Monday, Apr. 21, 1980
A New Way to STK Up Banks
With a wiretap, a computer and a little guile
It seemed harmless enough. The Britain-based Computer Fraud & Security Bulletin sponsored a "Think Like a Thief" contest, encouraging readers to compete for a £100 ($215) prize by inventing plans for a computer-related fraud. But now there are international repercussions. In his winning entry, published in the Bulletin, Leslie Goldberg pinpointed an apparently fatal flaw in a new security technique recently proposed by major British banks and being considered by their foreign counterparts.
Goldberg, a London computer security expert, had been analyzing the new system, which is called the Standard Test Key (STK). Like existing systems, it was designed to check the accuracy of messages that authorize the transfer of money from one account in a bank to another. In these messages, some information --such as the names of the banks, the date and the total amount to be transferred--is given a code number, assigned by one of several methods. These numbers are added up to give a number called the Test Key at the end of the message. Any error in transmission or change in the message after it leaves the sending bank produces a different Test Key, which warns the receiving bank not to act until the discrepancy is resolved.
In the new STK system, designed to reduce the number of codes the banks have to keep track of, standardized (and easily obtainable) tables are used for the codes that designate the total amounts being transferred. For example, if Bank A has an account at Bank B and instructs Bank B to transfer sums totaling $191,975 from that account to three others, that total can be coded by checking the STK tables for the code for 191 (which is 5,580) and 975 (5,359). Adding the two code numbers produces a sum of 10,939, which, with other code numbers, adds up to give the STK.
What Goldberg discerned is that a little transposition could be profitable. The sum $975,191 would also result in the same two code numbers. But that would be $783,216 more than the $191,975 total of the amounts to be transferred to the three accounts. Thus, Goldberg figured, an electronic thief could add to the genuine message a fourth instruction: to transfer $783,216 to an account the thief had set up at Bank B just for that purpose. The STK code would be unchanged, and the bank would remain unsuspecting until it reconciled its account with the sending bank.
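As an added illustration (not part of the original article), the following Python models the additive test key described in the preceding three paragraphs and the transposition Goldberg found. The two table codes (5,580 for 191 and 5,359 for 975) are the values the article quotes; the remaining table entries, the code for the other message fields, the bank and account names, and the sample messages are constructed assumptions. The keyed-MAC comparison at the end goes beyond the article: it shows that authenticating the whole message with a shared secret, rather than summing per-field codes, rejects the appended instruction that the additive key lets through.

```python
import hashlib
import hmac

# Per-group codes for the amount field. The entries for 191 and 975 are the two
# values the article quotes from the STK tables; the others are constructed filler
# so the example can code other amounts (hypothetical values, not real STK codes).
STK_GROUP_CODES = {
    191: 5580,
    975: 5359,
    783: 4012,  # constructed
    216: 2741,  # constructed
    0: 1000,    # constructed
}

# Constructed stand-in for the codes of the other message fields (bank names, date).
OTHER_FIELDS_CODE = 1234

# Constructed sample messages. Bank A holds an account at Bank B and orders three
# transfers totaling $191,975; the tampered copy carries a fourth instruction and
# a total that is internally consistent with it.
GENUINE = {
    "from_bank": "BANK-A",
    "to_bank": "BANK-B",
    "date": "1980-04-21",
    "instructions": [("ACCT-1", 100_000), ("ACCT-2", 50_000), ("ACCT-3", 41_975)],
    "total": 191_975,
}
TAMPERED = dict(
    GENUINE,
    instructions=GENUINE["instructions"] + [("ACCT-X", 783_216)],
    total=975_191,
)


def amount_groups(amount: int) -> list[int]:
    """Split a whole-dollar amount into three-digit groups, e.g. 191975 -> [191, 975]."""
    groups = []
    while amount:
        groups.append(amount % 1000)
        amount //= 1000
    return groups[::-1] or [0]


def stk_amount_code(amount: int) -> int:
    """STK code for an amount: the plain sum of its groups' table codes (order-blind)."""
    return sum(STK_GROUP_CODES[g] for g in amount_groups(amount))


def stk_test_key(message: dict) -> int:
    """Additive test key as the article describes it: other-field codes plus the amount code."""
    return OTHER_FIELDS_CODE + stk_amount_code(message["total"])


def stk_accepts(message: dict, claimed_key: int) -> bool:
    """Receiving bank's check: the key it recomputes must equal the transmitted key."""
    return stk_test_key(message) == claimed_key


def canonical_bytes(message: dict) -> bytes:
    """Fixed-order serialisation of every field, so any change alters the authenticated bytes."""
    body = ";".join(f"{acct}:{amt}" for acct, amt in message["instructions"])
    header = f"{message['from_bank']}|{message['to_bank']}|{message['date']}"
    return f"{header}|{body}|{message['total']}".encode()


def keyed_mac(message: dict, key: bytes) -> str:
    """Keyed MAC over the whole message (HMAC-SHA256), the modern alternative to an additive key."""
    return hmac.new(key, canonical_bytes(message), hashlib.sha256).hexdigest()


def mac_accepts(message: dict, claimed_mac: str, key: bytes) -> bool:
    """Constant-time comparison of the recomputed MAC against the transmitted one."""
    return hmac.compare_digest(keyed_mac(message, key), claimed_mac)


def stk_detects_tamper() -> bool:
    """Does the additive STK check reject the message with the appended transfer?"""
    transmitted_key = stk_test_key(GENUINE)  # what Bank A put on the wire
    return not stk_accepts(TAMPERED, transmitted_key)


def mac_detects_tamper(key: bytes = b"constructed-shared-secret") -> bool:
    """Does a keyed MAC over the full message reject the same tampering?"""
    transmitted_mac = keyed_mac(GENUINE, key)
    return not mac_accepts(TAMPERED, transmitted_mac, key)


if __name__ == "__main__":
    print("STK amount code for 191,975:", stk_amount_code(191_975))  # 10939
    print("STK amount code for 975,191:", stk_amount_code(975_191))  # 10939
    print("additive STK detects the extra transfer:", stk_detects_tamper())
    print("keyed MAC detects the extra transfer:   ", mac_detects_tamper())
```

The point the model makes concrete is that the STK's weakness is structural, not a matter of which table values are chosen: any key formed by adding per-group codes is blind to the order of the groups, so every transposition of a total collides with it. A keyed MAC over a canonical serialisation of the entire message binds every instruction and the total together under a secret, so the appended transfer changes the tag regardless of how the amounts are arranged.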
How can the thief perform his electronic wizardry? After opening his account at Bank B under a fictitious name, he taps into the correct transmission line. For a specialist, says Robert Jacobson, a Manhattan expert on high-technology fraud, this is as easy as tapping a telephone circuit. The thief then routes the transmissions between his bank and Bank A through a microcomputer programmed to calculate what additional amounts will result in the same code numbers as those in the genuine messages. When instructions come through to the thief's bank for a transfer of funds, the computer quickly adds an order that the thief's account be credited with an amount that leaves the STK code number unchanged.
Goldberg's discovery probably means that this STK will not be adopted as a standard in Britain or elsewhere. But existing systems are vulnerable too. Concludes Goldberg: "Anyone using a computer system today must take into account that the danger of fraud is very much there."