved and you've got fraudulent charges on either debit card or checking out through the ATM machine, they will simply lie about what has happened. There's several famous cases, both in the US and in the UK, where it was perfectly clear that the problem was solved by the bank's software and the bank denied that it possibly could happen and simply said that if the customer is claiming to have lost money through an ATM machine or a debit card, that the customer is lying. One of these cases actually came to court and was well defended and the bank lost very big. They still try to do that, but they do it with much less success now because after one big case has gone against them, it makes it more difficult. What they did in the first case was actually filed a criminal complaint against a person that was complaining about the loss of money in the ATM system and that seems a little bit outrageous. I'd better finish all this technical stuff so I can give you all this valuable advice that you want. The way that the system works, the first thing that happens when you begin an ATM transaction is that the bank associated with the ATM machine you're using sends a message to the bank that issued the ATM and there is not much that needs to be said at that point and in fact essentially nothing is said. The message that goes from the ATM machine through the ATM network to the issuing bank simply says, hello, I've got a message for you. The response is that the bank dreams up an encryption key and sends that key back to the customer. 
This is fairly standard stuff nowadays in cryptography. There are any number of ways associated with the cryptographic schemes where encryption and decryption, one is much more difficult than the other, so dear so that all you need to do is send the one party to send a key to the other and now transmissions in the other direction become much, much easier and this is not only a common but almost universal practice in cryptography nowadays. Okay, look over your shoulder when you type in the PIN. Important. Pay some attention to the place where you see the machine and if you recognize something as being a new machine go somewhere else. The stolen card is not a much terribly big deal. I don't know about you generally, but my bank will only let me withdraw $200 per day through the ATM system, which means that the amount of loss is relatively limited. I mean that's annoying but not absolutely disastrous. Another piece of advice though is the ATM machines, mostly after they give you your money and that kind of good stuff and give you your card back one hopes, give you information in the form of a receipt. The receipt talking about what the account was, what the amount was, what the date was, things of that sort and my advice about that piece of paper, that receipt is don't leave it next to the machine. Don't simply drop it. Take it with you. Take it away from the machine, take it with you because that puts the, before did you key, which the same guy has just read over your shoulder is enough for him to drain a good deal of money out of your account. So when an effort receipt appears, take it with you, don't leave it at the machine and that makes it much more difficult and much more inconvenient for anyone to drain the account. The other advice is, I assume that some of you are going to need money in the next few days? No, almost certainly. I recommend that when you want money tomorrow and the day after, please get it from the ATM machine in the lobby of this hotel.
And I don't need to talk anymore. Does anyone want to ask any questions or should I talk about something? I didn't talk at all about cryptography really and one of the reasons is that cryptography does not really come up as a prime problem. What the prime problem is, in fact, is key distribution. It's not the algorithm used in the encryption. It's who's got the key and where did that entity get the key is the problem. That's worth discussing and talking about. And I've run out of data. Thank you for coming. Unless there's any questions. I see no questions. Have a good day.