Over here in Taiwan, there are big headlines about how ATMs were hacked and about NTD$70M was stolen, which, of course, caused widespread discussion on how they did it.

Anyway, just today I overheard a discussion, which went like the following:

A: So do you think it could be the part that does the communication with other banks that was compromised?
B: Most likely not. The communications are usually protected by strong encryption. If you use 128-bit encryption or higher, it would take loads of time to crack it.

This is a mistake that I often see. In a nutshell, the strength of the encryption itself does not equal the strength of the application.

For a simplified example, imagine two computers A and B, owned respectively by Alice and Bob. They send each other messages encrypted with 256-bit AES (for crypto-geeks, let’s ignore the mode of operation for now :)). While the attacker, Eve, cannot read the encrypted messages directly, she might have found an exploit for, say, the web browser that Alice uses. She can then use the exploit to gain access to Alice’s computer, and read the messages there, without breaking the encryption.

A real-life example is the notorious Heartbleed. Neither the SSL/TLS protocol nor the encryption had been broken; a missing bounds check in the heartbeat handler allowed an attacker to read out the memory contents of the victim process, including data that the encryption was supposed to protect.
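To make the "missing bounds check" concrete, here is an added, deliberately simplified illustration (my own toy code, not OpenSSL's heartbeat implementation). A record carries a 2-byte length field followed by a payload; the unchecked handler trusts the length field, the hardened one requires it to fit inside the bytes actually received. The secret string and the record layout are constructed for the demonstration, and the record is placed in a single arena so the over-read stays inside memory the program owns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy record: 2-byte big-endian claimed payload length, then the payload.
 * Simplified illustration only; this is not OpenSSL's code. */

/* Constructed arena: the record sits directly in front of "secret" data that
 * the peer must never see. Everything lives in one array so the over-read of
 * the unchecked handler stays inside memory we own. */
static unsigned char arena[64];
static const char SECRET[] = "PIN=1234;KEY=deadbeef"; /* constructed, not real */

/* Build a record claiming `claimed_len` payload bytes but carrying only
 * `actual_len`, with the secret placed right after it.
 * Returns the number of bytes the record really occupies. */
size_t build_arena(uint16_t claimed_len, const char *payload, size_t actual_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = (unsigned char)(claimed_len >> 8);
    arena[1] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 2, payload, actual_len);
    memcpy(arena + 2 + actual_len, SECRET, sizeof SECRET);
    return 2 + actual_len;
}

/* Unchecked handler: trusts the length field in the message and echoes that
 * many bytes, regardless of how many the record actually contained.
 * The only check protects the destination buffer, not the source. */
size_t echo_unchecked(const unsigned char *rec, unsigned char *out, size_t out_cap)
{
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > out_cap) claimed = out_cap;
    memcpy(out, rec + 2, claimed);   /* reads past the real payload */
    return claimed;
}

/* Hardened handler: the claimed length must fit inside the bytes actually
 * received (`rec_len`). Echoes nothing and returns 0 otherwise. */
size_t echo_checked(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < 2) return 0;
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > rec_len - 2 || claimed > out_cap) return 0;  /* the bounds check */
    memcpy(out, rec + 2, claimed);
    return claimed;
}

/* Does the echoed buffer contain the secret? 1 if yes, 0 if no. */
int leaks_secret(const unsigned char *out, size_t n)
{
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Scenario: a record that claims `claimed` bytes but carries only "hello".
 * Returns 1 if the unchecked handler echoes the secret back. */
int unchecked_leaks(uint16_t claimed)
{
    unsigned char out[64];
    build_arena(claimed, "hello", 5);
    size_t n = echo_unchecked(arena, out, sizeof out);
    return leaks_secret(out, n);
}

/* Same scenario through the hardened handler; returns the bytes echoed
 * (0 means the record was rejected). */
size_t checked_result(uint16_t claimed)
{
    unsigned char out[64];
    size_t rec_len = build_arena(claimed, "hello", 5);
    return echo_checked(arena, rec_len, out, sizeof out);
}

int main(void)
{
    printf("unchecked, claimed 40: leaks secret = %d\n", unchecked_leaks(40));
    printf("checked,   claimed 40: echoed %zu bytes (0 = rejected)\n", checked_result(40));
    printf("checked,   claimed  5: echoed %zu bytes\n", checked_result(5));
    return 0;
}
```

The point of the example is that no key is involved anywhere: the unchecked handler hands over whatever happens to sit after the payload in memory, which in the real incident included session keys and plaintext that TLS had just decrypted. The fix is one comparison of the attacker-controlled length against the number of bytes actually received.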

So how exactly did they hack the ATMs? To be honest, I haven’t been following the news closely recently. Besides, as outsiders we often don’t have much information to start with. Another problem is that once you take the NTD$70M into account, many difficult methods suddenly become plausible. Hopefully, I can write another article once more information is available.