%!PS-Adobe-2.0
%%Creator: dvips 5.47 Copyright 1986-91 Radical Eye Software
%%Title: Why.Cryptosystems.Fail.dvi
%%Pages: 13 1
%%BoundingBox: 0 0 596 843
%%EndComments
%%BeginProcSet: tex.pro
/TeXDict 200 dict def TeXDict begin /N /def load def /B{bind def}N /S /exch
load def /X{S N}B /TR /translate load N /isls false N /vsize 10 N /@rigin{
isls{[0 1 -1 0 0 0]concat}if 72 Resolution div 72 VResolution div neg scale
Resolution VResolution vsize neg mul TR matrix currentmatrix dup dup 4 get
round 4 exch put dup dup 5 get round 5 exch put setmatrix}N /@letter{/vsize 10
N}B /@landscape{/isls true N /vsize -1 N}B /@a4{/vsize 10.6929133858 N}B /@a3{
/vsize 15.5531 N}B /@ledger{/vsize 16 N}B /@legal{/vsize 13 N}B /@manualfeed{
statusdict /manualfeed true put}B /@copies{/#copies X}B /FMat[1 0 0 -1 0 0]N
/FBB[0 0 0 0]N /nn 0 N /IE 0 N /ctr 0 N /df-tail{/nn 8 dict N nn begin
/FontType 3 N /FontMatrix fntrx N /FontBBox FBB N string /base X array
/BitMaps X /BuildChar{CharBuilder}N /Encoding IE N end dup{/foo setfont}2
array copy cvx N load 0 nn put /ctr 0 N[}B /df{/sf 1 N /fntrx FMat N df-tail}
B /dfs{div /sf X /fntrx[sf 0 0 sf neg 0 0]N df-tail}B /E{pop nn dup definefont
setfont}B /ch-width{ch-data dup length 5 sub get}B /ch-height{ch-data dup
length 4 sub get}B /ch-xoff{128 ch-data dup length 3 sub get sub}B /ch-yoff{
ch-data dup length 2 sub get 127 sub}B /ch-dx{ch-data dup length 1 sub get}B
/ch-image{ch-data dup type /stringtype ne{ctr get /ctr ctr 1 add N}if}B /id 0
N /rw 0 N /rc 0 N /gp 0 N /cp 0 N /G 0 N /sf 0 N /CharBuilder{save 3 1 roll S
dup /base get 2 index get S /BitMaps get S get /ch-data X pop /ctr 0 N ch-dx 0
ch-xoff ch-yoff ch-height sub ch-xoff ch-width add ch-yoff setcachedevice
ch-width ch-height true[1 0 0 -1 -.1 ch-xoff sub ch-yoff .1 add]{ch-image}
imagemask restore}B /D{/cc X dup type /stringtype ne{]}if nn /base get cc ctr
put nn /BitMaps get S ctr S sf 1 ne{dup dup length 1 sub dup 2 index S get sf
div put}if put /ctr ctr 1 add N}B /I{cc 1 add D}B /bop{userdict /bop-hook
known{bop-hook}if /SI save N @rigin 0 0 moveto}N /eop{clear SI restore
showpage userdict /eop-hook known{eop-hook}if}N /@start{userdict /start-hook
known{start-hook}if /VResolution X /Resolution X 1000 div /DVImag X /IE 256
array N 0 1 255{IE S 1 string dup 0 3 index put cvn put}for}N /p /show load N
/RMat[1 0 0 -1 0 0]N /BDot 260 string N /rulex 0 N /ruley 0 N /v{/ruley X
/rulex X V}B /V statusdict begin /product where{pop product dup length 7 ge{0
7 getinterval(Display)eq}{pop false}ifelse}{false}ifelse end{{gsave TR -.1 -.1
TR 1 1 scale rulex ruley false RMat{BDot}imagemask grestore}}{{gsave TR -.1
-.1 TR rulex ruley scale 1 1 false RMat{BDot}imagemask grestore}}ifelse B /a{
moveto}B /delta 0 N /tail{dup /delta X 0 rmoveto}B /M{S p delta add tail}B /b{
S p tail}B /c{-4 M}B /d{-3 M}B /e{-2 M}B /f{-1 M}B /g{0 M}B /h{1 M}B /i{2 M}B
/j{3 M}B /k{4 M}B /w{0 rmoveto}B /l{p -4 w}B /m{p -3 w}B /n{p -2 w}B /o{p -1 w
}B /q{p 1 w}B /r{p 2 w}B /s{p 3 w}B /t{p 4 w}B /x{0 S rmoveto}B /y{3 2 roll p
a}B /bos{/SS save N}B /eos{clear SS restore}B end
%%EndProcSet
TeXDict begin 1000 300 300 @start /Fa 28 120 df<006000C00380030007000E001E001C
003C0038007800780078007800F000F000F000F000F000F000F000F000F0007800780078007800
38003C001C001E000E0007000300038000C000600B257D9B11>40 D<C0006000380018001C000E
000F0007000780038003C003C003C003C001E001E001E001E001E001E001E001E001E003C003C0
03C003C00380078007000F000E001C00180038006000C0000B257E9B11>I<07F0001FFC003E3E
003C1E00780F00780F00780F00F80F80F80F80F80F80F80F80F80F80F80F80F80F80F80F80F80F
80F80F80F80F80780F00780F003C1E003E3E001FFC0007F00011187E9716>48
D<00C003C0FFC0FFC007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C0
07C007C007C07FFE7FFE0F187D9716>I<0FE0003FFC00787E00FC3F00FC1F00FC1F80FC0F8078
0F80001F80001F00001F00003E00007C0000780000E00001C1800381800601800C03801FFF003F
FF007FFF00FFFF00FFFF0011187E9716>I<07F0001FFC00383E007C3F007C1F007C1F007C3F00
383E00003E00007C0007F00007F000003C00001E00001F00001F80781F80FC1F80FC1F80FC1F00
F81F00703E003FFC000FF00011187E9716>I<000E00001E00003E00003E00007E0000FE0001FE
0003BE00073E00063E000C3E00183E00383E00703E00E03E00FFFFE0FFFFE0003E00003E00003E
00003E00003E0003FFE003FFE013187F9716>I<00F80007FE000F06001E0F003C1F003C1F0078
0E00780000F84000FBF800FFFE00FC0F00FC0F00F80F80F80F80F80F80F80F80780F80780F8078
0F003C0F001E1E000FFC0003F00011187E9716>54 D<07F0000FFC001C1E00380F00780F00780F
007C0F007F0F007FDE003FFC001FFC000FFE001FFF003DFF00787F80F01F80F00F80F00780F007
80F007007807003C1E001FFC0007F00011187E9716>56 D<07E0001FF8003C1C00781E00780F00
F80F00F80F00F80F80F80F80F80F80F80F80781F80781F803FFF800FEF80010F80000F00380F00
7C1F007C1E00783C003078001FF0000FC00011187E9716>I<78FCFCFCFC78000000000078FCFC
FCFC7806117D900C>I<00030000000780000007800000078000000FC000000FC000001FE00000
1FE000001FE0000033F0000033F0000063F8000061F80000E1FC0000C0FC0000C0FC000180FE00
01FFFE0003FFFF0003003F0003003F0006001F8006001F800E001FC0FFC0FFFCFFC0FFFC1E1A7F
9921>65 D<001FE02000FFF8E003F80FE007C003E01F8001E01F0000E03E0000E07E0000607C00
0060FC000060FC000000FC000000FC000000FC000000FC000000FC000000FC0000607C0000607E
0000603E0000C01F0000C01F80018007C0030003F80E0000FFFC00001FE0001B1A7E9920>67
D<FFFFC000FFFFF0000FC0FC000FC07E000FC03E000FC03F000FC03F000FC03F000FC03F000FC0
3E000FC07E000FC0FC000FFFF0000FFFE0000FC1F0000FC1F8000FC0FC000FC0FC000FC0FC000F
C0FC000FC0FC000FC0FC000FC0FC0C0FC07E1CFFFC3FF8FFFC1FF01E1A7E9921>82
D<7FFFFF807FFFFF80783F0780703F0380603F0180E03F01C0C03F00C0C03F00C0C03F00C0003F
0000003F0000003F0000003F0000003F0000003F0000003F0000003F0000003F0000003F000000
3F0000003F0000003F0000003F0000003F00000FFFFC000FFFFC001A1A7E991F>84
D<FFF807FCFFF807FC0FC000C00FC000C007E0018007E0018007F0038003F0030003F8070001F8
060001F8060000FC0C0000FC0C0000FE1C00007E1800007F3800003F3000003FB000001FE00000
1FE000000FC000000FC000000FC0000007800000078000000300001E1A7F9921>86
D<7FFC7FF07FFC7FF007F00E0003F00C0003F8180001FC380000FC300000FE6000007FE000003F
C000003F8000001FC000000FC000000FE000000FF000001FF000003BF8000031FC000060FC0000
E0FE0001C07F0001803F0003803F8007001FC0FFE0FFFCFFE0FFFC1E1A7F9921>88
D<03FC000FFE001E1F003C1F007C1F00780E00F80000F80000F80000F80000F800007800007C00
003C01801F03000FFE0003F80011117F9014>99 D<001FE0001FE00003E00003E00003E00003E0
0003E00003E00003E003F3E00FFFE01E07E03C03E07803E07803E0F803E0F803E0F803E0F803E0
F803E0F803E07803E03C03E03E0FE00FFFFC03F3FC161A7F9919>I<03F0000FFC001E1E003C0F
00780700780780F80780FFFF80FFFF80F80000F800007800007C00003C01801F03000FFE0003F8
0011117F9014>I<07E3C01FFFE03C3CE0381CC0781E00781E00781E00781E00381C003C3C003F
F80037E0007000007000003FFE003FFF801FFFC07FFFC0F003E0F001E0F001E0F001E07C07C03F
FF8007FC0013197F9016>103 D<FF0000FF00001F00001F00001F00001F00001F00001F00001F
00001F0FF01F0FF01F07001F0E001F1C001F38001F70001FF8001FF8001F7C001F3E001F1F001F
0F001F0F801F07C0FFCFF8FFCFF8151A7F9917>107 D<FF00FF001F001F001F001F001F001F00
1F001F001F001F001F001F001F001F001F001F001F001F001F001F001F001F00FFE0FFE00B1A80
990C>I<FF1F81F800FF7FE7FE001FE3EE3E001F81F81F001F81F81F001F01F01F001F01F01F00
1F01F01F001F01F01F001F01F01F001F01F01F001F01F01F001F01F01F001F01F01F001F01F01F
00FFE7FE7FE0FFE7FE7FE023117F9026>I<FF1F00FF7FC01FC3C01F83E01F83E01F03E01F03E0
1F03E01F03E01F03E01F03E01F03E01F03E01F03E01F03E0FFE7FCFFE7FC16117F9019>I<03F8
000FFE003E0F803C07807803C07803C0F803E0F803E0F803E0F803E0F803E0F803E07803C07C07
C03E0F800FFE0003F80013117F9016>I<030003000300070007000F003F00FFF0FFF01F001F00
1F001F001F001F001F001F001F181F181F181F181F180FF003E00D187F9711>116
D<FF9FF1F8FF9FF1F83F07C0E01F07C0C01F07E0C01F8DE1C00F8DE1800F8DF18007D8F30007D8
FB0007F8FF0003F07E0003F07E0001E03C0001E03C0001E03C0000C018001D117F9020>119
D E /Fb 1 89 df<01FF83FE003C00F0003C00C0001C0080001E0100000E0200000E0400000708
00000710000007A0000003C0000003C0000001C0000003C0000007E0000004E0000008F0000010
700000207000004038000080380001003C0002001C0006001E001E001E00FF80FFC01F1A7F9920
>88 D E /Fc 42 122 df<70F8F8F8700505798414>46 D<07C00FE01C7038383018701C701CE0
0EE00EE00EE00EE00EE00EE00EE00EE00E701C701C383838381C700FE007C00F177E9614>48
D<0300070007000F003F00F7004700070007000700070007000700070007000700070007000700
07000700FFF0FFF00C177C9614>I<0FC03FF07838701CE01EE00EE00E400E000E001E001C003C
007800F001E003C007800F001E003C0E700EFFFEFFFE0F177E9614>I<0FC03FF07878703C701C
201C001C003C0038007807E007F00038001C001E000E400EE00EE01EF01C78383FF00FC00F177E
9614>I<00780000F80001B80001B8000338000338000638000E38000C38001C38003838003038
00703800E03800FFFF80FFFF8000380000380000380000380000380003FF8003FF8011177F9614
>I<7FFC7FFC700070007000700070007000700077C07FF07838701C001E000E000EE00EE00EE0
1EF03C78783FF00FC00F177E9614>I<01F007F80E1C1C1C381C78007000F000E000E7C0FFF0FC
38F01CF01EE00EF00EF00E700E701E381C3C381FF007C00F177E9614>I<E000FFFEFFFEE01CE0
380078007000E001E001C003C00380038007800700070007000F000E000E000E000E000E000E00
0F187E9714>I<0FE03FF8783C701CE00EE00EE00EE00E701C1EF003801FF03838701CE00EE00E
E00EE00EF01E701C38381FF007C00F177E9614>I<07C01FF03C787038F01CE01CE01EE00EE00E
F01E701E387E1FFE07CE000E001E001C003C7038707878F03FC01F000F177E9614>I<70F8F8F8
7000000000000070F8F8F8700510798F14>I<01C00003E00003E0000360000360000770000770
000770000770000630000E38000E38000E38000E38000E38001FFC001FFC001C1C001C1C003C1E
00380E00FE3F80FE3F8011177F9614>65 D<FFF800FFFE001C0F001C07001C03801C03801C0380
1C03801C07001C0F001FFE001FFE001C0F001C07001C03801C03801C03801C03801C03801C0700
1C0F00FFFE00FFFC001117809614>I<03C60FFE1C3E3C1E381E700E700EF00EE000E000E000E0
00E000E000E000F00E700E700E381E3C1C1C380FF003C00F177E9614>I<FFE000FFF800383C00
381E00380E00380700380700380700380380380380380380380380380380380380380380380380
380700380700380E00381E00383C00FFF800FFE00011177F9614>I<FFFF80FFFF801C03801C03
801C03801C03801C00001C00001C38001C38001FF8001FF8001C38001C38001C00001C00001C00
001C01C01C01C01C01C01C01C0FFFFC0FFFFC01217809614>I<FFFF80FFFF801C03801C03801C
03801C03801C00001C00001C38001C38001FF8001FF8001C38001C38001C00001C00001C00001C
00001C00001C00001C0000FF8000FF800011177F9614>I<FFFEFFFE0380038003800380038003
800380038003800380038003800380038003800380038003800380FFFEFFFE0F177E9614>73
D<FE3F80FE3F803E0E003B0E003B0E003B0E003B0E003B8E00398E00398E0039CE0039CE0039CE
0038CE0038CE0038EE00386E00386E00386E00386E00383E00FE3E00FE3E0011177F9614>78
D<1FF07FFC783C701CE00EE00EE00EE00EE00EE00EE00EE00EE00EE00EE00EE00EE00EE00EE00E
701C783C7FFC1FF00F177E9614>I<FFF800FFFE001C0F001C07001C03801C03801C03801C0380
1C03801C07001C0F001FFE001FF8001C00001C00001C00001C00001C00001C00001C00001C0000
FF8000FF80001117809614>I<FFE000FFF800383C00381C00380E00380E00380E00380E00381C
00383C003FF8003FF000387800383C00381C00381C00381C00381C00381DC0381DC0381DC0FE0F
C0FE070012177F9614>82 D<0FCC3FFC787CF03CE03CE01CE01CF000F0007E003FE00FF801FC00
3C001E000EE00EE00EE00EF01CF83CFFF8C7E00F177E9614>I<1FC0007FF000707800203C0000
1C00001C0007FC001FFC007C1C00F01C00E01C00E01C00E01C00707C003FFF800F8F8011107E8F
14>97 D<FC0000FC00001C00001C00001C00001C00001C00001CF8001FFE001F0F001E07801C03
801C03C01C01C01C01C01C01C01C01C01C03C01E03801E07801F0F001FFE001CF8001217809614
>I<03F80FFC3C1C78087000F000E000E000E000E000F0007000780E3C1E0FFC03F00F107E8F14>
I<007E00007E00000E00000E00000E00000E00000E0007CE001FFE003C3E00781E00700E00F00E
00E00E00E00E00E00E00E00E00F00E00701E00781E003C3E001FFFC007CFC012177F9614>I<07
E01FF83C3C781C701EF00EE00EFFFEFFFEE000F0007000780E3C1E0FFC03F00F107E8F14>I<00
7C01FE03CE0384038003800380FFFEFFFE03800380038003800380038003800380038003800380
03807FFC7FFC0F177F9614>I<03000780078003000000000000000000FF80FF80038003800380
038003800380038003800380038003800380FFFEFFFE0F187D9714>105
D<FC0000FC00001C00001C00001C00001C00001C00001DFF801DFF801C3C001C78001CF0001DE0
001FC0001FE0001FE0001EF0001C70001C78001C3C001C1C00FF3F80FF3F8011177F9614>107
D<FF80FF8003800380038003800380038003800380038003800380038003800380038003800380
03800380FFFEFFFE0F177E9614>I<FB8E00FFFF803EFB803CF38038E38038E38038E38038E380
38E38038E38038E38038E38038E38038E380FEFBE0FEFBE01310808F14>I<FC7800FDFE001F8F
001E07001E07001C07001C07001C07001C07001C07001C07001C07001C07001C0700FF9FE0FF9F
E01310808F14>I<07C01FF03C78701C701CE00EE00EE00EE00EE00EE00E701C783C3C781FF007
C00F107E8F14>I<FCF800FFFE001F0F001E07801C03801C03C01C01C01C01C01C01C01C01C01C
03C01E03801E07801F0F001FFE001CF8001C00001C00001C00001C00001C00001C0000FF8000FF
80001218808F14>I<FF0F80FF3FC007F1C007C08007C000078000070000070000070000070000
070000070000070000070000FFFC00FFFC001210808F14>114 D<0FD87FF8E078C038C038F000
7F803FF007FC001EE00EE006F006F81CFFF8CFE00F107E8F14>I<07000700070007000700FFFC
FFFC07000700070007000700070007000700070E070E070E079E03FC00F00F157F9414>I<FC3F
00FC3F001C07001C07001C07001C07001C07001C07001C07001C07001C07001C07001C0F001E1F
000FFFE003E7E01310808F14>I<FF3F80FF3F801C1C001C1C001C1C000E1C000E38000E380007
380007300007300003700003700001E00001E00001E00001C00001C00001C00003800073800077
00007E00003C000011187F8F14>121 D E /Fd 60 122 df<0003FE000E03001C070018060038
0000380000700000700000700000700007FFFC00E01C00E03800E03800E03800E03801C07001C0
7001C07001C07001C0E403C0E40380E40380E4038068038030030000070000070000660000E600
00CC00007800001821819916>12 D<0000F0000308000604000E04000C04001C0C001C1C001C18
00380000380000380000380001FE0000700000700000700000E00000E00000E00000E00001C020
1FC0203FC04063F0C0C67F80781E00161A7D991D>36 D<183C3C1C08080810204080060B78990C
>39 D<1838783808101020204080050B7D830C>44 D<FF80FF80FF0009037D880E>I<3078F060
05047C830C>I<007C000186000303000603000C03801C03801C03803803803803803803807007
00700700700700700700E00E00E00E00E00E00E01C00E01C00E01800E0300060600030C0001F00
0011187C9714>48 D<000800180030007001F00E7000E000E000E000E001C001C001C001C00380
03800380038007000700070007000F00FFF00D187C9714>I<007C000186000203000403800483
800883801083801083801083801107001207000C0E00001C000030000060000180000200000C00
001001002001003C060067FE00C1FC0080F00011187D9714>I<003E0000C30001018002018004
81C00441C0088380048380070300000600000C0001F000001800000C00000C00000E00000E0060
0E00E01C00E01C0080380040300020E0001F800012187D9714>I<000300000380000700000700
000700000E00000E00000E00001C00001C0000180000300000300000600000C00000C600018E00
030E00021C00041C00081C00101C007FB800807F80003800003800007000007000007000007000
006000111F7F9714>I<03018003FF0003FC0002200004000004000004000004000008000009E0
000E1800081800001C00001C00001C00001C00201C00701C00E0380080300040700040E0002180
001E000011187C9714>I<001F000060800180800303800603800E00001C000018000038000039
F000721800740C00780E00700E00F00E00E00E00E00E00E00E00E01C00E01C0060380060700030
C0001F800011187C9714>I<09C04017E0801FF1803C1F00300200600600400400800C00000800
00180000300000300000700000600000E00000C00001C00001C000018000038000038000038000
07000003000012187B9714>I<007C000186000703000E03000C03801C03803803803803803803
80380780380700380F001817000C270007CE00000E00000C00001C00001800E03000E0600080C0
00C380003E000011187C9714>57 D<060F1E0C00000000000000003078F06008107C8F0C>I<00
00200000600000600000E00001E00001E000027000027000047000087000087000107000107000
207000207000407000807000FFF00100380100380200380400380400380C00381C0038FF01FF18
1A7E991D>65 D<03FFF800700E00700600700700E00700E00700E00700E00701C00E01C01C01C0
3801C07003FFE003807003803803801C07001C07001C07001C07001C0E00380E00380E00700E00
E01C03C0FFFF00181A7D991B>I<000F8200706200C01603801E07000C0E000C1C000C18000C38
0008300008700000700000E00000E00000E00000E00000E00020E00020E00020E0004060004060
00803001001006000C180003E000171A7A991B>I<03FFF80000700E00007007000070030000E0
018000E0018000E0018000E001C001C001C001C001C001C001C001C001C0038003800380038003
80038003800300070007000700070007000E0007000C000E001C000E0038000E0070000E00E000
1C038000FFFE00001A1A7D991D>I<03FFFF00700700700300700100E00100E00100E00100E001
01C08001C08001C08001C18003FF000381000381000381000702000700040700040700080E0008
0E00180E00100E00301C00E0FFFFE0181A7D991A>I<03FFFF00700700700300700100E00100E0
0100E00100E00101C08001C08001C08001C18003FF000381000381000381000702000700000700
000700000E00000E00000E00000E00001E0000FFE000181A7D9919>I<03FF1FF8007003800070
03800070038000E0070000E0070000E0070000E0070001C00E0001C00E0001C00E0001C00E0003
FFFC0003801C0003801C0003801C00070038000700380007003800070038000E0070000E007000
0E0070000E0070001C00E000FFC7FE001D1A7D991D>72 D<01FF80003800003800003800007000
00700000700000700000E00000E00000E00000E00001C00001C00001C00001C000038000038000
0380000380000700000700000700000700000E0000FFE000111A7E990F>I<00FFC0000E00000E
00000E00001C00001C00001C00001C000038000038000038000038000070000070000070000070
0000E00000E00000E00000E00061C000E1C000E180008380004700003C0000121A7C9914>I<03
FF8000700000700000700000E00000E00000E00000E00001C00001C00001C00001C00003800003
80000380000380000700000700100700100700200E00200E00600E00400E00C01C0380FFFF8014
1A7D9918>76 D<03F8001FC00078003C000078003C000078005C0000B800B80000B800B800009C
013800009C013800011C027000011C027000011C047000011C087000021C08E000021C10E00002
1C10E000021C20E000041C41C000041C41C000041C81C000041C81C000080F038000080F038000
080E038000180C038000380C070000FF083FF000221A7D9922>I<03F007F8007801C000780080
00780080009C0100009C0100009C0100008E0100010E0200010602000107020001070200020384
0002038400020384000201C4000401C8000401C8000400E8000400E8000800F000080070000800
70001800700038002000FF0020001D1A7D991D>I<001F8000706001C03003001806001C0E000C
1C000C18000E38000E30000E70000E70000EE0001CE0001CE0001CE00038E00038E00030E00070
E000E0E000C06001807003003806001C1C0007E000171A7A991D>I<03FFF800701C0070060070
0700E00700E00700E00700E00701C00E01C00E01C01C01C03803807003FF800380000380000700
000700000700000700000E00000E00000E00000E00001C0000FFC000181A7D991A>I<03FFF000
701C00700E00700700E00700E00700E00700E00701C00E01C01C01C03801C0E003FF800380C003
80600380700700700700700700700700700E00E00E00E00E00E10E00E21C0062FFC03C181A7D99
1C>82 D<003F1000609001807001007003002006002006002006002006000007000007C00003F8
0001FE00007F00000F80000380000180000180200180200180600300600300600600700C00C818
0087E000141A7D9916>I<3FFFFC381C0C201C04401C0440380480380480380480380400700000
700000700000700000E00000E00000E00000E00001C00001C00001C00001C00003800003800003
8000038000078000FFF800161A79991B>I<FF803F801C001C001C0008001C0010001C0010001C
0020001C0040001E0040000E0080000E0080000E0100000E0200000E0200000E0400000E0C0000
0E0800000E10000007100000072000000740000007400000078000000780000007000000060000
0006000000191A78991D>86 D<FF87FC3FC03C00E006001C00E004001C00E004001C01E008001C
03E008001C02E010001C04E030001C04E020001C08E040001C08E040001C10E080001C10E08000
1C20E100001C20E100001C40E200001C40E200001C80E400001D80E400001D00E800001E00F800
001E00F000001C00E000001C00E000001800C000001800C00000221A789926>I<FF803F801C00
0C001C0018001E0010000E0020000E0040000F00C0000700800007810000038200000384000003
C4000001C8000001D0000001E0000000E0000001C0000001C0000001C0000001C0000003800000
038000000380000003800000070000003FF00000191A78991D>89 D<0408102020404070F0F060
060B78990C>96 D<03CC0E2E181C381C301C701CE038E038E038E038C072C072C07260F261341E
180F107C8F14>I<7E000E000E000E001C001C001C001C00380038003BC03C3078307018701870
18E038E038E038E038C070C060C0E060C063801E000D1A7C9912>I<01F006080C181838301070
006000E000E000E000E000E008E010602030C01F000D107C8F12>I<001F800003800003800003
80000700000700000700000700000E00000E0003CE000E2E00181C00381C00301C00701C00E038
00E03800E03800E03800C07200C07200C0720060F2006134001E1800111A7C9914>I<01E00618
1C08380870087010FFE0E000E000E000E000E0086010602030C01F000D107C8F12>I<00070000
1980001B80003B0000300000300000700000700000700000700007FF0000E00000E00000E00000
E00000E00001C00001C00001C00001C00001C00003800003800003800003800003800007000007
0000070000660000E40000CC0000700000112181990C>I<00F300038B800607000E07000C0700
1C0700380E00380E00380E00380E00301C00301C00301C00183C0018780007B800003800003800
007000607000E0E000C1C0007F000011177E8F12>I<1F80000380000380000380000700000700
000700000700000E00000E00000E7C000F86001E07001E07001C07001C0700380E00380E00380E
00381C00701C80701C80703880703900E01900600E00111A7E9914>I<03070600000000000038
4C4E8E9C9C1C3838707272E2E4643808197C980C>I<1F8003800380038007000700070007000E
000E000E0E0E131C271C431C801F003C003F8039C038E070E270E270E270E4E0646038101A7E99
12>107 D<3F0707070E0E0E0E1C1C1C1C3838383870707070E4E4E4E46830081A7D990A>I<307C
1E00598663009E0783809E0703809C0703809C070380380E0700380E0700380E0700380E0E0070
1C0E40701C0E40701C1C40701C1C80E0380C80601807001A107C8F1F>I<307C005986009E0700
9E07009C07009C0700380E00380E00380E00381C00701C80701C80703880703900E01900600E00
11107C8F16>I<01F006180C0C180E300E700E600EE00EE00EE00CE01CE018E030606030C01F00
0F107C8F14>I<030F000590C009E0C009C06009C06009C0600380E00380E00380E00380E00701
C00701800703800703000E8E000E78000E00000E00001C00001C00001C00001C0000FF00001317
808F14>I<30F059189E389C189C009C0038003800380038007000700070007000E00060000D10
7C8F10>114 D<03E004300830187018601C001F801FC00FE000E00060E060E06080C041803E00
0C107D8F10>I<06000E000E000E000E001C001C00FFC01C003800380038003800700070007000
7000E100E100E100E200640038000A177C960D>I<38064C074E0E8E0E9C0E9C0E1C1C381C381C
381C7039703970393079389A0F0C10107C8F15>I<38184C1C4E1C8E0C9C0C9C0C1C0838083808
3808701070107020304018C00F000E107C8F12>I<380C304C0E384E1C388E1C189C1C189C1C18
1C381038381038381038381070702070702070704030704018B8800F0F0015107C8F19>I<078F
0008D18010F38020E18020E00020E00001C00001C00001C00001C000038200038200C38200E784
00C5880078F00011107E8F12>I<38064C074E0E8E0E9C0E9C0E1C1C381C381C381C7038703870
38307838F00F700070006060E0E1C0C18047003C0010177C8F13>I E /Fe
1 16 df<07801FE03FF07FF87FF8FFFCFFFCFFFCFFFCFFFCFFFC7FF87FF83FF01FE007800E107E
9013>15 D E /Ff 86 123 df<00FC7C0183C6070F8F060F0F0E0F060E07000E07000E07000E07
000E0700FFFFF0FFFFF00E07000E07000E07000E07000E07000E07000E07000E07000E07000E07
000E07000E07007F0FF07F0FF0181A809916>11 D<00FC00018200070700060F000E0F000E0600
0E00000E00000E00000E0000FFFF00FFFF000E07000E07000E07000E07000E07000E07000E0700
0E07000E07000E07000E07000E07007F0FE07F0FE0131A809915>I<00FF00038700070F00060F
000E07000E07000E07000E07000E07000E0700FFFF00FFFF000E07000E07000E07000E07000E07
000E07000E07000E07000E07000E07000E07000E07007F9FE07F9FE0131A809915>I<007C1F00
01C370C00703C0E0060781E00E0781E00E0380C00E0380000E0380000E0380000E038000FFFFFF
E0FFFFFFE00E0380E00E0380E00E0380E00E0380E00E0380E00E0380E00E0380E00E0380E00E03
80E00E0380E00E0380E00E0380E07F8FE3FC7F8FE3FC1E1A809920>I<007E1FE001C170E00707
C1E0060781E00E0780E00E0380E00E0380E00E0380E00E0380E00E0380E0FFFFFFE0FFFFFFE00E
0380E00E0380E00E0380E00E0380E00E0380E00E0380E00E0380E00E0380E00E0380E00E0380E0
0E0380E00E0380E07F8FE3FC7F8FE3FC1E1A809920>I<1C1C3C7060C0800607789913>19
D<60F0F0F0F0F0F060606060606060606060200000000060F0F060041A7D990B>33
D<60C0F1E0F9F068D0081008100810102010202040C1800C0B7F9913>I<0300030007C01FF03B
3873086304E31CE33CE33CF318F3007F003FC01FE00FF003F80338033C631CF31CF31CE31CC318
433833701FE00F80030003000E1E7E9B13>36 D<0E0003003100070030800E0060E01E00E05FFC
00E0401800E0403800E0407000E0406000E040E000E041C0006081800030838000310700000E0E
0000000C0700001C188000381840003030400070702000E0702000C0702001C070200380702003
007020070070200E0030400C0018401C001880180007001B1E7E9B20>I<01C000000320000006
1000000E1000000E1000000E1000000E1000000E2000000E2000000E40000007807F8007007F80
07001C00078010000B80100019C0200031E0200070E04000F0F08000F0798000F03D0000F01E00
80780F00807C3F83003FF1FF000F807C00191A7E991E>I<60F0F868080808101020C0050B7D99
0B>I<00800100020004000C00080018003000300030006000600060006000E000E000E000E000
E000E000E000E000E000E0006000600060006000300030003000180008000C0004000200010000
8009267D9B0F>I<8000400020001000180008000C000600060006000300030003000300038003
800380038003800380038003800380038003000300030003000600060006000C00080018001000
20004000800009267E9B0F>I<60F0F07010101020204080040B7D830B>44
D<FFC0FFC00A0280880D>I<60F0F06004047D830B>I<000C000C001C0018001800380030003000
700060006000E000C000C001C001800180038003000700060006000E000C000C001C0018001800
380030003000700060006000E000C000C0000E257E9B13>I<07E01C38381C381C700E700E700E
F00FF00FF00FF00FF00FF00FF00FF00FF00FF00F700E700E700E381C381C1C3807E010187F9713
>I<03000700FF00FF000700070007000700070007000700070007000700070007000700070007
00070007000700FFF0FFF00C187D9713>I<0F803FE060F0F078F83CF83CF83C703C003C007800
78007000E001C00180030006000C041804100420087FF8FFF8FFF80E187E9713>I<0F801FE030
F078707878787830780078007000E001C00F8000E000700038003C003C703CF83CF838F07860F0
3FE00F800E187E9713>I<00300030007000F000F0017002700670047008701070107020704070
C070FFFFFFFF0070007000700070007007FF07FF10187F9713>I<30183FF03FE03FC020002000
2000200020002FC03060207000380038003C003C703CF03CF03CE038407870F03FE00F800E187E
9713>I<01E007F00E381C783878383070007000F000F3C0FC60F830F038F03CF03CF03CF03C70
3C703C7038383838701FE007C00E187E9713>I<40007FFE7FFE7FFC4004800880108020002000
4000C0008001800180038003800380038007800780078007800780078003000F197E9813>I<07
801FE03870203860186018701878107E303F601FC00FE01BF031F8607CC01CC01CC00CC00CC008
601838301FE00F800E187E9713>I<07801FE0387070707038F038F038F03CF03CF03CF03C703C
307C18FC0F3C003C003800383078787078E071C03F801F000E187E9713>I<60F0F06000000000
0000000060F0F06004107D8F0B>I<60F0F060000000000000000060F0F0701010102020408004
177D8F0B>I<1FC020E04070E078F078F078607800F000E0018001000300020002000200020002
000200000000000000000006000F000F0006000D1A7E9912>63 D<000C0000000C0000000C0000
001E0000001E0000003F0000002F0000002F0000004F800000478000004780000083C0000083C0
000083C0000101E0000101E0000101E00003FFF00003FFF0000600F80004007800040078000800
3C001C003C00FF01FFC0FF01FFC01A1A7F991D>65 D<FFFF80FFFFE00F00F00F00780F003C0F00
3C0F003C0F003C0F003C0F00780F00700F01E00FFFC00F00F00F00380F003C0F001E0F001E0F00
1E0F001E0F001E0F003C0F003C0F00F8FFFFF0FFFFC0171A7F991B>I<003F0201FFC603E06E0F
001E1E000E1C0006380006780002780002700002F00000F00000F00000F00000F00000F0000070
00027800027800023800041C00041E00080F001803E07001FFC0003F00171A7E991C>I<FFFF80
00FFFFE0000F00F0000F0038000F001C000F000E000F000E000F000F000F0007000F0007800F00
07800F0007800F0007800F0007800F0007800F0007800F0007800F0007000F0007000F000F000F
000E000F001C000F003C000F00F800FFFFE000FFFF8000191A7F991D>I<FFFFF8FFFFF80F0038
0F00180F00080F000C0F00040F02040F02040F02000F06000FFE000FFE000F06000F02000F0200
0F02020F00020F00040F00040F00040F000C0F001C0F0038FFFFF8FFFFF8171A7F991A>I<FFFF
F0FFFFF00F00700F00300F00100F00180F00080F00080F02080F02000F02000F06000FFE000FFE
000F06000F02000F02000F02000F00000F00000F00000F00000F00000F0000FFF800FFF800151A
7F9919>I<003F020001FFC60003E06E000F001E001E000E001C00060038000600780002007800
020070000200F0000000F0000000F0000000F0000000F0000000F003FFC07003FFC078001E0078
001E0038001E001C001E001E001E000F001E0003E06E0001FFC600003F02001A1A7E991E>I<FF
F3FFC0FFF3FFC00F003C000F003C000F003C000F003C000F003C000F003C000F003C000F003C00
0F003C000FFFFC000FFFFC000F003C000F003C000F003C000F003C000F003C000F003C000F003C
000F003C000F003C000F003C000F003C00FFF3FFC0FFF3FFC01A1A7F991D>I<FFF0FFF00F000F
000F000F000F000F000F000F000F000F000F000F000F000F000F000F000F000F000F000F000F00
0F00FFF0FFF00C1A7F990E>I<0FFF0FFF00780078007800780078007800780078007800780078
0078007800780078007800787078F878F878F87070F021E01F80101A7F9914>I<FFF03FC0FFF0
3FC00F000E000F0008000F0010000F0020000F0040000F0080000F0100000F0200000F0400000F
0E00000F1F00000F6F00000F8780000F07C0000F03C0000F01E0000F01F0000F00F0000F007800
0F0078000F003C000F003E00FFF0FFC0FFF0FFC01A1A7F991E>I<FFF800FFF8000F00000F0000
0F00000F00000F00000F00000F00000F00000F00000F00000F00000F00000F00000F00000F0010
0F00100F00100F00300F00300F00200F00600F01E0FFFFE0FFFFE0141A7F9918>I<FF8001FFFF
8001FF0F8001F00BC002F00BC002F009E004F009E004F009E004F008F008F008F008F008F008F0
087810F0087810F0087810F0083C20F0083C20F0081E40F0081E40F0081E40F0080F80F0080F80
F0080F80F0080700F01C0700F0FF870FFFFF820FFF201A7F9923>I<FF007FC0FF807FC00FC00E
000BC0040009E0040009F0040008F0040008780400087C0400083C0400081E0400081F0400080F
0400080784000803C4000803C4000801E4000800F4000800F40008007C0008003C0008003C0008
001C001C000C00FF800C00FF8004001A1A7F991D>I<007F000001C1C000070070000E0038001C
001C003C001E0038000E0078000F0070000700F0000780F0000780F0000780F0000780F0000780
F0000780F0000780F000078078000F0078000F0038000E003C001E001C001C000E003800070070
0001C1C000007F0000191A7E991E>I<FFFF80FFFFE00F00F00F00780F00380F003C0F003C0F00
3C0F003C0F003C0F00380F00700F00E00FFFC00F00000F00000F00000F00000F00000F00000F00
000F00000F00000F0000FFF000FFF000161A7F991A>I<007F000001C1C000070070000E003800
1C001C003C001E0038000E0078000F0070000700F0000780F0000780F0000780F0000780F00007
80F0000780F0000780F00007807000070078000F0038000E003C1C1E001C221C000E4138000741
F00001E1C000007F80800001C0800000C0800000E1800000FF0000007F0000003E0000001C0019
217E991E>I<FFFE0000FFFFC0000F01E0000F00F0000F0070000F0078000F0078000F0078000F
0078000F0070000F00E0000F03C0000FFF00000F0380000F01E0000F00E0000F00F0000F00F000
0F00F0000F00F0000F00F0000F00F0000F00F0400F007040FFF03880FFF01F001A1A7F991C>I<
0FC21FF6383E700E6006E002E002E002F000F8007F803FF01FF80FFC01FE001E000F0007800780
078007C006E00EF81CDFF887E0101A7E9915>I<7FFFFF007FFFFF00701E0700401E0100401E01
00C01E0180801E0080801E0080801E0080001E0000001E0000001E0000001E0000001E0000001E
0000001E0000001E0000001E0000001E0000001E0000001E0000001E0000001E0000001E000003
FFF00003FFF000191A7F991C>I<FFF07FC0FFF07FC00F000E000F0004000F0004000F0004000F
0004000F0004000F0004000F0004000F0004000F0004000F0004000F0004000F0004000F000400
0F0004000F0004000F0004000F00040007000800078008000380100001E0600000FFC000001F00
001A1A7F991D>I<FFE01FC0FFE01FC01F0006000F0004000F0004000780080007800800078008
0003C0100003C0100003E0300001E0200001E0200000F0400000F0400000F84000007880000078
8000003D0000003D0000003D0000001E0000001E0000001E0000000C0000000C00001A1A7F991D
>I<FFC7FF0FF0FFC7FF0FF01E007801C01E007800800F007801000F007C01000F007C01000780
7C020007809E020007809E020003C09E040003C10F040003C10F040001E10F080001E30F880001
E207880000F207900000F607D00000F403D000007C03E000007C03E000007801E000003801C000
003801C000003000C0000010008000241A7F9927>I<FFE00FF0FFE00FF00F8003000780020003
C0040003E0040001E0080001F0180000F0100000F82000007C2000003C4000003E4000001E8000
001F8000000F0000000F0000000F0000000F0000000F0000000F0000000F0000000F0000000F00
0000FFF00000FFF0001C1A80991D>89 D<FEFEC0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0
C0C0C0C0C0C0C0C0C0C0C0C0C0FEFE07257D9B0B>91 D<1830204040804080810081008100B160
F9F078F030600C0B7B9913>I<FEFE060606060606060606060606060606060606060606060606
060606060606060606FEFE0725809B0B>I<183C66C38108057B9813>I<18204040808080B0F878
30050B7E990B>96 D<1FC00070600078700078380030380000380003F8001E3800383800783800
F03800F03880F03880F0788078FD801F1E0011107F8F13>I<FC0000FC00001C00001C00001C00
001C00001C00001C00001C00001C00001CF8001F0E001E07001C07801C03801C03C01C03C01C03
C01C03C01C03C01C03C01C03801C07001E07001B0C0010F000121A7F9915>I<07F00C1C383C38
3C7018F000F000F000F000F000F0007000380438080C1807E00E107F8F11>I<007E00007E0000
0E00000E00000E00000E00000E00000E00000E00000E0003CE000C3E00380E00380E00700E00F0
0E00F00E00F00E00F00E00F00E00F00E00700E00780E00381E001C2FC007CFC0121A7F9915>I<
07C01C7038387038701CF01CFFFCF000F000F000F0007000380438080C1807E00E107F8F11>I<
00F00398073C0E3C0E180E000E000E000E000E00FFC0FFC00E000E000E000E000E000E000E000E
000E000E000E000E007FE07FE00E1A80990C>I<0FCE1CF33872787878787878787838701CE02F
C02000200030003FF01FFC1FFE600FC003C003C003C0036006381C07E010187F8F13>I<FC0000
FC00001C00001C00001C00001C00001C00001C00001C00001C00001CF8001D0C001E0E001E0E00
1C0E001C0E001C0E001C0E001C0E001C0E001C0E001C0E001C0E001C0E00FF9FC0FF9FC0121A7F
9915>I<18003C003C001800000000000000000000000000FC00FC001C001C001C001C001C001C
001C001C001C001C001C001C00FF80FF80091A80990A>I<00C001E001E000C000000000000000
000000000007E007E000E000E000E000E000E000E000E000E000E000E000E000E000E000E000E0
00E060E0F0E0F1C061803E000B2183990C>I<FC0000FC00001C00001C00001C00001C00001C00
001C00001C00001C00001C3F801C3F801C1C001C10001C20001C40001DC0001FE0001CE0001C70
001C78001C38001C1C001C1E00FF3FC0FF3FC0121A7F9914>I<FC00FC001C001C001C001C001C
001C001C001C001C001C001C001C001C001C001C001C001C001C001C001C001C001C00FF80FF80
091A80990A>I<FC7C1F00FD8E63801E0781C01E0781C01C0701C01C0701C01C0701C01C0701C0
1C0701C01C0701C01C0701C01C0701C01C0701C01C0701C0FF9FE7F8FF9FE7F81D107F8F20>I<
FCF800FD0C001E0E001E0E001C0E001C0E001C0E001C0E001C0E001C0E001C0E001C0E001C0E00
1C0E00FF9FC0FF9FC012107F8F15>I<07E01C38381C700E700EF00FF00FF00FF00FF00FF00F70
0E700E381C1C3807E010107F8F13>I<FCF800FF0E001E07001C07801C07801C03C01C03C01C03
C01C03C01C03C01C03C01C07801C07001E0F001F1C001CF0001C00001C00001C00001C00001C00
00FF8000FF800012177F8F15>I<03C2000E26003C1E00380E00780E00F00E00F00E00F00E00F0
0E00F00E00F00E00780E00780E00381E001C2E0007CE00000E00000E00000E00000E00000E0000
7FC0007FC012177F8F14>I<FDC0FE701EF01CF01C601C001C001C001C001C001C001C001C001C
00FFC0FFC00C107F8F0F>I<1F2060E04020C020C020F0007F003FC01FE000F080708030C030C0
20F0408F800C107F8F0F>I<04000400040004000C000C001C003FC0FFC01C001C001C001C001C
001C001C001C201C201C201C201C200E4003800B177F960F>I<FC7E00FC7E001C0E001C0E001C
0E001C0E001C0E001C0E001C0E001C0E001C0E001C0E001C0E001C1E000C2FC007CFC012107F8F
15>I<FF1F80FF1F801C06001C04001E0C000E08000E080007100007100007900003A00003A000
01C00001C00001C00000800011107F8F14>I<FF3F9F80FF3F9F80380E06001C1604001C170400
1E170C000E2308000E2388000F239800074190000741D00003C1E0000380E0000380E0000180C0
000100400019107F8F1C>I<FF3F80FF3F801C1C000E100007200007600003C00001C00001E000
03E000027000043800083800181C00FC3FC0FC3FC012107F8F14>I<FF1F80FF1F801C06001C04
001E0C000E08000E080007100007100007900003A00003A00001C00001C00001C0000080000080
00010000610000F10000F20000E4000078000011177F8F14>I<7FF86070407040E041C041C003
80070007000E081C081C08381070107030FFF00D107F8F11>I E /Fg 45
122 270 300 dfs[<0001F001FBF807FBF80FFBF80F8BF81F89F01F80001F80001F80001F8000
1F80007FF9F8FFF9F8FFF9F81F81F81F81F81F81F81F81F81F81F81F81F81F81F81F81F81F81F8
1F81F81F81F81F81F81F81F81F81F81F81F80F81F8>21 30 128 157 22
12 D[<F8F8F8F8F8>5 5 124 132 12 46 D[<007000F007F07FF0FFF07BF003F003F003F003F0
03F003F003F003F003F003F003F003F003F003F003F003F003F003F003F003F003F07FFE7FFF7F
FE>16 30 125 157 21 49 D[<07F0001FFC003FFE007FFF007C3F80F01F80F01F80700FC0600F
C0200FC0000FC0000FC0000F80001F80001F00003F00007E00007C0000F80001F00003E0000780
000F00001F00001E00003C00007FFFC0FFFFC0FFFFC07FFFC0>18 30 126
157 21 I[<03F0000FFC001FFE003FFF007C3F00381F80101F80001F80001F80001F80001F0000
3F00007E0003FC0003F80003FE00003F00001F80000F80000FC0000FC0000FC0000FC0000FC040
0FC0601F80F81F80FFFF007FFE001FFC0007F000>18 31 126 157 21 I[<007F00007F0000FF
0000FF0001DF0001DF0003DF00039F00079F00079F000F1F000F1F001E1F001E1F003E1F003C1F
007C1F00781F00F81F00FFFFF0FFFFF0FFFFF0FFFFF0001F00001F00001F00001F00001F00001F
00>20 29 127 156 21 I[<3FFF007FFF007FFF007FFF007E00007E00007E00007E00007E0000
7E00007FF8007FFE007FFF007F1F807E0F807C0F80380FC0000FC0000FC0000FC0000FC0000FC0
200FC0600FC0701F80FC3F807FFF003FFE001FFC0007F000>18 30 126
156 21 I[<00F80003FC000FFC001FFC001F84003F00007E00007E00007C00007C0000FCF800FD
FE00FFFF00FF1F80FE0F80FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC07C0FC07C
0FC07E0F803E1F803FFF001FFE000FFC0003F800>18 31 126 157 21 I[<1FE07FF8FFFCF07C
607E407E007E007E00FE00FC01F803F003E007C007800780078007800780078000000000000000
000F800F800F800F800780>15 29 125 156 20 63 D[<007F000000FF800000FF800001FFC000
01FFC00001F7C00003F7E00003F7E00003E7E00007E3F00007E3F00007E3F00007C3F0000FC1F8
000FC1F8000F81F8001F80FC001F80FC001F80FC003FFFFE003FFFFE003FFFFE007FFFFF007E00
3F007E003F00FC003F80FC001F80FC001F80F8000F80>25 29 126 156
27 65 D[<003FE001FFFC07FFFC0FFFFC1FE0783F80183F00087F00007E00007E0000FC0000FC
0000FC0000FC0000FC0000FC0000FC0000FC0000FC0000FC0000FC00007E00007E00007F00003F
00023F800E1FE03E0FFFFE07FFFE01FFF8003FE0>23 31 125 157 26 67
D[<7FFFC0FFFFC0FFFFC0FFFFC0FC0000FC0000FC0000FC0000FC0000FC0000FC0000FC0000FF
FF00FFFF00FFFF00FFFF00FC0000FC0000FC0000FC0000FC0000FC0000FC0000FC0000FC0000FC
0000FC0000FC00007C0000>18 29 124 156 23 70 D[<7C003FFC003FFC003FFC003FFC003FFC
003FFC003FFC003FFC003FFC003FFC003FFC003FFFFFFFFFFFFFFFFFFFFFFFFFFC003FFC003FFC
003FFC003FFC003FFC003FFC003FFC003FFC003FFC003FFC003FFC003F7C003F>24
29 124 156 30 72 D[<7CFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFC7C
>6 29 124 156 13 I[<7E00007FFF0000FFFF0000FFFF8001FFFF8001FFFBC003DFFBC003DFFB
C003DFF9E0079FF9E0079FF9F00F9FF9F00F9FF8F00F1FF8F81F1FF8F81F1FF8781E1FF87C3E1F
F87C3E1FF83C3C1FF83E7C1FF81E781FF81E781FF81E781FF80FF01FF80FF01FF807E01FF807E0
1FF803C01F7800001F>32 29 124 156 37 77 D[<7E001FFF001FFF801FFF801FFFC01FFFC01F
FBE01FFBE01FF9F01FF9F01FF8F81FF8F81FF87C1FF87C1FF87C1FF83E1FF83E1FF81F1FF81F1F
F80F9FF80F9FF807DFF807DFF803FFF803FFF801FFF801FFF800FF78007F>24
29 124 156 30 I[<7FFE00FFFFC0FFFFE0FFFFF0FC07F0FC01F8FC01F8FC01F8FC01F8FC01F8
FC01F8FC01F8FC01F0FC07F0FFFFE0FFFFC0FFFF80FC0000FC0000FC0000FC0000FC0000FC0000
FC0000FC0000FC0000FC0000FC00007C0000>21 29 124 156 26 80 D[<7FFE00FFFFC0FFFFE0
FFFFF0FC03F0FC01F8FC01F8FC01F8FC01F8FC01F8FC01F8FC01F0FC07F0FFFFE0FFFFC0FFFE00
FC3F00FC1F80FC1F80FC0FC0FC0FC0FC07E0FC07E0FC03F0FC01F0FC01F8FC00FCFC00FC7C007C
>22 29 124 156 26 82 D[<03FC000FFF801FFFC03FFFC03E07C07C01807C00807C00807C0000
7C00007E00007F00003FF0003FFC001FFF000FFF8003FF8000FFC0000FC00007E00003E00003E0
4003E04003E06003E0F807C0FE0FC0FFFFC07FFF801FFF0003FC00>19 31
126 157 23 I[<7FFFFF80FFFFFF80FFFFFF80FFFFFF80003F0000003F0000003F0000003F0000
003F0000003F0000003F0000003F0000003F0000003F0000003F0000003F0000003F0000003F00
00003F0000003F0000003F0000003F0000003F0000003F0000003F0000003F0000003F0000003F
0000001F0000>25 29 126 156 27 I[<F000FF000FF801FF801FF801FF801FFC01EF801F7C01
E7803E7C03E7C03E7C03E7C03E7C03E7C03E3E03C7C07C3E07C3E07C3E07C3E07C3E07C3E07C1F
0783E0F81F0F81E0F81F0F81F0F81F0F81F0F80F0F01F0F00F8F00F1F00F9F00F9F00F9F00F9F0
079E00F9E0079E0079E007DE007BE007DE007BE003FC007FC003FC003FC003FC003FC003FC003F
C001F8001F80>40 29 127 156 39 87 D[<03FC001FFF003FFF803C0F80300FC0200FC0000FC0
007FC00FFFC03F8FC07E0FC0FC0FC0FC0FC0FC0FC0FC0FC07E3FC07FEFC03FCFC01F8FC0>18
19 127 146 20 97 D[<7C0000FC0000FC0000FC0000FC0000FC0000FC0000FC0000FC0000FC00
00FC7C00FDFE00FFFF00FE1F80FC0F80FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0F
C0FC0FC0FC1F80FE1F80FFFF00FDFE007CF800>18 29 126 156 21 I[<07F01FFC3FFE7E0E7E
067C04FC00FC00FC00FC00FC00FC00FC007C007E017E0F3FFF1FFF07FC>16
19 126 146 18 I[<000FC0000FC0000FC0000FC0000FC0000FC0000FC0000FC0000FC0000FC0
07CFC01FFFC03FFFC07E1FC07E0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0
FC0FC07C0FC07E1FC03FFFC01FEFC00FCFC0>18 29 126 156 21 I[<03F8000FFE001FFF003E
0F807E07807C07C0FC07C0FC07C0FFFFC0FFFFC0FC0000FC0000FC00007C00007E00803F03801F
FF800FFF8003FE00>18 19 127 146 19 I[<01FE07FE0FFE0F861F801F801F801F801F801F80
7FF0FFF0FFF01F801F801F801F801F801F801F801F801F801F801F801F801F801F801F800F80>
15 29 128 156 13 I[<0FF8F03FFFF07FFF707C1F00FC1F80FC1F80FC1F80FC1F80FC1F807C1F
007FFF003FFC002FF8006000007000007FFE007FFFC03FFFE03FFFE07FFFF0F001F0F000F0F000
F0F000F07C03E03FFFC01FFF8007FE00>20 28 127 146 21 I[<7C0000FC0000FC0000FC0000
FC0000FC0000FC0000FC0000FC0000FC0000FC3E00FCFF80FDFF80FF0FC0FE0FC0FC0FC0FC0FC0
FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC07C0FC0>18
29 126 156 21 I[<F8FCFCFCFCF800000000007CFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFC7C>
6 30 126 157 10 I[<7800F800F800F800F800F800F800F800F800F800F83FF87EF8FEF9FCFB
F8FFF0FFE0FFC0FFC0FFE0FFE0FFF0F9F8F8F8F8FCF87EF83FF83F781F>16
29 125 156 20 107 D[<7CFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFCFC
7C>6 29 126 156 10 I[<7C3F01F8FCFFC7FEFDFFCFFEFF07F83FFE07F03FFC07E03FFC07E03F
FC07E03FFC07E03FFC07E03FFC07E03FFC07E03FFC07E03FFC07E03FFC07E03FFC07E03FFC07E0
3FFC07E03F7C03E01F>32 19 126 146 33 I[<7C3E00FCFF80FDFF80FF0FC0FE0FC0FC0FC0FC
0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC07C0FC0>
18 19 126 146 21 I[<03FC000FFF003FFFC03F0FC07E07E07C03E0FC03F0FC03F0FC03F0FC03
F0FC03F0FC03F0FC03F07C03E07E07E07F0FE03FFFC00FFF0003FC00>20
19 127 146 21 I[<7C7C00FDFE00FFFF00FE1F80FC1F80FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0
FC0FC0FC0FC0FC0FC0FC0FC0FC1F80FE3F80FFFF00FDFE00FCF800FC0000FC0000FC0000FC0000
FC0000FC0000FC00007C0000>18 27 126 146 21 I[<07CFC01FEFC03FFFC07F1FC07E0FC0FC
0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC07E0FC07E1FC03FFFC01FEFC007
CFC0000FC0000FC0000FC0000FC0000FC0000FC0000FC0000FC0>18 27
126 146 21 I[<7C60FDE0FDE0FFE0FF00FE00FE00FC00FC00FC00FC00FC00FC00FC00FC00FC00
FC00FC007C00>11 19 126 146 14 I[<0FF81FFE3FFE781E780478007E007FE03FF81FFC0FFC
03FE403E401EE01EF81EFFFC7FF80FE0>15 19 127 146 16 I[<1F003F003F003F003F007FF8
FFF8FFF83F003F003F003F003F003F003F003F003F003F003F003F003F103FF81FF80FC0>13
24 127 151 15 I[<7C0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0FC0
FC0FC0FC0FC0FC0FC0FC0FC0FC1FC0FC3FC07FEFC07FCFC01F8FC0>18 19
126 146 21 I[<F803C0F807C0FC07C07C0F807C0F807C0F803E1F003E1F003E1F001F3E001F3E
001F3E001FBE000FFC000FFC000FFC0007F80007F80003F000>18 19 127
146 19 I[<F00F00F0F81F81F0F81F81F07C1F81E07C3F83E07C3FC3E07C3BC3E03E3BC7C03E73
C7C03E73E7C03E73E7C01E71EF801F71EF801FE1FF801FE1FF800FE1FF000FE0FF000FC0FF0007
C07E00>28 19 127 146 28 I[<F80F80FC0F807E1F003F3F001F7E000FFC000FF80007F00003
F00003E00003F00007F8000FFC001F3E003E3E003E1F007C0F80FC0FC0F807C0>18
19 127 146 19 I[<F803C0FC07C07C07C07C0F803E0F803E0F803F1F001F1F001F1F000F9E00
0F9E0007BE0007BC0003FC0003FC0003F80001F80001F80000F00000F00001F00001E00043E000
7FC0007FC0007F80007E0000>18 27 127 146 19 I E /Fh 12 118 df<78FCFCFCFC78060677
8518>46 D<01C001C003C007C00FC03FC0FFC0FBC063C003C003C003C003C003C003C003C003C0
03C003C003C003C003C003C003C003C07FFEFFFF7FFE101C7C9B18>49 D<001F00003F00007F00
00770000F70001E70001C70003C7000787000707000E07001E07003C0700380700780700F00700
FFFFF8FFFFF8FFFFF8000700000700000700000700000700000700007FF000FFF8007FF0151C7F
9B18>52 D<00FC0003FE0007FF000F87801E03C03C3FC0387FC078FFE071E3E071C1E0F3C1E0E3
80E0E380E0E380E0E380E0E380E0E380E0F3C1E071C1C071E3C078FF80387F003C3E001E00E00F
83E007FFE003FF8000FE00131C7E9B18>64 D<0FF0001FFC003FFE003C1F00180F800007800007
8000FF800FFF803FFF807F87807C0780F00780F00780F00780F80F807C1F803FFFF81FFBF807F1
F815147E9318>97 D<01FE0007FF001FFF803F07803C0300780000780000F00000F00000F00000
F00000F00000F000007800007803C03C03C03F0FC01FFF8007FF0001FC0012147D9318>99
D<001C003E003E003E001C00000000000000000FFE1FFE0FFE001E001E001E001E001E001E001E
001E001E001E001E001E001E001E001E001E001E001E001E001E001E003E603CF07CFFF87FF03F
C00F277E9C18>106 D<FE0000FE0000FE00000E00000E00000E00000E00000E00000E3FF00E7F
F00E3FF00E07800E0F000E1E000E3C000E78000EF0000FF8000FFC000F9C000F1E000E0F000E07
800E03800E03C0FFC7F8FFC7F8FFC7F8151C7F9B18>I<7FF000FFF0007FF00000F00000F00000
F00000F00000F00000F00000F00000F00000F00000F00000F00000F00000F00000F00000F00000
F00000F00000F00000F00000F00000F00000F0007FFFE0FFFFF07FFFE0141C7E9B18>I<7DF1F0
00FFFBF8007FFFFC001F1F1C001E1E1C001E1E1C001C1C1C001C1C1C001C1C1C001C1C1C001C1C
1C001C1C1C001C1C1C001C1C1C001C1C1C001C1C1C001C1C1C007F1F1F00FFBFBF807F1F1F0019
14819318>I<7FC7E0FFDFF87FFFF803FC7803F03003F00003E00003E00003C00003C00003C000
03C00003C00003C00003C00003C00003C0007FFF00FFFF807FFF0015147F9318>114
D<7F0FE0FF1FE07F0FE00F01E00F01E00F01E00F01E00F01E00F01E00F01E00F01E00F01E00F01
E00F01E00F01E00F03E00F87E007FFFC03FFFE01FDFC1714809318>117
D E /Fi 33 122 df<70F8FCFC74040404080810102040060E7C840D>44
D<07F0001FFC00383F00600F00600780F007C0F807C0F803C0F803C02007C00007C0000780000F
00000F00001E00001C0000380000700000E0000180000300000200C00400C00800C01001C03FFF
807FFF80FFFF80FFFF80121D7E9C17>50 D<07F0001FFC00381E00780F007C0F807C0F807C0780
380F80000F80000F00000E00001C0000380003F000001C00000E00000F000007800007C00007C0
2007C0F807C0F807C0F80780F00F80600F00381E001FFC0007F000121D7E9C17>I<70F8F8F870
0000000000000000000070F8F8F87005147C930D>58 D<0003800000038000000380000007C000
0007C0000007C000000DE000000DE000000DE0000018F0000018F0000018F00000307800003078
000030780000603C0000603C0000603C0000C01E0000C01E0000FFFE0001FFFF0001800F000180
0F00030007800300078003000780070003C00F8003C0FFE03FFEFFE03FFE1F1F7F9E22>65
D<FFFFE000FFFFF80007803E0007801E0007801F0007800F8007800F8007800F8007800F800780
0F8007800F0007801F0007801E0007803C0007FFF80007803C0007801E0007800F0007800F8007
800780078007C0078007C0078007C0078007C0078007C00780078007800F8007801F0007803E00
FFFFFC00FFFFF0001A1F7E9E20>I<001FC040007FF0C001F01DC003C00FC0078003C00F0003C0
1E0001C03E0001C03C0000C07C0000C0780000C078000000F8000000F8000000F8000000F80000
00F8000000F8000000F800000078000000780000007C0000C03C0000C03E0000C01E0001800F00
01800780030003C0060001F81C00007FF800001FC0001A1F7D9E21>I<FFFFFF00FFFFFF000780
1F000780070007800300078003000780038007800180078001800780C1800780C1800780C00007
80C0000781C00007FFC00007FFC0000781C0000780C0000780C0000780C0600780C06007800060
078000C0078000C0078000C0078001C0078001C0078003C007800F80FFFFFF80FFFFFF801B1F7E
9E1F>69 D<000FE020007FF86001F81CE003E007E0078003E00F0001E01E0000E03E0000E03C00
00607C0000607C00006078000000F8000000F8000000F8000000F8000000F8000000F8000000F8
007FFC78007FFC7C0001E07C0001E03C0001E03E0001E01E0001E00F0001E0078001E003E003E0
01F80FE0007FFC60000FF0201E1F7D9E24>71 D<FFFE00FFFE0007800007800007800007800007
800007800007800007800007800007800007800007800007800007800007800007800007800007
800607800607800607800607800E07800E07800C07801C07803C0780FCFFFFFCFFFFFC171F7E9E
1C>76 D<FFFFE000FFFFF80007807C0007801E0007801F0007800F0007800F8007800F8007800F
8007800F8007800F8007800F0007801F0007801E0007807C0007FFF00007800000078000000780
000007800000078000000780000007800000078000000780000007800000078000000780000007
800000FFFC0000FFFC0000191F7E9E1F>80 D<003FC00000F0F00003C03C0007801E000F000F00
1E0007801E0007803C0003C03C0003C07C0003E0780001E0F80001F0F80001F0F80001F0F80001
F0F80001F0F80001F0F80001F0F80001F0F80001F0780001E07C0003E07C0003E03C0003C01E0F
07801E1087800F20CF0007A0DE0003E0FC0000F0F000003FF01000007010000070100000783000
00387000003FF000003FE000001FE000000FC0000007801C287D9E23>I<FFFF8000FFFFE00007
80F80007803C0007803E0007801E0007801F0007801F0007801F0007801F0007801F0007801E00
07803C00078078000780F00007FF80000781C0000780E0000780F0000780700007807800078078
000780780007807C0007807C0007807C0007807C0C07807E0C07803E0CFFFC1F18FFFC07E01E1F
7E9E21>I<07E0801FF9803C1F80300780700380E00380E00180E00180E00180F00000F0000078
00007F00003FF0001FFC000FFE0003FF00001F800007800003C00003C00001C0C001C0C001C0C0
01C0E00180E00380F00300FE0E00CFFC0083F800121F7D9E19>I<FFFC7FF8FFFC7FF807800780
078003000780030007800300078003000780030007800300078003000780030007800300078003
000780030007800300078003000780030007800300078003000780030007800300078003000780
0300078003000380060003C0060001C00C0000E01C0000783800003FF000000FC0001D1F7E9E22
>85 D<0FE0003838007C1C007C1E007C0F00380F00000F00000F0000FF00078F001E0F00380F00
780F00F00F30F00F30F00F30F01F30781F303867E00F83C014147E9317>97
D<0F0000FF0000FF00000F00000F00000F00000F00000F00000F00000F00000F00000F00000F3F
000F61C00F80E00F00700F00700F00380F00380F003C0F003C0F003C0F003C0F003C0F003C0F00
380F00380F00700F00700F80E00E41800C3F001620809F19>I<0003C0003FC0003FC00003C000
03C00003C00003C00003C00003C00003C00003C00003C003F3C0060FC01C07C03803C03803C070
03C07003C0F003C0F003C0F003C0F003C0F003C0F003C07003C07003C03803C03803C01C07C00E
1BFC03E3FC16207E9F19>100 D<03F0000E1C001C0E00380700380700700700700380F00380F0
0380FFFF80F00000F00000F000007000007000003801801801800C0300070E0001F80011147F93
14>I<03E1E00E3A701C1C70380E60780F00780F00780F00780F00780F00380E001C1C001E3800
33E0002000002000003000003000003FFE001FFF800FFFC03003E07000F0E00070E00070E00070
E000707000E03801C01E078003FC00141E7F9317>103 D<0E001F001F001F000E000000000000
000000000000000F007F007F000F000F000F000F000F000F000F000F000F000F000F000F000F00
0F000F00FFE0FFE00B1F809E0D>105 D<0F0000FF0000FF00000F00000F00000F00000F00000F
00000F00000F00000F00000F00000F0FF80F0FF80F07C00F07000F06000F0C000F18000F38000F
78000FFC000FBC000F1E000F1F000F0F000F0F800F07C00F03C00F03E0FFE7FCFFE7FC1620809F
18>107 D<0F00FF00FF000F000F000F000F000F000F000F000F000F000F000F000F000F000F00
0F000F000F000F000F000F000F000F000F000F000F000F000F00FFF0FFF00C20809F0D>I<0F0F
C07E00FF30E18700FF407203800F807C03C00F807C03C00F007803C00F007803C00F007803C00F
007803C00F007803C00F007803C00F007803C00F007803C00F007803C00F007803C00F007803C0
0F007803C00F007803C0FFF3FF9FFCFFF3FF9FFC2614809327>I<0F0F80FF31C0FF40E00F80F0
0F80F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F0
0F00F0FFF3FFFFF3FF1814809319>I<01F800070E001C03803801C03801C07000E07000E0F000
F0F000F0F000F0F000F0F000F0F000F07000E07000E03801C03801C01C0380070E0001F8001414
7F9317>I<0F3F00FF61C0FF80E00F00700F00700F00780F00380F003C0F003C0F003C0F003C0F
003C0F003C0F00380F00780F00700F00F00F80E00F41800F3F000F00000F00000F00000F00000F
00000F00000F0000FFF000FFF000161D809319>I<0F3CFF46FF8F0F8F0F860F000F000F000F00
0F000F000F000F000F000F000F000F000F00FFF0FFF01014809312>114
D<0F9030F06070E030E030E030F000FF007FC03FE01FF003F80078C038C038C038E030E030D060
8F800D147E9312>I<06000600060006000E000E000E001E003FF8FFF81E001E001E001E001E00
1E001E001E001E001E001E181E181E181E181E180E10073003E00D1C7F9B12>I<0F00F0FF0FF0
FF0FF00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F0
0F00F00F01F00701F00386FF00F8FF1814809319>I<FFC7F8FFC7F81F01E00F01C00F01800F01
8007830007830007830003C60003C60003EE0001EC0001EC0001FC0000F80000F8000070000070
0000700015147F9318>I<FFC7F8FFC7F81F01E00F01C00F01800F018007830007830007830003
C60003C60003EE0001EC0001EC0001FC0000F80000F80000700000700000700000600000600000
600070C000F8C000F98000F980006300003C0000151D7F9318>121 D E
/Fj 15 122 df<0000FF00100007FFE030001FC07070003E001CF000FC0006F001F00003F003E0
0003F007E00001F00FC00000F00F800000F01F800000703F000000703F000000703F000000307F
000000307E000000307E00000030FE00000000FE00000000FE00000000FE00000000FE00000000
FE00000000FE00000000FE00000000FE000000007E000000007E000000307F000000303F000000
303F000000303F000000601F800000600F800000600FC00000C007E00000C003E000018001F000
030000FC000600003E000C00001FC078000007FFE0000000FF8000242B7DA92B>67
D<FFFFFFFF00FFFFFFFF0007F0007F0003F0000F0003F000078003F000038003F000038003F000
018003F000018003F000018003F000018003F00000C003F00300C003F00300C003F003000003F0
03000003F003000003F007000003F00F000003FFFF000003FFFF000003F00F000003F007000003
F003000003F003000003F003000003F003000003F003000003F000000003F000000003F0000000
03F000000003F000000003F000000003F000000003F000000003F000000003F000000007F80000
00FFFFF00000FFFFF0000022297EA827>70 D<FFFF83FFFC07FFC0FFFF83FFFC07FFC00FF0003F
C000FE0007E0001F8000380003F0001F8000380003F0001FC000300003F0000FC000300003F800
0FC000700001F8001FE000600001F8001FE000600001FC001FE000600000FC001FE000C00000FC
0033F000C00000FC0033F000C000007E0033F0018000007E0061F8018000007E0061F801800000
3F0061F8030000003F00E1FC030000003F00C0FC030000003F80C0FC070000001F81C0FE060000
001F81807E060000001FC1807E0E0000000FC1807E0C0000000FC3003F0C0000000FC3003F0C00
000007E3003F1800000007E6001F9800000007E6001F9800000003F6001FB000000003FC000FF0
00000003FC000FF000000003FC000FF000000001FC000FE000000001F80007E000000001F80007
E000000000F80007C000000000F00003C000000000F00003C00000000070000380000000006000
018000003A2A7FA83D>87 D<07FC00001FFF80003E07C0003F01E0003F01F0003F00F8001E00F8
000000F8000000F8000000F800001FF80001FFF80007F8F8001F80F8003F00F8007C00F8007C00
F800F800F860F800F860F800F860F800F860F801F8607C03F8603F067FC01FFC7F8003F01F001B
1A7E991E>97 D<007E0003FF800783E00F00F01E00F03C00783C00787C003C78003CF8003CFFFF
FCFFFFFCF80000F80000F80000F80000F800007800007C00003C000C3E000C1E00180F803007E0
6001FFC0007F00161A7E991B>101 D<07C00000FFC00000FFC000000FC0000007C0000007C000
0007C0000007C0000007C0000007C0000007C0000007C0000007C0000007C0000007C0000007C0
000007C1F80007C7FE0007DC1F0007F81F0007F00F8007E00F8007E00F8007C00F8007C00F8007
C00F8007C00F8007C00F8007C00F8007C00F8007C00F8007C00F8007C00F8007C00F8007C00F80
07C00F8007C00F8007C00F8007C00F8007C00F80FFFE7FFCFFFE7FFC1E2A7FA921>104
D<07000F801FC01FC01FC00F8007000000000000000000000000000000000007C07FC07FC00FC0
07C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007
C0FFFCFFFC0E2980A810>I<07C0FFC0FFC00FC007C007C007C007C007C007C007C007C007C007
C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C0
07C007C007C007C007C007C007C0FFFEFFFE0F2A80A910>108 D<07C1FC01FC00FFC7FE07FE00
FFCE1F0E1F000FD80F980F8007F007F007C007E007E007C007E007E007C007C007C007C007C007
C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C0
07C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007C007
C007C007C007C007C007C007C007C0FFFE7FFE7FFEFFFE7FFE7FFE2F1A7F9932>I<007F000001
FFC00007C1F0000F0078001E003C003C001E003C001E0078000F0078000F00F8000F80F8000F80
F8000F80F8000F80F8000F80F8000F80F8000F80F8000F8078000F007C001F003C001E003C001E
001E003C000F00780007C1F00001FFC000007F0000191A7E991E>111 D<07C3F800FFCFFE00FF
DC1F0007F0078007E007C007C003E007C001E007C001F007C001F007C000F807C000F807C000F8
07C000F807C000F807C000F807C000F807C000F807C001F007C001F007C001E007C003E007E007
C007F00F8007D83F0007CFFC0007C3F00007C0000007C0000007C0000007C0000007C0000007C0
000007C0000007C0000007C0000007C00000FFFE0000FFFE00001D267F9921>I<07CF80FFDFE0
FFF1E00FE3F007E3F007E3F007C1E007C00007C00007C00007C00007C00007C00007C00007C000
07C00007C00007C00007C00007C00007C00007C00007C00007E000FFFF00FFFF00141A7F9917>
114 D<07F8C01FFFC03C07C07803C07001C0F000C0F000C0F800C0FC0000FF80007FF8003FFE00
1FFF000FFF8001FFC0000FE0C003E0C003E0E001E0E001E0E001E0F001C0F803C0FE0780C7FE00
83F800131A7E9918>I<00C00000C00000C00000C00001C00001C00001C00003C00007C0000FC0
001FC000FFFF80FFFF8007C00007C00007C00007C00007C00007C00007C00007C00007C00007C0
0007C00007C00007C00007C0C007C0C007C0C007C0C007C0C007C0C007C0C003E18001E18000FF
00007C0012257FA417>I<FFF81FF8FFF81FF80FC007C007C0078007C0030007E0070003E00600
03E0060001F00C0001F00C0001F81C0000F8180000F81800007C3000007C3000007E3000003E60
00003E6000001FC000001FC000001FC000000F8000000F8000000F800000070000000700000006
000000060000000E0000000C0000300C0000FC180000FC180000FC300000FC70000078E000003F
C000001F0000001D267F9920>121 D E end
%%EndProlog
%%BeginSetup
%%Feature: *Resolution 300
TeXDict begin @a4
%%EndSetup
%%Page: 1 1
bop 646 42 a Fj(Wh)n(y)21 b(Cryptosystems)d(F)-5 b(ail)822
157 y Fi(Ross)16 b(Anderson)642 213 y(Univ)o(ersit)o(y)e(Computer)f(Lab)q
(oratory)578 269 y(P)o(em)o(brok)o(e)g(Street,)i(Cam)o(bridge)e(CB2)i(3QG)681
326 y(Email:)i Fh(rja14@cl.cam.ac.uk)-76 688 y Fg(Abstract)-76
815 y Ff(Designers)c(of)e(cryptographic)j(systems)e(are)g(at)f(a)g(disadv)n
(an)o(tage)j(to)-76 857 y(most)f(other)h(engineers,)g(in)g(that)f
(information)i(on)e(ho)o(w)g(their)h(sys-)-76 898 y(tems)e(fail)h(is)f(hard)g
(to)g(get:)k(their)d(ma)r(jor)f(users)g(ha)o(v)o(e)g(traditionall)q(y)-76
940 y(b)q(een)18 b(go)o(v)o(ernmen)o(t)f(agencies,)i(whic)o(h)f(are)f(v)o
(ery)g(secretiv)o(e)g(ab)q(out)-76 981 y(their)d(mistak)o(es.)-20
1071 y(In)h(this)g(article,)h(w)o(e)e(presen)o(t)h(the)g(results)h(of)e(a)g
(surv)o(ey)i(of)e(the)-76 1113 y(failure)20 b(mo)q(des)f(of)f(retail)i
(banking)h(systems,)f(whic)o(h)f(constitute)-76 1154 y(the)13
b(next)g(largest)g(application)j(of)c(cryptology)m(.)18 b(It)12
b(turns)h(out)g(that)-76 1196 y(the)f(threat)f(mo)q(del)i(commonly)f(used)g
(b)o(y)g(cryptosystem)g(designers)-76 1237 y(w)o(as)f(wrong:)16
b(most)10 b(frauds)i(w)o(ere)e(not)h(caused)h(b)o(y)f(cryptanalysis)i(or)-76
1279 y(other)k(tec)o(hnical)h(attac)o(ks,)f(but)f(b)o(y)h(implemen)o(tation)i
(errors)e(and)-76 1320 y(managemen)o(t)g(failures.)27 b(This)16
b(suggests)h(that)f(a)g(paradigm)i(shift)-76 1362 y(is)d(o)o(v)o(erdue)g(in)f
(computer)h(securit)o(y;)g(w)o(e)f(lo)q(ok)h(at)f(some)g(of)g(the)g(al-)-76
1403 y(ternativ)o(es,)f(and)f(see)f(some)h(signs)g(that)g(this)g(shift)g(ma)o
(y)f(b)q(e)h(getting)-76 1445 y(under)i(w)o(a)o(y)m(.)-76 1590
y Fg(1)41 b(Intro)q(duction)-76 1717 y Ff(Cryptology)m(,)15
b(the)f(science)g(of)g(co)q(de)g(and)g(cipher)h(systems,)e(is)i(used)-76
1759 y(b)o(y)g(go)o(v)o(ernmen)o(ts,)h(banks)f(and)h(other)f(organisations)i
(to)e(k)o(eep)g(in-)-76 1800 y(formation)h(secure.)22 b(It)14
b(is)i(a)e(complex)i(sub)r(ject,)f(and)h(its)f(national)-76
1842 y(securit)o(y)j(o)o(v)o(ertones)g(ma)o(y)f(in)o(v)o(est)g(it)g(with)h(a)
e(certain)i(amoun)o(t)f(of)-76 1883 y(glamour,)d(but)g(w)o(e)e(should)j(nev)o
(er)f(forget)f(that)g(information)i(secu-)-76 1925 y(rit)o(y)g(is)f(at)g
(heart)g(an)g(engineering)j(problem.)j(The)14 b(hardw)o(are)h(and)-76
1966 y(soft)o(w)o(are)g(pro)q(ducts)i(whic)o(h)g(are)e(designed)j(to)d(solv)o
(e)i(it)f(should)h(in)-76 2008 y(principle)f(b)q(e)d(judged)h(in)g(the)f
(same)g(w)o(a)o(y)g(as)g(an)o(y)g(other)g(pro)q(ducts:)-76
2050 y(b)o(y)g(their)h(cost)f(and)h(e\013ectiv)o(eness.)-20
2140 y(Ho)o(w)o(ev)o(er,)9 b(the)g(practice)h(of)f(cryptology)i(di\013ers)f
(from,)f(sa)o(y)m(,)h(that)-76 2181 y(of)h(aeronautical)j(engineering)f(in)f
(a)f(rather)h(striking)h(w)o(a)o(y:)i(there)d(is)-76 2223 y(almost)g(no)f
(public)h(feedbac)o(k)g(ab)q(out)f(ho)o(w)g(cryptographic)i(systems)-76
2264 y(fail.)-20 2354 y(When)j(an)f(aircraft)g(crashes,)h(it)f(is)g(fron)o(t)
f(page)i(news.)21 b(T)m(eams)-76 2396 y(of)16 b(in)o(v)o(estigators)j(rush)e
(to)f(the)h(scene,)g(and)g(the)f(subsequen)o(t)i(en-)1020 688
y(quiries)e(are)e(conducted)h(b)o(y)g(exp)q(erts)f(from)g(organisations)j
(with)d(a)1020 729 y(wide)i(range)g(of)f(in)o(terests)h(-)f(the)h(carrier,)g
(the)g(insurer,)h(the)e(man-)1020 771 y(ufacturer,)k(the)e(airline)j(pilots')
f(union,)h(and)e(the)g(lo)q(cal)h(a)o(viation)1020 812 y(authorit)o(y)m(.)28
b(Their)17 b(\014ndings)i(are)d(examined)i(b)o(y)f(journalists)h(and)1020
854 y(p)q(oliticia)q(ns,)23 b(discussed)d(in)g(pilots')g(messes,)g(and)f
(passed)h(on)f(b)o(y)1020 896 y(\015ying)c(instructors.)1076
986 y(In)i(short,)g(the)g(\015ying)h(comm)o(unit)o(y)g(has)g(a)e(strong)h
(and)h(insti-)1020 1028 y(tutionalised)f(learning)f(mec)o(hanism.)21
b(This)15 b(is)f(p)q(erhaps)h(the)f(main)1020 1070 y(reason)i(wh)o(y)m(,)g
(despite)h(the)f(inheren)o(t)h(hazards)g(of)e(\015ying)j(in)e(large)1020
1111 y(aircraft,)k(whic)o(h)e(are)h(main)o(tained)h(and)f(piloted)h(b)o(y)e
(fallible)j(h)o(u-)1020 1153 y(man)11 b(b)q(eings,)h(at)e(h)o(undreds)i(of)e
(miles)i(an)e(hour)h(through)h(congested)1020 1194 y(airspace,)g(in)e(bad)g
(w)o(eather)g(and)h(at)e(nigh)o(t,)j(the)d(risk)i(of)e(b)q(eing)j(killed)1020
1236 y(on)h(an)h(air)f(journey)h(is)g(only)g(ab)q(out)g(one)f(in)h(a)f
(million.)1076 1327 y(In)18 b(the)g(crypto)h(comm)o(unit)o(y)m(,)h(on)f(the)f
(other)g(hand,)i(there)f(is)1020 1368 y(no)g(suc)o(h)h(learning)h(mec)o
(hanism.)35 b(The)19 b(history)h(of)f(the)g(sub)r(ject)1020
1410 y(\([K1],)12 b([W1]\))h(sho)o(ws)g(the)g(same)h(mistak)o(es)g(b)q(eing)h
(made)e(o)o(v)o(er)g(and)1020 1451 y(o)o(v)o(er)18 b(again;)j(in)e
(particular,)i(p)q(o)q(or)d(managemen)o(t)h(of)e(co)q(deb)q(o)q(oks)1020
1493 y(and)f(cipher)h(mac)o(hine)g(pro)q(cedures)g(enabled)h(man)o(y)e(comm)o
(unica-)1020 1534 y(tion)e(net)o(w)o(orks)f(to)g(b)q(e)g(brok)o(en.)18
b(Kahn)13 b(relates,)h(for)f(example)h([K1,)1020 1576 y(p)d(484],)h(that)f
(Norw)o(a)o(y's)g(rapid)h(fall)g(in)g(the)g(second)g(w)o(orld)f(w)o(ar)g(w)o
(as)1020 1617 y(largely)16 b(due)e(to)g(the)g(fact)f(that)h(the)g(British)i
(Ro)o(y)o(al)f(Na)o(vy's)e(co)q(des)1020 1659 y(had)k(b)q(een)g(solv)o(ed)h
(b)o(y)f(the)g(German)g(Beobac)o(h)o(tungsdien)q(st)i(-)d(us-)1020
1700 y(ing)e(exactly)g(the)f(same)g(tec)o(hniques)i(that)e(the)g(Ro)o(y)o(al)
h(Na)o(vy's)f(o)o(wn)1020 1742 y(`Ro)q(om)g(40')g(had)h(used)f(against)i
(German)o(y)f(in)f(the)h(previous)g(w)o(ar.)1076 1833 y(Since)h(w)o(orld)g(w)
o(ar)f(t)o(w)o(o,)g(a)g(curtain)h(of)f(silence)i(has)f(descended)1020
1874 y(on)k(go)o(v)o(ernmen)o(t)h(use)f(of)f(cryptograph)o(y)m(.)36
b(This)20 b(is)f(not)g(surpris-)1020 1916 y(ing,)d(giv)o(en)f(not)g(just)g
(the)f(cold)i(w)o(ar,)e(but)h(also)h(the)e(reluctance)i(of)1020
1957 y(bureaucrats)h(\(in)f(whatev)o(er)f(organisation\))j(to)d(admit)h
(their)g(fail-)1020 1999 y(ures.)31 b(But)17 b(it)h(do)q(es)g(put)g(the)g
(cryptosystem)g(designer)h(at)f(a)f(se-)1020 2040 y(v)o(ere)10
b(disadv)n(an)o(tage)j(compared)e(with)g(engineers)h(w)o(orking)f(in)g(other)
1020 2082 y(discipli)q(nes;)23 b(the)18 b(p)q(ost-w)o(ar)f(y)o(ears)i(are)e
(precisely)j(the)e(p)q(erio)q(d)h(in)1020 2123 y(whic)o(h)d(mo)q(dern)h
(cryptographic)h(systems)e(ha)o(v)o(e)g(b)q(een)g(dev)o(elop)q(ed)1020
2165 y(and)f(brough)o(t)g(in)o(to)g(use.)20 b(It)14 b(is)h(as)f(if)g(acciden)
o(t)i(rep)q(orts)e(w)o(ere)g(only)1020 2206 y(published)k(for)d
(piston-engine)q(d)j(aircraft,)e(and)g(the)g(causes)g(of)f(all)1020
2248 y(jet)e(aircraft)g(crashes)h(w)o(ere)f(k)o(ept)g(a)g(state)g(secret.)
1020 2395 y Fg(2)41 b(Automatic)12 b(T)m(eller)h(Machines)1020
2523 y Ff(T)m(o)i(disco)o(v)o(er)i(out)e(ho)o(w)h(mo)q(dern)g(cryptosystems)h
(are)e(vulnerable)1020 2564 y(in)20 b(practice,)h(w)o(e)d(ha)o(v)o(e)i(to)f
(study)g(their)h(use)f(elsewhere.)36 b(After)1020 2606 y(go)o(v)o(ernmen)o
(t,)13 b(the)g(next)g(biggest)g(applicatio)q(n)i(is)e(in)g(banking,)h(and)
1020 2647 y(ev)o(olv)o(ed)i(to)f(protect)g(automatic)h(teller)f(mac)o(hines)h
(\(A)m(TMs\))e(from)1020 2689 y(fraud.)p eop
%%Page: 2 2
bop -20 -34 a Ff(In)15 b(some)g(coun)o(tries)i(\(including)h(the)d(USA\),)g
(the)g(banks)h(ha)o(v)o(e)-76 7 y(to)f(carry)h(the)f(risks)h(asso)q(ciated)h
(with)e(new)g(tec)o(hnology)m(.)25 b(F)m(ollo)o(w-)-76 49 y(ing)13
b(a)f(legal)h(preceden)o(t,)g(in)g(whic)o(h)f(a)g(bank)h(customer's)f(w)o
(ord)g(that)-76 90 y(she)j(had)f(not)g(made)h(a)f(withdra)o(w)o(al)h(w)o(as)f
(found)h(to)f(out)o(w)o(eigh)h(the)-76 132 y(banks')f(exp)q(erts')g(w)o(ord)f
(that)g(she)h(m)o(ust)f(ha)o(v)o(e)h(done)g([JC],)d(the)i(US)-76
173 y(F)m(ederal)k(Reserv)o(e)f(passed)g(regulations)j(whic)o(h)d(require)h
(banks)f(to)-76 215 y(refund)c(all)h(disputed)h(transactions)f(unless)g(they)
f(can)g(pro)o(v)o(e)g(fraud)-76 256 y(b)o(y)f(the)f(customer)h([E].)e(This)i
(has)f(led)h(to)f(some)h(minor)g(abuse)g(-)f(mis-)-76 298 y(represen)o
(tations)j(b)o(y)f(customers)f(are)g(estimated)h(to)f(cost)g(the)g(a)o(v)o
(er-)-76 339 y(age)j(US)e(bank)i(ab)q(out)g($15,000)g(a)f(y)o(ear)h([W2])e(-)
h(but)h(it)f(has)h(help)q(ed)-76 381 y(promote)k(the)g(dev)o(elopmen)o(t)i
(of)d(securit)o(y)i(tec)o(hnologies)i(suc)o(h)d(as)-76 422
y(cryptology)d(and)f(video.)-20 513 y(In)h(Britain,)h(the)f(regulators)h(and)
g(courts)f(ha)o(v)o(e)g(not)g(y)o(et)g(b)q(een)-76 555 y(so)h(demanding,)j
(and)d(despite)i(a)e(parliamen)o(tary)i(commission)g(of)-76
596 y(enquiry)c(whic)o(h)e(found)h(that)f(the)g(PIN)f(system)i(w)o(as)e
(insecure)i([J1],)-76 638 y(bank)o(ers)19 b(simply)h(den)o(y)e(that)g(their)g
(systems)h(are)e(ev)o(er)h(at)g(fault.)-76 679 y(Customers)12
b(who)g(complain)i(ab)q(out)e(debits)h(on)f(their)h(accoun)o(ts)f(for)-76
721 y(whic)o(h)j(they)f(w)o(ere)f(not)h(resp)q(onsible)i(-)d(so-called)j
(`phan)o(tom)e(with-)-76 762 y(dra)o(w)o(als')g(-)f(are)g(told)h(that)f(they)
h(are)f(lying,)i(or)e(mistak)o(en,)h(or)f(that)-76 804 y(they)f(m)o(ust)h(ha)
o(v)o(e)f(b)q(een)h(defrauded)g(b)o(y)f(their)h(friends)g(or)f(relativ)o(es.)
-20 895 y(The)k(most)f(visible)j(result)f(in)f(the)g(UK)f(has)h(b)q(een)g(a)g
(string)g(of)-76 936 y(court)k(cases,)h(b)q(oth)f(civil)h(and)f(criminal.)38
b(The)19 b(pattern)h(whic)o(h)-76 978 y(emerges)g(leads)g(us)f(to)g(susp)q
(ect)h(that)f(there)g(ma)o(y)g(ha)o(v)o(e)h(b)q(een)f(a)-76
1019 y(n)o(um)o(b)q(er)14 b(of)f(miscarriages)i(of)e(justice)g(o)o(v)o(er)h
(the)f(y)o(ears.)-20 1146 y Fe(\017)19 b Ff(A)d(teenage)h(girl)i(in)e(Ash)o
(ton)g(under)h(Lyme)f(w)o(as)g(con)o(victed)18 1188 y(in)e(1985)g(of)g
(stealing)h Fd($)p Ff(40)g(from)e(her)h(father.)22 b(She)15
b(pleaded)18 1229 y(guilt)o(y)k(on)f(the)g(advice)h(of)e(her)h(la)o(wy)o(ers)
g(that)g(she)g(had)g(no)18 1271 y(defence,)11 b(and)g(then)g(disapp)q(eared;)
i(it)e(later)g(turned)g(out)g(that)18 1312 y(there)e(had)h(b)q(een)h(nev)o
(er)f(b)q(een)g(a)f(theft,)h(but)g(merely)g(a)g(clerical)18
1354 y(error)j(b)o(y)g(the)g(bank)h([MBW])-20 1424 y Fe(\017)19
b Ff(A)c(She\016eld)i(p)q(olice)g(sergean)o(t)f(w)o(as)f(c)o(harged)h(with)g
(theft)f(in)18 1466 y(No)o(v)o(em)o(b)q(er)e(1988)g(and)g(susp)q(ended)h(for)
f(almost)g(a)g(y)o(ear)f(after)18 1507 y(a)17 b(phan)o(tom)i(withdra)o(w)o
(al)g(to)q(ok)f(place)h(on)f(a)g(card)g(he)g(had)18 1549 y(con\014scated)e
(from)f(a)g(susp)q(ect.)25 b(He)14 b(w)o(as)h(luc)o(ky)i(in)f(that)f(his)18
1590 y(colleagues)j(trac)o(k)o(ed)f(do)o(wn)f(the)g(lady)i(who)e(had)h(made)f
(the)18 1632 y(transaction)d(after)f(the)g(disputed)i(one;)f(her)f(ey)o
(ewitness)h(tes-)18 1673 y(timon)o(y)h(cleared)g(him)-20 1744
y Fe(\017)19 b Ff(Charges)c(of)f(theft)h(against)h(an)f(elderly)h(lady)g(in)g
(Plymouth)18 1786 y(w)o(ere)8 b(dropp)q(ed)i(after)f(our)g(enquiries)i(sho)o
(w)o(ed)e(that)g(the)g(bank's)18 1827 y(computer)k(securit)o(y)i(systems)e(w)
o(ere)g(a)g(sham)o(bles)-20 1898 y Fe(\017)19 b Ff(In)9 b(East)h(Anglia)i
(alone,)f(w)o(e)e(are)h(curren)o(tly)h(advising)h(la)o(wy)o(ers)18
1939 y(in)19 b(t)o(w)o(o)g(cases)h(where)f(p)q(eople)i(are)e(a)o(w)o(aiting)h
(trial)h(for)e(al-)18 1981 y(leged)14 b(thefts,)f(and)h(where)f(the)h
(circumstances)h(giv)o(e)f(reason)18 2022 y(to)c(b)q(eliev)o(e)i(that)e
(`phan)o(tom)h(withdra)o(w)o(als')h(w)o(ere)e(actually)i(to)18
2064 y(blame.)-20 2191 y(Finally)m(,)i(in)f(1992,)f(a)g(large)g(class)h
(action)g(got)f(underw)o(a)o(y)h(in)f(the)-76 2232 y(High)h(Court)f(in)h
(London)g([MB],)f(in)h(whic)o(h)g(h)o(undreds)g(of)f(plain)o(ti\013s)-76
2274 y(seek)18 b(to)f(reco)o(v)o(er)h(damages)h(from)e(v)n(arious)i(banks)g
(and)f(building)-76 2315 y(so)q(cieties.)23 b(W)m(e)15 b(w)o(ere)f(retained)h
(b)o(y)g(the)g(plain)o(ti\013s)i(to)d(pro)o(vide)i(ex-)-76
2357 y(p)q(ert)e(advice,)i(and)f(accordingly)h(conducted)g(some)e(researc)o
(h)h(dur-)-76 2398 y(ing)i(1992)g(in)o(to)g(the)f(actual)h(and)g(p)q(ossible)
h(failure)g(mo)q(des)e(of)g(au-)-76 2440 y(tomatic)f(teller)g(mac)o(hine)g
(systems.)20 b(This)14 b(in)o(v)o(olv)o(ed)j(in)o(terviewing)-76
2481 y(former)c(bank)g(emplo)o(y)o(ees)h(and)f(criminals,)i(analysing)h
(statemen)o(ts)-76 2523 y(from)c(plain)o(ti\013s)j(and)d(other)h(victims)g
(of)f(A)m(TM)f(fraud,)h(and)h(searc)o(h-)-76 2564 y(ing)19
b(the)f(literature.)34 b(W)m(e)18 b(w)o(ere)f(also)i(able)g(to)f(dra)o(w)g
(on)g(exp)q(eri-)-76 2606 y(ence)13 b(gained)g(during)h(the)e(mid-80's)h(on)g
(designing)i(cryptographic)-76 2647 y(equipmen)o(t)e(for)d(the)h(\014nancial)
i(sector,)e(and)h(advising)h(clien)o(ts)f(o)o(v)o(er-)-76 2689
y(seas)i(on)f(its)g(use.)1076 -34 y(W)m(e)h(shall)i(no)o(w)f(examine)g(some)f
(of)g(the)h(w)o(a)o(ys)f(in)h(whic)o(h)g(A)m(TM)1020 7 y(systems)h(ha)o(v)o
(e)h(actually)h(b)q(een)e(defrauded.)27 b(W)m(e)16 b(will)h(then)f(com-)1020
49 y(pare)h(them)h(with)f(ho)o(w)g(the)g(designers)i(though)o(t)f(their)g
(pro)q(ducts)1020 90 y(migh)o(t)c(in)g(theory)g(b)q(e)f(vulnerable,)j(and)e
(see)f(what)h(lessons)g(can)g(b)q(e)1020 132 y(dra)o(wn.)32
b(Some)19 b(material)g(has)g(had)g(to)f(b)q(e)g(held)h(bac)o(k)g(for)f(legal)
1020 173 y(reasons,)e(and)g(in)f(particular)i(w)o(e)e(do)g(not)g(iden)o(tify)
i(all)f(the)f(banks)1020 215 y(whose)d(mistak)o(es)g(w)o(e)f(discuss.)18
b(This)13 b(information)g(should)g(b)q(e)f(pro-)1020 256 y(vided)h(b)o(y)e
(witnesses)h(at)f(trial,)i(and)e(its)h(absence)g(here)g(should)h(ha)o(v)o(e)
1020 298 y(no)g(e\013ect)h(on)f(the)g(p)q(oin)o(ts)i(w)o(e)d(wish)i(to)f(mak)
o(e.)1020 444 y Fg(3)41 b(Ho)o(w)12 b(A)m(TM)i(F)o(raud)f(T)m(ak)o(es)g
(Place)1020 572 y Ff(W)m(e)f(will)h(start)f(with)g(some)g(simple)h(examples)h
(whic)o(h)e(indicate)i(the)1020 614 y(v)n(ariet)o(y)h(of)e(frauds)h(that)g
(can)g(b)q(e)g(carried)g(out)g(without)h(an)o(y)f(great)1020
655 y(tec)o(hnical)g(sophistication)q(,)g(and)f(the)e(bank)i(op)q(erating)h
(pro)q(cedures)1020 697 y(whic)o(h)j(let)f(them)g(happ)q(en.)27
b(F)m(or)16 b(the)g(time)h(b)q(eing,)g(w)o(e)f(ma)o(y)g(con-)1020
738 y(sider)10 b(that)g(the)g(magnetic)g(strip)h(on)e(the)h(customer's)g
(card)g(con)o(tains)1020 780 y(only)h(his)f(accoun)o(t)g(n)o(um)o(b)q(er,)g
(and)g(that)f(his)i(p)q(ersonal)g(iden)o(ti\014cation)1020
821 y(n)o(um)o(b)q(er)h(\(PIN\))e(is)i(deriv)o(ed)g(b)o(y)g(encrypting)h
(this)e(accoun)o(t)h(n)o(um)o(b)q(er)1020 863 y(and)h(taking)h(four)e(digits)
i(from)e(the)g(result.)18 b(Th)o(us)12 b(the)g(A)m(TM)g(m)o(ust)1020
904 y(b)q(e)17 b(able)i(to)e(p)q(erform)g(this)h(encryption)h(op)q(eration,)h
(or)d(to)g(c)o(hec)o(k)1020 946 y(the)c(PIN)g(in)h(some)f(other)g(w)o(a)o(y)g
(\(suc)o(h)h(as)f(b)o(y)g(an)g(online)i(enquiry\).)1020 1088
y Fg(3.1)40 b(Some)12 b(simple)g(examples)1065 1179 y Ff(1.)18
b(Man)o(y)e(frauds)f(are)g(carried)h(out)f(with)h(some)f(inside)h(kno)o(wl-)
1113 1220 y(edge)k(or)e(access,)j(and)e(A)m(TM)f(fraud)h(turns)g(out)g(to)g
(b)q(e)g(no)1113 1262 y(exception.)29 b(Banks)17 b(in)g(the)f(English)i(sp)q
(eaking)h(w)o(orld)d(dis-)1113 1303 y(miss)k(ab)q(out)f(one)g(p)q(ercen)o(t)g
(of)f(their)i(sta\013)f(ev)o(ery)g(y)o(ear)f(for)1113 1345
y(discipli)q(na)q(ry)i(reasons,)e(and)g(man)o(y)f(of)g(these)g(sac)o(kings)i
(are)1113 1386 y(for)12 b(p)q(ett)o(y)g(thefts)f(in)h(whic)o(h)h(A)m(TMs)e
(can)h(easily)h(b)q(e)f(in)o(v)o(olv)o(ed.)1113 1428 y(A)f(bank)h(with)f
(50,000)h(sta\013,)f(whic)o(h)h(issued)g(cards)g(and)f(PINs)1113
1469 y(through)17 b(the)e(branc)o(hes)i(rather)f(than)f(b)o(y)h(p)q(ost,)g
(migh)o(t)g(ex-)1113 1511 y(p)q(ect)10 b(ab)q(out)g(t)o(w)o(o)f(inciden)o(ts)
j(p)q(er)d(business)j(da)o(y)e(of)f(sta\013)g(steal-)1113 1552
y(ing)14 b(cards)g(and)g(PINs.)1158 1630 y Fe(\017)19 b Ff(In)11
b(a)h(recen)o(t)g(case,)g(a)g(housewife)h(from)e(Hastings,)i(Eng-)1196
1672 y(land,)20 b(had)g(money)f(stolen)g(from)f(her)h(accoun)o(t)g(b)o(y)g(a)
1196 1713 y(bank)d(clerk)f(who)h(issued)g(an)f(extra)h(card)f(for)g(it.)23
b(The)1196 1755 y(bank's)10 b(systems)g(not)g(only)h(failed)g(to)f(prev)o(en)
o(t)g(this,)h(but)1196 1796 y(also)k(had)h(the)f(feature)g(that)g(whenev)o
(er)g(a)g(cardholder)1196 1838 y(got)i(a)h(statemen)o(t)g(from)f(an)h(A)m
(TM,)e(the)i(items)g(on)g(it)1196 1879 y(w)o(ould)c(not)g(subsequen)o(tly)j
(app)q(ear)d(on)g(the)g(full)h(state-)1196 1921 y(men)o(ts)e(sen)o(t)h(to)g
(the)g(accoun)o(t)g(address.)20 b(This)14 b(enabled)1196 1962
y(the)k(clerk)i(to)e(see)g(to)h(it)g(that)f(she)h(did)g(not)g(get)g(an)o(y)
1196 2004 y(statemen)o(t)c(sho)o(wing)i(the)e(thefts)g(he)h(had)g(made)f
(from)1196 2045 y(her)e(accoun)o(t.)1196 2094 y(This)g(w)o(as)f(one)h(of)g
(the)f(reasons)i(he)f(managed)g(to)g(mak)o(e)1196 2135 y(43)g(withdra)o(w)o
(als)j(of)d Fd($)p Ff(200)h(eac)o(h;)g(the)g(other)g(w)o(as)f(that)1196
2177 y(when)j(she)h(did)h(at)e(last)i(complain,)h(she)e(w)o(as)f(not)h(b)q
(e-)1196 2218 y(liev)o(ed.)22 b(In)14 b(fact)g(she)g(w)o(as)g(sub)r(jected)h
(to)f(harrassmen)o(t)1196 2260 y(b)o(y)j(the)h(bank,)h(and)f(the)g(thief)f(w)
o(as)h(only)g(disco)o(v)o(ered)1196 2301 y(b)q(ecause)f(he)g(su\013ered)g(an)
g(attac)o(k)f(of)g(conscience)i(and)1196 2343 y(o)o(wned)13
b(up)h([RM].)1158 2398 y Fe(\017)19 b Ff(T)m(ec)o(hnical)i(sta\013)e(also)i
(steal)f(clien)o(ts')g(money)m(,)h(kno)o(w-)1196 2440 y(ing)14
b(that)f(complain)o(ts)i(will)g(probably)g(b)q(e)e(ignored.)19
b(A)o(t)1196 2481 y(one)11 b(bank)h(in)g(Scotland,)h(a)e(main)o(tenance)i
(engineer)f(\014t-)1196 2523 y(ted)18 b(an)g(A)m(TM)f(with)h(a)g(handheld)j
(computer,)e(whic)o(h)1196 2564 y(recorded)c(customers')g(PINs)g(and)g
(accoun)o(t)g(n)o(um)o(b)q(ers.)1196 2606 y(He)k(then)h(made)g(up)g(coun)o
(terfeit)h(cards)f(and)g(lo)q(oted)1196 2647 y(their)c(accoun)o(ts)h([C1])e
([C2].)25 b(Again,)17 b(customers)g(who)1196 2689 y(complained)h(w)o(ere)d
(stonew)o(alled;)j(and)e(the)g(bank)g(w)o(as)p eop
%%Page: 3 3
bop 100 -34 a Ff(publicly)12 b(criticised)g(for)e(this)g(b)o(y)g(one)g(of)f
(Scotland's)i(top)100 7 y(la)o(w)i(o\016cers.)62 64 y Fe(\017)19
b Ff(One)h(bank)h(issues)h(tellers)g(with)f(cards)g(with)f(whic)o(h)100
105 y(they)10 b(can)g(withdra)o(w)g(money)g(from)f(branc)o(h)i(A)m(TMs)e(and)
100 147 y(debit)14 b(an)o(y)f(customer)h(accoun)o(t.)k(This)13
b(ma)o(y)h(b)q(e)f(con)o(v)o(e-)100 188 y(nien)o(t)k(when)f(the)g(teller)h
(station)g(cash)f(runs)g(out,)h(but)100 230 y(could)d(lead)g(the)f(sta\013)h
(in)o(to)g(temptation.)62 286 y Fe(\017)19 b Ff(One)c(bank)h(had)g(a)f(w)o
(ell)h(managed)h(system,)e(in)h(whic)o(h)100 328 y(the)f(information)j
(systems,)e(electronic)h(banking)h(and)100 369 y(in)o(ternal)c(audit)f
(departmen)o(ts)g(co)q(op)q(erated)h(to)e(enforce)100 411 y(tigh)o(t)e(dual)h
(con)o(trol)f(o)o(v)o(er)g(unissued)h(cards)f(and)g(PINs)f(in)100
452 y(the)i(branc)o(hes.)17 b(This)11 b(k)o(ept)g(ann)o(ual)i(theft)d(losses)
i(do)o(wn,)100 494 y(un)o(til)17 b(one)e(da)o(y)h(a)g(proteg)o(\023)-18
b(e)16 b(of)f(the)g(deput)o(y)h(managing)100 535 y(director)10
b(sen)o(t)g(a)f(circular)j(to)d(all)i(branc)o(hes)f(announcing)100
577 y(that)15 b(to)g(cut)h(costs,)g(a)f(n)o(um)o(b)q(er)h(of)f(dual)i(con)o
(trol)f(pro-)100 618 y(cedures)h(w)o(ere)f(b)q(eing)i(ab)q(olished,)i
(including)f(that)e(on)100 660 y(cards)f(and)f(PINs.)24 b(This)16
b(w)o(as)f(done)h(without)g(consul-)100 701 y(tation,)g(and)f(without)g
(taking)h(an)o(y)f(steps)h(to)e(actually)100 743 y(sa)o(v)o(e)j(money)h(b)o
(y)g(reducing)h(sta\013.)31 b(Losses)18 b(increased)100 784
y(tenfold;)11 b(but)f(managers)g(in)g(the)f(a\013ected)h(departmen)o(ts)100
826 y(w)o(ere)15 b(un)o(willing)j(to)d(risk)h(their)g(careers)g(b)o(y)g
(making)g(a)100 867 y(fuss.)21 b(This)15 b(seems)f(to)g(b)q(e)h(a)f(t)o
(ypical)i(example)g(of)e(ho)o(w)100 909 y(computer)i(securit)o(y)g(breaks)g
(do)o(wn)g(in)g(real)g(organisa-)100 950 y(tions.)18 1030 y(Most)d(thefts)g
(b)o(y)g(sta\013)h(sho)o(w)f(up)g(as)h(phan)o(tom)g(withdra)o(w)o(als)18
1072 y(at)8 b(A)m(TMs)g(in)i(the)f(victim's)h(neigh)o(b)q(ourho)q(o)q(d.)19
b(English)11 b(banks)18 1113 y(main)o(tain)16 b(that)e(a)g(computer)g
(securit)o(y)h(problem)h(w)o(ould)f(re-)18 1155 y(sult)20 b(in)g(a)f(random)h
(distribution)i(of)d(transactions)i(round)18 1196 y(the)c(coun)o(try)m(,)h
(and)f(as)g(most)g(disputed)i(withdra)o(w)o(als)g(hap-)18 1238
y(p)q(en)14 b(near)g(the)g(customer's)g(home)g(or)f(place)i(of)e(w)o(ork,)h
(these)18 1279 y(m)o(ust)g(b)q(e)h(due)g(to)g(cardholder)h(negligence)h
([BB].)d(Th)o(us)h(the)18 1321 y(pattern)c(of)g(complain)o(ts)i(whic)o(h)f
(arises)g(from)e(thefts)h(b)o(y)g(their)18 1362 y(o)o(wn)16
b(sta\013)h(only)h(tends)f(to)g(reinforce)g(the)g(banks')g(compla-)18
1404 y(cency)c(ab)q(out)h(their)g(systems.)-31 1475 y(2.)19
b(Outsiders)13 b(ha)o(v)o(e)g(also)h(enjo)o(y)o(ed)f(some)f(success)h(at)g
(attac)o(king)18 1517 y(A)m(TM)f(systems.)62 1596 y Fe(\017)19
b Ff(In)e(a)g(recen)o(t)g(case)g(at)g(Winc)o(hester)i(Cro)o(wn)d(Court)h(in)
100 1638 y(England)c([RSH],)d(t)o(w)o(o)g(men)i(w)o(ere)e(con)o(victed)j(of)e
(a)g(sim-)100 1679 y(ple)g(but)f(e\013ectiv)o(e)i(scam.)k(They)11
b(w)o(ould)g(stand)g(in)g(A)m(TM)100 1721 y(queues,)h(observ)o(e)g
(customers')f(PINs,)g(pic)o(k)i(up)e(the)g(dis-)100 1762 y(carded)17
b(A)m(TM)g(tic)o(k)o(ets,)h(cop)o(y)f(the)g(accoun)o(t)h(n)o(um)o(b)q(ers)100
1804 y(from)13 b(the)h(tic)o(k)o(ets)g(to)g(blank)h(cards,)f(and)g(use)g
(these)g(to)100 1845 y(lo)q(ot)g(the)f(customers')g(accoun)o(ts.)100
1894 y(This)j(tric)o(k)g(had)g(b)q(een)g(used)h(\(and)f(rep)q(orted\))g(sev)o
(eral)100 1936 y(y)o(ears)g(previously)i(at)e(a)g(bank)g(in)h(New)e(Y)m(ork.)
25 b(There)100 1977 y(the)10 b(culprit)h(w)o(as)f(an)g(A)m(TM)g(tec)o
(hnician,)i(who)e(had)h(b)q(een)100 2019 y(\014red,)h(and)h(who)g(managed)g
(to)f(steal)i(o)o(v)o(er)e($80,000)h(b)q(e-)100 2060 y(fore)19
b(the)h(bank)g(saturated)h(the)e(area)h(with)g(securit)o(y)100
2102 y(men)13 b(and)h(caugh)o(t)f(him)h(in)g(the)f(act.)100
2151 y(These)h(attac)o(ks)h(w)o(ork)o(ed)f(b)q(ecause)h(the)g(banks)g(prin)o
(ted)100 2192 y(the)f(full)h(accoun)o(t)f(n)o(um)o(b)q(er)h(on)f(the)g(A)m
(TM)f(tic)o(k)o(et,)i(and)100 2234 y(b)q(ecause)i(there)e(w)o(as)h(no)g
(cryptographic)i(redundancy)100 2275 y(on)d(the)h(magnetic)h(strip.)25
b(One)15 b(migh)o(t)h(ha)o(v)o(e)g(though)o(t)100 2317 y(that)9
b(the)g(New)f(Y)m(ork)g(lesson)i(w)o(ould)g(ha)o(v)o(e)f(b)q(een)h(learned,)
100 2358 y(but)h(no:)17 b(in)12 b(England,)h(the)e(bank)h(whic)o(h)g(had)g(b)
q(een)g(the)100 2400 y(main)h(victim)h(in)g(the)f(Winc)o(hester)h(case)f
(only)h(stopp)q(ed)100 2441 y(prin)o(ting)g(the)f(full)g(accoun)o(t)g(n)o(um)
o(b)q(er)g(in)g(mid)g(1992,)g(af-)100 2483 y(ter)i(the)g(author)h(replicated)
i(the)d(fraud)h(on)f(television)100 2524 y(to)c(w)o(arn)g(the)g(public)i(of)d
(the)i(risk.)17 b(Another)11 b(bank)h(con-)100 2566 y(tin)o(ued)i(prin)o
(ting)i(it)d(in)o(to)h(1993,)g(and)f(w)o(as)g(pillori)q(ed)j(b)o(y)100
2607 y(journalists)f(who)f(managed)g(to)f(forge)h(a)f(card)h(and)g(use)100
2649 y(it)f([L1].)1158 -34 y Fe(\017)19 b Ff(Another)e(tec)o(hnical)i(attac)o
(k)e(relies)i(on)e(the)g(fact)g(that)1196 7 y(most)g(A)m(TM)f(net)o(w)o(orks)
h(do)g(not)h(encrypt)f(or)g(authen-)1196 49 y(ticate)k(the)g(authorisation)i
(resp)q(onse)f(to)e(the)h(A)m(TM.)1196 90 y(This)c(means)g(that)g(an)g(attac)
o(k)o(er)g(can)g(record)h(a)e(`pa)o(y')1196 132 y(resp)q(onse)d(from)e(the)h
(bank)h(to)e(the)h(mac)o(hine,)h(and)g(then)1196 173 y(k)o(eep)i(on)h(repla)o
(ying)h(it)f(un)o(til)h(the)e(mac)o(hine)i(is)e(empt)o(y)m(.)1196
215 y(This)9 b(tec)o(hnique,)i(kno)o(wn)f(as)f(`jac)o(kp)q(otting',)h(is)g
(not)f(lim-)1196 256 y(ited)16 b(to)g(outsiders)i(-)e(it)g(app)q(ears)h(to)f
(ha)o(v)o(e)h(b)q(een)f(used)1196 298 y(in)j(1987)f(b)o(y)h(a)f(bank's)h(op)q
(erations)h(sta\013,)f(who)f(used)1196 339 y(net)o(w)o(ork)d(con)o(trol)i
(devices)g(to)f(jac)o(kp)q(ot)g(A)m(TMs)f(where)1196 381 y(accomplices)g(w)o
(ere)e(w)o(aiting.)1158 437 y Fe(\017)19 b Ff(Another)9 b(bank's)g(systems)h
(had)f(the)g(feature)g(that)g(when)1196 479 y(a)15 b(telephone)h(card)g(w)o
(as)f(en)o(tered)g(at)g(an)h(A)m(TM,)e(it)h(b)q(e-)1196 520
y(liev)o(ed)j(that)f(the)g(previous)i(card)e(had)g(b)q(een)h(inserted)1196
562 y(again.)i(Cro)q(oks)14 b(sto)q(o)q(d)g(in)g(line,)h(observ)o(ed)g
(customers')1196 603 y(PINs,)k(and)g(help)q(ed)g(themselv)o(es.)35
b(This)19 b(sho)o(ws)f(ho)o(w)1196 645 y(ev)o(en)j(the)f(most)h(obscure)h
(programming)g(error)f(can)1196 686 y(lead)14 b(to)f(serious)h(problems.)1158
743 y Fe(\017)19 b Ff(P)o(ostal)10 b(in)o(terception)i(is)e(rec)o(k)o(oned)h
(to)e(accoun)o(t)i(for)e(30\045)1196 784 y(of)20 b(all)h(UK)f(pa)o(ymen)o(t)h
(card)g(losses)g([A1],)g(but)g(most)1196 826 y(banks')14 b(p)q(ostal)h(con)o
(trol)g(pro)q(cedures)g(are)f(dismal.)21 b(F)m(or)1196 867
y(example,)c(in)g(F)m(ebruary)g(1992)f(the)g(author)h(ask)o(ed)f(for)1196
909 y(an)g(increased)j(card)d(limit:)26 b(the)16 b(bank)i(sen)o(t)e(not)h
(one,)1196 950 y(but)11 b(t)o(w)o(o,)g(cards)g(and)h(PINs)f(through)h(the)f
(p)q(ost.)17 b(These)1196 992 y(cards)c(arriv)o(ed)i(only)f(a)f(few)f(da)o
(ys)i(after)f(in)o(truders)h(had)1196 1033 y(got)g(hold)i(of)f(our)g
(apartmen)o(t)g(blo)q(c)o(k's)h(mail)g(and)f(torn)1196 1075
y(it)e(up)h(lo)q(oking)h(for)e(v)n(aluables.)1196 1124 y(It)19
b(turned)h(out)g(that)f(this)h(bank)h(did)f(not)g(ha)o(v)o(e)g(the)1196
1165 y(systems)d(to)g(deliv)o(er)i(a)d(card)i(b)o(y)f(registered)h(p)q(ost,)g
(or)1196 1207 y(to)13 b(send)h(it)g(to)g(a)f(branc)o(h)h(for)g(collection.)21
b(Surely)15 b(they)1196 1248 y(should)10 b(ha)o(v)o(e)f(noticed)i(that)e(man)
o(y)g(of)f(their)i(Cam)o(bridge)1196 1290 y(customers)j(liv)o(e)h(in)f
(colleges,)h(studen)o(t)f(residences)h(and)1196 1331 y(apartmen)o(t)g
(buildings)i(whic)o(h)e(ha)o(v)o(e)g(no)f(secure)h(p)q(ostal)1196
1373 y(deliv)o(eries;)e(and)e(that)f(most)g(of)g(the)g(new)g(studen)o(ts)h
(op)q(en)1196 1414 y(bank)16 b(accoun)o(ts)g(at)f(the)g(start)g(of)g(the)g
(academic)i(y)o(ear)1196 1456 y(in)11 b(Octob)q(er,)g(when)g(large)g(n)o(um)o
(b)q(ers)g(of)f(cards)h(and)h(PIN)1196 1497 y(mailers)i(are)f(left)h(lying)h
(around)f(on)f(staircases)i(and)e(in)1196 1539 y(pigeonholes.)1158
1595 y Fe(\017)19 b Ff(T)m(est)8 b(transactions)j(ha)o(v)o(e)e(b)q(een)g
(another)h(source)f(of)g(trou-)1196 1637 y(ble.)29 b(There)17
b(w)o(as)f(a)h(feature)g(on)g(one)g(mak)o(e)g(of)g(A)m(TM)1196
1678 y(whic)o(h)e(w)o(ould)h(output)f(ten)g(banknotes)i(when)e(a)f(four-)1196
1720 y(teen)f(digit)i(sequence)f(w)o(as)g(en)o(tered)f(at)h(the)f(k)o(eyb)q
(oard.)1196 1761 y(One)c(bank)g(prin)o(ted)i(this)e(sequence)h(in)g(its)f
(branc)o(h)h(man-)1196 1803 y(ual,)g(and)f(three)g(y)o(ears)h(later)f(there)g
(w)o(as)g(a)f(sudden)j(spate)1196 1844 y(of)g(losses.)18 b(These)13
b(w)o(en)o(t)e(on)i(un)o(til)h(all)f(the)f(banks)i(using)1196
1886 y(the)c(mac)o(hine)h(put)f(in)h(a)f(soft)o(w)o(are)g(patc)o(h)g(to)g
(disable)i(the)1196 1927 y(transaction.)1158 1984 y Fe(\017)19
b Ff(The)9 b(fastest)g(gro)o(wing)h(mo)q(dus)g(op)q(erandi)h(is)f(to)f(use)g
(false)1196 2025 y(terminals)14 b(to)e(collect)h(customer)g(card)f(and)h(PIN)
f(data.)1196 2067 y(A)o(ttac)o(ks)i(of)f(this)i(kind)h(w)o(ere)d(\014rst)h
(rep)q(orted)h(from)f(the)1196 2108 y(USA)h(in)i(1988;)g(there,)g(cro)q(oks)f
(built)i(a)e(v)o(ending)h(ma-)1196 2150 y(c)o(hine)c(whic)o(h)g(w)o(ould)g
(accept)g(an)o(y)g(card)f(and)h(PIN,)e(and)1196 2191 y(disp)q(ense)18
b(a)f(pac)o(k)o(et)h(of)e(cigarettes.)30 b(They)17 b(put)g(their)1196
2233 y(in)o(v)o(en)o(tion)c(in)f(a)f(shopping)j(mall,)e(and)g(harv)o(ested)g
(PINs)1196 2275 y(and)j(magnetic)h(strip)g(data)f(b)o(y)g(mo)q(dem.)23
b(A)15 b(more)f(re-)1196 2316 y(cen)o(t)f(instance)i(of)e(this)i(in)f
(Connecticut)h(got)e(substan-)1196 2358 y(tial)h(press)g(publicit)o(y)j
([J2],)12 b(and)i(the)g(tric)o(k)g(has)g(spread)1196 2399 y(to)g(other)h
(coun)o(tries)h(to)q(o:)21 b(in)15 b(1992,)h(criminals)h(set)e(up)1196
2441 y(a)h(mark)o(et)g(stall)i(in)e(High)h(Wycom)o(b)q(e,)h(England,)g(and)
1196 2482 y(customers)13 b(who)g(wished)g(to)g(pa)o(y)g(for)g(go)q(o)q(ds)g
(b)o(y)g(credit)1196 2524 y(card)h(w)o(ere)g(ask)o(ed)i(to)e(swip)q(e)h(the)g
(card)f(and)h(en)o(ter)g(the)1196 2565 y(PIN)10 b(at)h(a)h(terminal)g(whic)o
(h)g(w)o(as)f(in)h(fact)f(ho)q(ok)o(ed)i(up)e(to)1196 2607
y(a)j(PC.)g(A)o(t)h(the)f(time)i(of)e(writing,)i(British)h(banks)e(had)1196
2648 y(still)g(not)e(w)o(arned)g(their)h(customers)g(of)e(this)i(threat.)p
eop
%%Page: 4 4
bop -31 -34 a Ff(3.)19 b(The)d(p)q(oin)o(t)i(of)f(using)h(a)f(four-digit)h
(PIN)e(is)h(that)g(someone)18 7 y(who)h(\014nds)i(or)f(steals)g(another)h(p)q
(erson's)g(A)m(TM)e(card)h(has)18 49 y(a)c(c)o(hance)h(of)e(only)j(one)e(in)h
(ten)g(thousand)g(of)f(guessing)i(the)18 90 y(PIN,)12 b(and)i(if)g(only)h
(three)e(attempts)h(are)f(allo)o(w)o(ed,)i(then)f(the)18 132
y(lik)o(eliho)q(o)q(d)g(of)c(a)g(stolen)h(card)g(b)q(eing)g(misused)h(should)
g(b)q(e)e(less)18 173 y(than)f(one)h(in)g(3,000.)16 b(Ho)o(w)o(ev)o(er,)9
b(some)h(banks)g(ha)o(v)o(e)g(managed)18 215 y(to)g(reduce)i(the)f(div)o
(ersit)o(y)h(of)f(a)g(four-digit)h(PIN)f(to)f(m)o(uc)o(h)h(less)18
256 y(than)i(10,000.)18 b(F)m(or)12 b(example:)62 336 y Fe(\017)19
b Ff(They)14 b(ma)o(y)h(ha)o(v)o(e)g(a)f(sc)o(heme)h(whic)o(h)g(enables)h
(PINs)e(to)100 377 y(b)q(e)f(c)o(hec)o(k)o(ed)h(b)o(y)f(o\017ine)h(A)m(TMs)f
(and)g(p)q(oin)o(t-of-sale)i(de-)100 419 y(vices)g(without)g(these)f(devices)
i(ha)o(ving)f(a)f(full)i(encryp-)100 460 y(tion)j(capabilit)o(y)m(.)35
b(F)m(or)18 b(example,)i(customers)f(of)f(one)100 502 y(bank)g(get)f(a)g
(credit)h(card)g(PIN)f(with)h(digit)g(one)g(plus)100 544 y(digit)c(four)f
(equal)h(to)f(digit)i(t)o(w)o(o)d(plus)i(digit)h(three,)e(and)100
585 y(a)h(debit)h(card)g(PIN)e(with)i(one)f(plus)i(three)e(equals)i(t)o(w)o
(o)100 627 y(plus)10 b(four.)15 b(This)10 b(means)f(that)g(cro)q(oks)h(could)
g(use)f(stolen)100 668 y(cards)k(in)g(o\017ine)g(devices)h(b)o(y)f(en)o
(tering)h(a)e(PIN)g(suc)o(h)h(as)100 710 y(4455.)62 766 y Fe(\017)19
b Ff(In)c(early)h(1992,)g(another)g(bank)g(sen)o(t)f(its)h(cardholders)100
808 y(a)g(letter)h(w)o(arning)h(them)e(of)h(the)f(dangers)i(of)e(writing)100
849 y(their)j(PIN)f(on)g(their)i(card,)f(and)g(suggested)h(instead)100
891 y(that)d(they)g(conceal)h(the)f(PIN)g(in)g(the)g(follo)o(wing)i(w)o(a)o
(y)100 932 y(and)10 b(write)f(it)h(do)o(wn)g(on)g(a)f(distinctiv)o(e)j(piece)
f(of)e(squared)100 974 y(cardb)q(oard,)14 b(whic)o(h)g(w)o(as)f(designed)i
(to)e(b)q(e)h(k)o(ept)f(along-)100 1015 y(side)h(the)f(A)m(TM)f(card)i(in)f
(a)g(w)o(allet)h(or)f(purse.)100 1064 y(Supp)q(ose)k(y)o(our)f(PIN)f(is)h
(2256.)25 b(Cho)q(ose)16 b(a)g(four-letter)100 1106 y(w)o(ord,)g(sa)o(y)h(`)p
Fc(blue)p Ff('.)24 b(W)m(rite)17 b(these)g(four)f(letters)h(do)o(wn)100
1147 y(in)e(the)f(second,)g(second,)h(\014fth)f(and)h(sixth)g(columns)g(of)
100 1189 y(the)e(card)g(resp)q(ectiv)o(ely:)p 100 1265 660
2 v 99 1307 2 42 v 107 1307 V 130 1294 a Fc(1)p 171 1307 V
44 w(2)p 235 1307 V 45 w(3)p 300 1307 V 44 w(4)p 364 1307 V
44 w(5)p 429 1307 V 45 w(6)p 493 1307 V 44 w(7)p 558 1307 V
45 w(8)p 622 1307 V 44 w(9)p 686 1307 V 45 w(0)p 751 1307 V
759 1307 V 100 1309 660 2 v 99 1350 2 42 v 107 1350 V 171 1350
V 194 1338 a(b)p 235 1350 V 300 1350 V 364 1350 V 429 1350
V 493 1350 V 558 1350 V 622 1350 V 686 1350 V 751 1350 V 759
1350 V 100 1352 660 2 v 99 1393 2 42 v 107 1393 V 171 1393
V 194 1381 a(l)p 235 1393 V 300 1393 V 364 1393 V 429 1393
V 493 1393 V 558 1393 V 622 1393 V 686 1393 V 751 1393 V 759
1393 V 100 1395 660 2 v 99 1436 2 42 v 107 1436 V 171 1436
V 235 1436 V 300 1436 V 364 1436 V 387 1424 a(u)p 429 1436
V 493 1436 V 558 1436 V 622 1436 V 686 1436 V 751 1436 V 759
1436 V 100 1438 660 2 v 99 1480 2 42 v 107 1480 V 171 1480
V 235 1480 V 300 1480 V 364 1480 V 429 1480 V 452 1467 a(e)p
493 1480 V 558 1480 V 622 1480 V 686 1480 V 751 1480 V 759
1480 V 100 1481 660 2 v 100 1575 a Ff(No)o(w)e(\014ll)i(up)f(the)g(empt)o(y)g
(b)q(o)o(xes)g(with)g(random)h(letters.)100 1616 y(Easy)m(,)d(isn't)h(it?)17
b(Of)9 b(course,)i(there)f(ma)o(y)g(b)q(e)g(only)h(ab)q(out)100
1658 y(t)o(w)o(o)d(dozen)i(four-letter)g(w)o(ords)f(whic)o(h)h(can)g(b)q(e)f
(made)h(up)100 1699 y(using)16 b(a)e(giv)o(en)i(grid)f(of)f(random)h
(letters,)g(so)g(a)f(thief)s('s)100 1741 y(c)o(hance)f(of)f(b)q(eing)i(able)f
(to)g(use)g(a)f(stolen)i(card)e(has)h(just)100 1783 y(increased)h(from)f(1)g
(in)h(3,333)f(to)g(1)g(in)h(8.)62 1839 y Fe(\017)19 b Ff(One)14
b(small)h(institution)i(issued)e(the)f(same)g(PIN)f(to)h(all)100
1880 y(its)c(customers,)g(as)f(a)h(result)g(of)f(a)g(simple)i(programming)100
1922 y(error.)35 b(In)19 b(y)o(et)h(another,)h(a)e(programmer)h(arranged)100
1963 y(things)c(so)g(that)f(only)h(three)g(di\013eren)o(t)g(PINs)f(w)o(ere)g
(is-)100 2005 y(sued,)i(with)g(a)f(view)g(to)g(forging)i(cards)e(b)o(y)h(the)
f(thou-)100 2047 y(sand.)26 b(In)16 b(neither)h(case)f(w)o(as)g(the)g
(problem)i(detected)100 2088 y(un)o(til)e(some)g(considerable)i(time)d(had)h
(passed:)22 b(as)15 b(the)100 2130 y(liv)o(e)d(PIN)e(mailers)i(w)o(ere)e(sub)
r(jected)i(to)e(strict)h(handling)100 2171 y(precautions,)16
b(no)f(mem)o(b)q(er)g(of)f(sta\013)h(ev)o(er)g(got)g(hold)g(of)100
2213 y(more)e(than)g(his)h(o)o(wn)f(p)q(ersonal)i(accoun)o(t)f(mailer.)-31
2292 y(4.)19 b(Some)c(banks)i(do)f(not)f(deriv)o(e)i(the)f(PIN)f(from)g(the)g
(accoun)o(t)18 2334 y(n)o(um)o(b)q(er)e(b)o(y)g(encryption,)h(but)e(rather)h
(c)o(hose)g(random)g(PINs)18 2375 y(\(or)h(let)i(the)f(customers)h(c)o(ho)q
(ose)f(them\))g(and)h(then)f(encrypt)18 2417 y(them)f(for)f(storage.)20
b(Quite)15 b(apart)f(from)f(the)h(risk)h(that)f(cus-)18 2458
y(tomers)e(ma)o(y)h(c)o(ho)q(ose)g(PINs)g(whic)o(h)g(are)g(easy)g(to)f
(guess,)h(this)18 2500 y(has)g(a)g(n)o(um)o(b)q(er)h(of)f(tec)o(hnical)i
(pitfalls.)62 2580 y Fe(\017)k Ff(Some)f(banks)g(hold)h(the)f(encrypted)h
(PINs)e(on)h(a)g(\014le.)100 2621 y(This)k(means)f(that)g(a)g(programmer)h
(migh)o(t)g(observ)o(e)100 2663 y(that)10 b(the)h(encrypted)g(v)o(ersion)h
(of)e(his)h(o)o(wn)f(PIN)g(is)h(\(sa)o(y\))1196 -34 y Fc(132AD6409)o(BC)o
(A43)o(31)o Ff(,)k(and)i(searc)o(h)g(the)g(database)h(for)1196
7 y(all)c(other)f(accoun)o(ts)h(with)g(the)f(same)g(PIN.)1158
57 y Fe(\017)19 b Ff(One)9 b(large)i(UK)e(bank)h(ev)o(en)g(wrote)f(the)h
(encrypted)h(PIN)1196 98 y(to)j(the)g(card)h(strip.)22 b(It)14
b(to)q(ok)h(the)f(criminal)j(fraternit)o(y)1196 140 y(\014fteen)d(y)o(ears)h
(to)g(\014gure)g(out)g(that)f(y)o(ou)h(could)h(c)o(hange)1196
181 y(the)11 b(accoun)o(t)i(n)o(um)o(b)q(er)f(on)g(y)o(our)g(o)o(wn)f(card's)
h(magnetic)1196 223 y(strip)i(to)f(that)h(of)f(y)o(our)h(target,)f(and)h
(then)g(use)g(it)g(with)1196 264 y(y)o(our)f(o)o(wn)g(PIN)g(to)g(lo)q(ot)h
(his)f(accoun)o(t.)1196 310 y(In)c(fact,)g(the)h(Winc)o(hester)h(pair)f(used)
g(this)g(tec)o(hnique)h(as)1196 351 y(w)o(ell,)i(and)g(one)f(of)g(them)h
(wrote)f(a)g(do)q(cumen)o(t)i(ab)q(out)f(it)1196 393 y(whic)o(h)d(app)q(ears)
g(to)g(ha)o(v)o(e)g(circulated)h(in)f(the)g(UK)f(prison)1196
434 y(system)i([S];)f(and)h(there)g(are)g(curren)o(tly)h(t)o(w)o(o)f(other)g
(men)1196 476 y(a)o(w)o(aiting)j(trial)g(for)e(conspiring)k(to)c(defraud)i
(this)f(bank)1196 517 y(b)o(y)g(forging)h(cards.)1113 585 y(F)m(or)f(this)h
(reason,)g(VISA)f(recommends)h(that)f(banks)h(should)1113 627
y(com)o(bine)g(the)e(customer's)g(accoun)o(t)h(n)o(um)o(b)q(er)f(with)h(the)f
(PIN)1113 668 y(b)q(efore)i(encryption)h([VSM].)d(Not)h(all)h(of)f(them)g
(do.)1065 732 y(5.)18 b(Despite)f(all)g(these)e(horrors,)i(Britain)g(is)f(b)o
(y)f(no)h(means)g(the)1113 774 y(coun)o(try)f(w)o(orst)f(a\013ected)h(b)o(y)f
(card)h(forgery)m(.)20 b(That)14 b(dubious)1113 815 y(honour)i(go)q(es)g(to)e
(Italy)i([L2],)e(where)h(losses)h(amoun)o(t)f(to)g(al-)1113
857 y(most)10 b(0.5\045)g(of)g(A)m(TM)f(turno)o(v)o(er.)17
b(Banks)11 b(there)f(are)g(basically)1113 898 y(su\013ering)15
b(from)e(t)o(w)o(o)g(problems.)1158 966 y Fe(\017)19 b Ff(The)g(\014rst)g(is)
h(a)f(plague)i(of)e(b)q(ogus)h(A)m(TMs)f(-)g(devices)1196 1008
y(whic)o(h)13 b(lo)q(ok)h(lik)o(e)g(real)f(A)m(TMs,)f(and)h(ma)o(y)g(ev)o(en)
g(b)q(e)f(real)1196 1049 y(A)m(TMs,)d(but)g(whic)o(h)h(are)f(programmed)h(to)
f(capture)h(cus-)1196 1091 y(tomers')f(card)h(and)g(PIN)f(data.)16
b(As)9 b(w)o(e)g(sa)o(w)h(ab)q(o)o(v)o(e,)g(this)1196 1132
y(is)j(nothing)i(new)e(and)h(should)g(ha)o(v)o(e)g(b)q(een)g(exp)q(ected.)
1158 1182 y Fe(\017)19 b Ff(The)11 b(second)i(is)g(that)f(Italy's)g(A)m(TMs)f
(are)h(generally)j(of-)1196 1223 y(\015ine.)30 b(This)17 b(means)h(that)f(an)
o(y)o(one)h(can)f(op)q(en)h(an)f(ac-)1196 1265 y(coun)o(t,)h(get)f(a)g(card)h
(and)f(PIN,)g(mak)o(e)g(sev)o(eral)h(dozen)1196 1306 y(copies)f(of)f(the)g
(card,)g(and)h(get)f(accomplices)i(to)e(dra)o(w)1196 1348 y(cash)21
b(from)f(a)h(n)o(um)o(b)q(er)g(of)f(di\013eren)o(t)i(A)m(TMs)e(at)h(the)1196
1389 y(same)d(time.)32 b(This)19 b(is)f(also)h(nothing)h(new;)g(it)e(w)o(as)g
(a)1196 1431 y(fa)o(v)o(ourite)d(mo)q(dus)g(op)q(erandi)h(in)g(Britain)g(in)f
(the)f(early)1196 1472 y(1980's)f([W3].)1020 1609 y Fg(3.2)40
b(Mo)o(re)12 b(complex)g(attacks)1020 1721 y Ff(The)18 b(frauds)h(whic)o(h)f
(w)o(e)g(ha)o(v)o(e)h(describ)q(ed)h(so)e(far)g(ha)o(v)o(e)g(all)h(b)q(een)
1020 1762 y(due)12 b(to)f(fairly)h(simple)h(errors)f(of)f(implemen)o(tation)j
(and)e(op)q(eration.)1020 1804 y(Securit)o(y)k(researc)o(hers)f(ha)o(v)o(e)g
(tended)h(to)e(consider)i(suc)o(h)f(blunders)1020 1845 y(unin)o(teresting,)21
b(and)e(ha)o(v)o(e)f(therefore)g(concen)o(trated)h(on)f(attac)o(ks)1020
1887 y(whic)o(h)h(exploit)g(more)f(subtle)h(tec)o(hnical)h(w)o(eaknesses.)32
b(Banking)1020 1928 y(systems)14 b(ha)o(v)o(e)f(a)g(n)o(um)o(b)q(er)h(of)f
(these)g(w)o(eaknesses)h(to)q(o.)1076 2016 y(Although)f(high-tec)o(h)g(attac)
o(ks)e(on)h(banking)h(systems)f(are)f(rare,)1020 2057 y(they)j(are)f(of)g(in)
o(terest)h(from)f(the)g(public)i(p)q(olicy)g(p)q(oin)o(t)g(of)e(view,)g(as)
1020 2099 y(go)o(v)o(ernmen)o(t)j(initiati)q(v)o(es)i(suc)o(h)e(as)g(the)f
(EC's)g(Information)i(T)m(ec)o(h-)1020 2140 y(nology)c(Securit)o(y)g(Ev)n
(aluation)h(Criteria)f([ITSEC])d(aim)i(to)f(dev)o(elop)1020
2182 y(a)j(p)q(o)q(ol)h(of)e(ev)n(aluated)j(pro)q(ducts)f(whic)o(h)g(ha)o(v)o
(e)f(b)q(een)g(certi\014ed)h(free)1020 2223 y(of)e(kno)o(wn)g(tec)o(hnical)i
(lo)q(opholes.)1076 2311 y(The)d(basic)g(assumptions)i(b)q(ehind)g(this)e
(program)g(are)g(that)g(im-)1020 2352 y(plemen)o(tation)23
b(and)e(op)q(eration)h(will)g(b)q(e)e(essen)o(tially)k(error-free,)1020
2394 y(and)12 b(that)g(attac)o(k)o(ers)g(will)h(p)q(ossess)g(the)e(tec)o
(hnical)j(skills)g(whic)o(h)e(are)1020 2435 y(a)o(v)n(ailable)17
b(in)d(a)g(go)o(v)o(ernmen)o(t)h(signals)h(securit)o(y)f(agency)m(.)20
b(It)13 b(w)o(ould)1020 2477 y(therefore)g(seem)g(to)f(b)q(e)h(more)g(relev)n
(an)o(t)h(to)f(military)i(than)e(civilian)1020 2518 y(systems,)g(although)i
(w)o(e)e(will)h(ha)o(v)o(e)g(more)f(to)g(sa)o(y)g(on)h(this)f(later.)1076
2606 y(In)i(order)h(to)f(understand)i(ho)o(w)e(these)h(sophisticated)i(attac)
o(ks)1020 2647 y(migh)o(t)c(w)o(ork,)f(w)o(e)g(m)o(ust)h(lo)q(ok)h(at)e
(banking)i(securit)o(y)g(systems)f(in)g(a)1020 2689 y(little)h(more)e
(detail.)p eop
%%Page: 5 5
bop -76 -34 a Fg(3.2.1)39 b(Ho)o(w)12 b(A)m(TM)i(encryption)f(w)o(o)o(rks)-76
78 y Ff(Most)i(A)m(TMs)g(op)q(erate)g(using)h(some)g(v)n(arian)o(t)g(of)e(a)h
(system)g(dev)o(el-)-76 119 y(op)q(ed)j(b)o(y)f(IBM,)f(whic)o(h)i(is)g(do)q
(cumen)o(ted)g(in)f([MM].)f(This)i(uses)f(a)-76 161 y(secret)c(k)o(ey)m(,)g
(called)i(the)e(`PIN)g(k)o(ey',)f(to)h(deriv)o(e)h(the)g(PIN)e(from)h(the)-76
202 y(accoun)o(t)h(n)o(um)o(b)q(er,)g(b)o(y)f(means)h(of)e(a)h(published)k
(algorithm)e(kno)o(wn)-76 244 y(as)10 b(the)h(Data)f(Encryption)i(Standard,)g
(or)e(DES.)g(The)g(result)i(of)d(this)-76 285 y(op)q(eration)k(is)g(called)g
(the)f(`natural)g(PIN';)f(an)g(o\013set)h(can)g(b)q(e)g(added)-76
327 y(to)e(it)g(in)h(order)f(to)g(giv)o(e)g(the)g(PIN)g(whic)o(h)g(the)g
(customer)g(m)o(ust)g(en)o(ter.)-76 368 y(The)h(o\013set)f(has)h(no)g(real)g
(cryptographic)i(function;)f(it)f(just)g(enables)-76 410 y(customers)16
b(to)f(c)o(ho)q(ose)h(their)f(o)o(wn)g(PIN.)f(Here)h(is)h(an)f(example)h(of)
-76 451 y(the)d(pro)q(cess:)22 561 y Fc(Account)k(number:)213
b(8807012345)o(691)o(71)o(5)22 603 y(PIN)19 b(key:)351 b(FEFEFEFEFE)o(FEF)o
(EF)o(E)22 644 y(Result)18 b(of)g(DES:)234 b(A2CE126C69)o(AEC)o(82)o(D)22
686 y(Result)18 b(decimali)o(sed)o(:)134 b(0224126269)o(042)o(82)o(3)22
727 y(Natural)17 b(PIN:)273 b(0224)22 769 y(Offset:)370 b(6565)22
810 y(Customer)17 b(PIN:)253 b(6789)-20 962 y Ff(It)18 b(is)g(clear)h(that)f
(the)g(securit)o(y)h(of)f(the)g(system)g(dep)q(ends)i(on)-76
1003 y(k)o(eeping)d(the)e(PIN)f(k)o(ey)h(absolutely)j(secret.)23
b(The)14 b(usual)j(strategy)-76 1045 y(is)g(to)g(supply)i(a)d(`terminal)i(k)o
(ey')f(to)g(eac)o(h)g(A)m(TM)f(in)h(the)g(form)f(of)-76 1086
y(t)o(w)o(o)h(prin)o(ted)j(comp)q(onen)o(ts,)f(whic)o(h)g(are)f(carried)h(to)
e(the)h(branc)o(h)-76 1128 y(b)o(y)d(t)o(w)o(o)f(separate)i(o\016cials,)g
(input)g(at)f(the)f(A)m(TM)g(k)o(eyb)q(oard,)j(and)-76 1169
y(com)o(bined)g(to)f(form)f(the)h(k)o(ey)m(.)24 b(The)16 b(PIN)f(k)o(ey)m(,)h
(encrypted)g(under)-76 1211 y(this)i(terminal)g(k)o(ey)m(,)g(is)f(then)h(sen)
o(t)f(to)f(the)h(A)m(TM)f(b)o(y)i(the)e(bank's)-76 1252 y(cen)o(tral)e
(computer.)-20 1340 y(If)h(the)g(bank)g(joins)h(a)f(net)o(w)o(ork,)g(so)g
(that)h(customers)f(of)g(other)-76 1382 y(banks)20 b(can)e(use)h(its)g(A)m
(TMs,)f(then)h(the)g(picture)g(b)q(ecomes)g(more)-76 1423 y(complex)11
b(still.)18 b(`F)m(oreign')10 b(PINs)g(m)o(ust)g(b)q(e)g(encrypted)h(at)f
(the)g(A)m(TM)-76 1465 y(using)h(a)f(`w)o(orking')g(k)o(ey)g(it)g(shares)g
(with)g(its)g(o)o(wn)f(bank,)i(where)f(they)-76 1506 y(are)15
b(decrypted)g(and)h(immediately)h(re-encrypted)e(using)h(another)-76
1548 y(w)o(orking)e(k)o(ey)g(shared)g(with)f(the)g(card)h(issuing)h(bank.)-20
1636 y(These)i(w)o(orking)i(k)o(eys)e(in)h(turn)g(ha)o(v)o(e)g(to)f(b)q(e)g
(protected,)i(and)-76 1677 y(the)12 b(usual)h(arrangemen)o(t)g(is)g(that)f(a)
g(bank)h(will)g(share)f(a)g(`zone)g(k)o(ey')-76 1719 y(with)i(other)g(banks)h
(or)e(with)h(a)g(net)o(w)o(ork)g(switc)o(h,)g(and)g(use)g(this)g(to)-76
1760 y(encrypt)h(fresh)f(w)o(orking)h(k)o(eys)g(whic)o(h)f(are)g(set)g(up)h
(eac)o(h)f(morning.)-76 1802 y(It)h(ma)o(y)h(also)g(send)g(a)g(fresh)f(w)o
(orking)i(k)o(ey)f(ev)o(ery)f(da)o(y)h(to)g(eac)o(h)f(of)-76
1843 y(its)f(A)m(TMs,)e(b)o(y)h(encrypting)i(it)f(under)f(the)h(A)m(TM's)e
(terminal)i(k)o(ey)m(.)-20 1932 y(A)9 b(m)o(uc)o(h)g(fuller)h(description)i
(of)c(banking)j(securit)o(y)f(systems)g(can)-76 1973 y(b)q(e)h(found)g(in)h
(b)q(o)q(oks)g(suc)o(h)f(as)f([DP])h(and)g([MM],)f(and)h(in)g(equipmen)o(t)
-76 2015 y(man)o(uals)19 b(suc)o(h)e(as)g([VSM])f(and)i([NSM].)e(All)i(w)o(e)
e(really)j(need)e(to)-76 2056 y(kno)o(w)10 b(is)h(that)f(a)g(bank)h(has)f(a)g
(n)o(um)o(b)q(er)h(of)f(k)o(eys)g(whic)o(h)h(it)g(m)o(ust)f(k)o(eep)-76
2098 y(secret.)27 b(The)17 b(most)f(imp)q(ortan)o(t)i(of)e(these)h(is)g(of)f
(course)h(the)g(PIN)-76 2139 y(k)o(ey)m(,)12 b(as)f(an)o(y)o(one)h(who)g
(gets)f(hold)i(of)e(this)h(can)f(forge)h(a)f(card)h(for)f(an)o(y)-76
2181 y(customer's)k(accoun)o(t;)h(but)f(other)g(k)o(eys)g(\(suc)o(h)g(as)g
(terminal)h(k)o(eys,)-76 2222 y(zone)i(k)o(eys)f(and)h(w)o(orking)g(k)o
(eys\))f(could)h(also)g(b)q(e)f(used,)i(together)-76 2264 y(with)12
b(a)f(wiretap,)h(to)f(\014nd)h(out)g(customer)f(PINs)g(in)h(large)h(n)o(um)o
(b)q(ers.)-20 2352 y(Keeping)k(k)o(eys)g(secret)e(is)i(only)g(part)f(of)f
(the)h(problem.)27 b(They)-76 2393 y(m)o(ust)19 b(also)h(b)q(e)f(a)o(v)n
(ailable)i(for)e(use)g(at)g(all)h(times)f(b)o(y)g(authorised)-76
2435 y(pro)q(cesses.)36 b(The)19 b(PIN)f(k)o(ey)h(is)h(needed)g(all)g(the)f
(time)h(to)e(v)o(erify)-76 2476 y(transactions,)e(as)f(are)f(the)h(curren)o
(t)g(w)o(orking)g(k)o(eys;)g(the)g(terminal)-76 2518 y(k)o(eys)e(and)f(zone)h
(k)o(eys)f(are)g(less)h(critical,)h(but)e(are)g(still)i(used)f(once)f(a)-76
2559 y(da)o(y)i(to)f(set)g(up)g(new)g(w)o(orking)h(k)o(eys.)-20
2647 y(The)d(original)j(IBM)d(encryption)i(pro)q(ducts,)g(suc)o(h)e(as)h(PCF)
f(and)-76 2689 y(the)k(3848,)g(did)g(not)g(solv)o(e)g(the)g(problem:)21
b(they)15 b(only)g(did)h(the)e(en-)1020 -34 y(cryption)j(step,)e(and)h(left)f
(the)g(other)h(manipulations)i(to)d(a)g(main-)1020 7 y(frame)20
b(computer)g(program,)i(whic)o(h)e(eac)o(h)g(bank)h(had)f(to)g(write)1020
49 y(anew)f(for)g(itself.)36 b(Th)o(us)19 b(the)g(securit)o(y)i(dep)q(ended)f
(on)g(the)f(skill)1020 90 y(and)13 b(in)o(tegrit)o(y)h(of)e(eac)o(h)h(bank's)
g(system)g(dev)o(elopmen)o(t)h(and)f(main-)1020 132 y(tenance)h(sta\013.)1076
222 y(The)9 b(standard)i(approac)o(h)g(no)o(w)o(ada)o(ys)f(is)g(to)f(use)g(a)
h(device)g(called)1020 264 y(a)15 b(securit)o(y)h(mo)q(dule.)23
b(This)16 b(is)f(basically)j(a)d(PC)f(in)i(a)e(safe,)h(and)h(it)1020
305 y(is)f(programmed)h(to)f(manage)h(all)g(the)f(bank's)g(k)o(eys)g(and)h
(PINs)e(in)1020 347 y(suc)o(h)h(a)f(w)o(a)o(y)g(that)h(the)f(mainframe)i
(programmers)f(only)h(ev)o(er)e(see)1020 388 y(a)e(k)o(ey)g(or)g(PIN)g(in)g
(encrypted)i(form.)i(Banks)d(whic)o(h)g(b)q(elong)g(to)f(the)1020
430 y(VISA)j(and)i(Mastercard)f(A)m(TM)f(net)o(w)o(orks)h(are)g(supp)q(osed)h
(to)f(use)1020 471 y(securit)o(y)g(mo)q(dules,)h(in)f(order)f(to)g(prev)o(en)
o(t)h(an)o(y)g(bank)g(customer's)1020 513 y(PIN)c(b)q(ecoming)i(kno)o(wn)e
(to)g(a)g(programmer)h(w)o(orking)g(for)f(another)1020 554
y(bank)17 b(\(the)g(Mastercard)g(securit)o(y)h(requiremen)o(ts)g(are)e
(quoted)h(in)1020 596 y([MM];)12 b(for)h(VISA)g(see)g([VSM]\).)1020
738 y Fg(3.2.2)39 b(Problems)12 b(with)h(encryption)g(p)o(ro)q(ducts)1020
853 y Ff(In)e(practice,)i(there)e(are)g(a)h(n)o(um)o(b)q(er)g(of)f(problems)h
(with)g(encryption)1020 895 y(pro)q(ducts,)f(whether)f(the)g(old)g(3848s)h
(or)e(the)h(securit)o(y)h(mo)q(dules)g(no)o(w)1020 936 y(recommended)h(b)o(y)
f(banking)i(organisations)q(.)19 b(No)10 b(full)i(list)g(of)f(these)1020
978 y(problems,)i(whether)e(actual)h(or)e(p)q(oten)o(tial,)j(app)q(ears)f(to)
f(ha)o(v)o(e)g(b)q(een)1020 1019 y(published)16 b(an)o(ywhere,)e(but)f(they)h
(include)h(at)e(least)h(the)f(follo)o(wing)1020 1061 y(whic)o(h)h(ha)o(v)o(e)
f(come)h(to)f(our)g(notice:)1065 1186 y(1.)18 b(Although)23
b(VISA)d(and)h(Mastercard)h(ha)o(v)o(e)f(ab)q(out)h(10,000)1113
1228 y(mem)o(b)q(er)14 b(banks)g(in)g(the)g(USA)e(and)i(at)f(least)h(1,000)g
(of)f(these)1113 1269 y(do)i(their)g(o)o(wn)f(pro)q(cessing,)i(enquiries)g
(to)e(securit)o(y)i(mo)q(dule)1113 1311 y(salesmen)f(rev)o(eal)e(that)g(only)
h(300)g(of)e(these)h(pro)q(cessing)i(cen-)1113 1352 y(tres)c(had)g(actually)h
(b)q(ough)o(t)f(and)g(installed)i(these)e(devices)h(b)o(y)1113
1394 y(late)h(1990.)k(The)11 b(\014rst)h(problem)h(is)g(th)o(us)f(that)g(the)
f(hardw)o(are)1113 1435 y(v)o(ersion)17 b(of)d(the)h(pro)q(duct)h(do)q(es)f
(not)g(get)g(b)q(ough)o(t)h(at)f(all,)h(ei-)1113 1477 y(ther)e(b)q(ecause)h
(it)g(is)f(felt)g(to)g(b)q(e)g(to)q(o)g(exp)q(ensiv)o(e,)i(or)e(b)q(ecause)
1113 1518 y(it)g(seems)g(to)f(b)q(e)h(to)q(o)g(di\016cult)h(and)f
(time-consuming)i(to)e(in-)1113 1560 y(stall,)19 b(or)d(b)q(ecause)h(it)g(w)o
(as)f(not)g(supplied)j(b)o(y)e(IBM)f(\(whose)1113 1601 y(o)o(wn)f(securit)o
(y)h(mo)q(dule)h(pro)q(duct,)f(the)f(4753,)g(only)h(b)q(ecame)1113
1643 y(a)o(v)n(ailable)e(in)d(1990\).)17 b(Where)11 b(a)g(bank)g(has)g(no)g
(securit)o(y)h(mo)q(d-)1113 1684 y(ules,)21 b(the)e(PIN)g(encryption)i
(functions)f(will)g(t)o(ypically)i(b)q(e)1113 1726 y(p)q(erformed)17
b(in)f(soft)o(w)o(are,)g(with)g(a)g(n)o(um)o(b)q(er)h(of)e(undesirable)1113
1767 y(consequences.)1158 1845 y Fe(\017)k Ff(The)8 b(\014rst,)i(and)f(ob)o
(vious,)i(problem)f(with)g(soft)o(w)o(are)e(PIN)1196 1886 y(encryption)k(is)e
(that)g(the)h(PIN)e(k)o(ey)h(can)h(b)q(e)f(found)h(with-)1196
1928 y(out)k(to)q(o)g(m)o(uc)o(h)g(e\013ort)h(b)o(y)f(system)g(programmers.)
24 b(In)1196 1969 y(IBM's)14 b(pro)q(duct,)i(PCF,)e(the)g(man)o(ual)i(ev)o
(en)f(tells)h(ho)o(w)1196 2011 y(to)g(do)g(this.)27 b(Once)16
b(armed)h(with)f(the)h(PIN)e(k)o(ey)m(,)i(pro-)1196 2052 y(grammers)d(can)h
(easily)h(forge)e(cards;)h(and)g(ev)o(en)g(if)f(the)1196 2094
y(bank)f(installs)i(securit)o(y)f(mo)q(dules)g(later,)f(the)g(PIN)f(k)o(ey)
1196 2135 y(is)g(so)h(useful)g(for)f(debugging)j(the)d(systems)h(whic)o(h)g
(sup-)1196 2177 y(p)q(ort)c(A)m(TM)f(net)o(w)o(orking)i(that)f(kno)o(wledge)h
(of)f(it)g(is)g(lik)o(ely)1196 2218 y(to)j(p)q(ersist)h(among)g(the)g
(programming)h(sta\013)f(for)f(y)o(ears)1196 2260 y(afterw)o(ard.)1158
2315 y Fe(\017)19 b Ff(Programmers)13 b(at)g(one)g(bank)g(did)h(not)f(ev)o
(en)g(go)g(to)g(the)1196 2357 y(trouble)j(of)f(setting)h(up)f(master)g(k)o
(eys)g(for)g(its)g(encryp-)1196 2398 y(tion)c(soft)o(w)o(are.)16
b(They)10 b(just)h(directed)g(the)g(k)o(ey)g(p)q(oin)o(ters)1196
2440 y(to)g(an)i(area)f(of)g(lo)o(w)g(memory)g(whic)o(h)h(is)f(alw)o(a)o(ys)h
(zero)f(at)1196 2481 y(system)k(startup.)28 b(The)17 b(e\013ect)g(of)f(this)h
(w)o(as)f(that)h(the)1196 2523 y(liv)o(e)e(and)f(test)g(systems)g(could)i
(use)e(the)g(same)g(crypto-)1196 2564 y(graphic)k(k)o(ey)f(dataset,)h(and)f
(the)g(bank's)h(tec)o(hnicians)1196 2606 y(found)g(that)f(they)h(could)h(w)o
(ork)e(out)g(customer)h(PINs)1196 2647 y(on)e(their)h(test)f(equipmen)o(t.)28
b(Some)17 b(of)f(them)g(used)h(to)1196 2689 y(c)o(harge)c(the)g(lo)q(cal)h
(underw)o(orld)g(to)f(calculate)h(PINs)f(on)p eop
%%Page: 6 6
bop 100 -34 a Ff(stolen)18 b(cards;)h(when)e(the)g(bank's)g(securit)o(y)h
(manager)100 7 y(found)h(that)g(this)h(w)o(as)f(going)h(on,)g(he)f(w)o(as)g
(killed)i(in)100 49 y(a)d(road)i(acciden)o(t)g(\(of)e(whic)o(h)h(the)g(lo)q
(cal)i(p)q(olice)f(con-)100 90 y(v)o(enien)o(tly)h(lost)f(the)g(records\).)37
b(The)19 b(bank)h(has)g(not)100 132 y(b)q(othered)14 b(to)f(send)g(out)g(new)
g(cards)h(to)e(its)i(customers.)-31 201 y(2.)19 b(The)11 b(`buy-IBM-or-else')
h(p)q(olicy)i(of)d(man)o(y)h(banks)g(has)g(bac)o(k-)18 243
y(\014red)20 b(in)g(more)f(subtle)i(w)o(a)o(ys.)36 b(One)19
b(bank)i(had)f(a)f(p)q(olicy)18 284 y(that)11 b(only)h(IBM)f(3178)h
(terminals)h(could)f(b)q(e)f(purc)o(hased,)i(but)18 326 y(the)j(VISA)g
(securit)o(y)i(mo)q(dules)g(they)f(used)g(could)h(not)e(talk)18
367 y(to)d(these)g(devices)i(\(they)e(needed)h(DEC)f(VT)g(100s)g(instead\).)
18 409 y(When)k(the)g(bank)h(wished)g(to)f(establish)i(a)e(zone)h(k)o(ey)f
(with)18 450 y(VISA)i(using)i(their)f(securit)o(y)h(mo)q(dule,)h(they)e
(found)h(they)18 492 y(had)c(no)g(terminal)h(whic)o(h)g(w)o(ould)f(driv)o(e)h
(it.)28 b(A)17 b(con)o(tractor)18 533 y(obligingly)h(len)o(t)d(them)g(a)f
(laptop)i(PC,)e(together)h(with)g(soft-)18 575 y(w)o(are)e(whic)o(h)h(em)o
(ulated)h(a)e(VT100.)18 b(With)d(this)f(the)g(v)n(arious)18
616 y(in)o(ternal)e(auditors,)h(senior)f(managers)f(and)h(other)f(bank)g
(dig-)18 658 y(nitaries)g(duly)g(created)f(the)f(required)i(zone)f(k)o(eys)g
(and)g(p)q(osted)18 699 y(them)j(o\013)g(to)g(VISA.)18 752
y(Ho)o(w)o(ev)o(er,)i(none)h(of)f(them)g(realised)i(that)f(most)f(PC)g
(termi-)18 794 y(nal)h(em)o(ulation)h(soft)o(w)o(are)e(pac)o(k)n(ages)h(can)g
(b)q(e)f(set)h(to)f(log)h(all)18 835 y(the)c(transactions)j(passing)f
(through,)g(and)f(this)h(is)f(precisely)18 877 y(what)i(the)g(con)o(tractor)h
(did.)26 b(He)15 b(captured)h(the)g(clear)g(zone)18 918 y(k)o(ey)d(as)g(it)g
(w)o(as)g(created,)g(and)g(later)h(used)f(it)h(to)e(decrypt)i(the)18
960 y(bank's)f(PIN)e(k)o(ey)m(.)17 b(F)m(ortunately)d(for)e(them)h(\(and)g
(VISA\),)e(he)18 1001 y(did)g(this)h(only)g(for)e(fun)h(and)g(did)h(not)f
(plunder)i(their)e(net)o(w)o(ork)18 1043 y(\(or)i(so)g(he)g(claims\).)-31
1107 y(3.)19 b(Not)c(all)i(securit)o(y)h(pro)q(ducts)f(are)f(equally)i(go)q
(o)q(d,)f(and)g(v)o(ery)18 1149 y(few)9 b(banks)i(ha)o(v)o(e)f(the)h(exp)q
(ertise)g(to)f(tell)h(the)f(go)q(o)q(d)h(ones)f(from)18 1190
y(the)j(medio)q(cre.)62 1260 y Fe(\017)19 b Ff(The)f(securit)o(y)h(mo)q
(dule's)h(soft)o(w)o(are)e(ma)o(y)g(ha)o(v)o(e)h(trap-)100
1301 y(do)q(ors)14 b(left)f(for)g(the)h(con)o(v)o(enience)h(of)e(the)g(v)o
(endor's)h(en-)100 1343 y(gineers.)j(W)m(e)11 b(only)h(found)f(this)g(out)g
(b)q(ecause)g(one)g(bank)100 1384 y(had)18 b(no)g(prop)q(er)h(A)m(TM)e(test)h
(en)o(vironmen)o(t;)k(when)c(it)100 1426 y(decided)g(to)e(join)h(a)f(net)o(w)
o(ork,)h(the)f(v)o(endor's)h(systems)100 1467 y(engineer)c(could)g(not)f(get)
g(the)g(gatew)o(a)o(y)g(w)o(orking,)h(and,)100 1509 y(out)i(of)f
(frustration,)i(he)f(used)h(one)f(of)g(these)g(tric)o(ks)g(to)100
1550 y(extract)d(the)f(PIN)g(k)o(ey)h(from)f(the)h(system,)g(in)g(the)f(hop)q
(e)100 1592 y(that)k(this)g(w)o(ould)h(help)g(him)f(\014nd)h(the)f(problem.)
23 b(The)100 1633 y(existence)18 b(of)f(suc)o(h)g(trap)q(do)q(ors)h(mak)o(es)
g(it)f(imp)q(ossible)100 1675 y(to)f(devise)j(e\013ectiv)o(e)f(con)o(trol)g
(pro)q(cedures)g(o)o(v)o(er)f(secu-)100 1716 y(rit)o(y)c(mo)q(dules,)h(and)g
(w)o(e)e(ha)o(v)o(e)i(so)f(far)f(b)q(een)i(luc)o(ky)g(that)100
1758 y(none)f(of)g(these)g(engineers)h(ha)o(v)o(e)g(tried)f(to)g(get)f(in)o
(to)i(the)100 1800 y(card)c(forgery)g(business)i(\(or)e(b)q(een)h(forced)f
(to)g(co)q(op)q(erate)100 1841 y(with)j(organised)i(crime\).)62
1891 y Fe(\017)k Ff(Some)14 b(brands)h(of)f(securit)o(y)h(mo)q(dule)g(mak)o
(e)f(particular)100 1933 y(attac)o(ks)9 b(easier.)17 b(W)m(orking)11
b(k)o(eys)e(ma)o(y)m(,)h(for)f(example,)i(b)q(e)100 1974 y(generated)k(b)o(y)
f(encrypting)i(a)f(time-of-da)o(y)f(clo)q(c)o(k)i(and)100 2016
y(th)o(us)11 b(ha)o(v)o(e)g(only)h(20)f(bits)h(of)e(div)o(ersit)o(y)j(rather)
e(than)g(the)100 2057 y(exp)q(ected)j(56.)19 b(Th)o(us,)14
b(according)h(to)e(probabili)q(t)o(y)j(the-)100 2099 y(ory)m(,)g(it)g(is)h
(lik)o(ely)h(that)e(once)g(ab)q(out)h(1,000)f(k)o(eys)h(ha)o(v)o(e)100
2140 y(b)q(een)e(generated,)g(there)f(will)i(b)q(e)e(t)o(w)o(o)g(of)g(them)g
(whic)o(h)100 2182 y(are)i(the)g(same.)26 b(This)16 b(mak)o(es)h(p)q(ossible)
h(a)e(n)o(um)o(b)q(er)g(of)100 2223 y(subtle)j(attac)o(ks)g(in)g(whic)o(h)g
(the)g(enem)o(y)g(manipulates)100 2265 y(the)13 b(bank's)g(data)g(comm)o
(unications)j(so)d(that)g(transac-)100 2306 y(tions)h(generated)g(b)o(y)f
(one)g(terminal)i(seem)e(to)g(b)q(e)g(com-)100 2348 y(ing)h(from)e(another.)
62 2398 y Fe(\017)19 b Ff(A)d(securit)o(y)h(mo)q(dule's)h(basic)g(purp)q(ose)
f(is)g(to)g(prev)o(en)o(t)100 2440 y(programmers,)g(and)g(sta\013)g(with)f
(access)h(to)f(the)g(com-)100 2481 y(puter)11 b(ro)q(om,)h(from)f(getting)h
(hold)g(of)f(the)g(bank's)h(cryp-)100 2523 y(tographic)18 b(k)o(eys.)29
b(Ho)o(w)o(ev)o(er,)18 b(the)f(`secure')g(enclosure)100 2564
y(in)12 b(whic)o(h)h(the)e(mo)q(dule's)i(electronics)h(is)e(pac)o(k)n(aged)h
(can)100 2606 y(often)j(b)q(e)h(p)q(enetrated)h(b)o(y)f(cutting)h(or)e
(drillin)q(g.)30 b(The)100 2647 y(author)16 b(has)f(ev)o(en)g(help)q(ed)i(a)e
(bank)h(to)f(do)g(this,)h(when)100 2689 y(it)d(lost)h(the)f(ph)o(ysical)i(k)o
(ey)f(for)f(its)g(securit)o(y)h(mo)q(dules.)1158 -34 y Fe(\017)19
b Ff(A)14 b(common)i(mak)o(e)f(of)g(securit)o(y)h(mo)q(dule)g(implemen)o(ts)
1196 7 y(the)h(tamp)q(er-protection)j(b)o(y)e(means)g(of)f(wires)h(whic)o(h)
1196 49 y(lead)h(to)g(the)g(switc)o(hes.)35 b(It)18 b(w)o(ould)i(b)q(e)f
(trivial)i(for)d(a)1196 90 y(main)o(tenance)13 b(engineer)g(to)e(cut)g
(these,)h(and)g(then)g(next)1196 132 y(time)19 b(he)g(visited)h(that)f(bank)g
(he)g(w)o(ould)h(b)q(e)f(able)g(to)1196 173 y(extract)13 b(clear)h(k)o(eys.)
1158 229 y Fe(\017)19 b Ff(Securit)o(y)c(mo)q(dules)g(ha)o(v)o(e)f(their)g(o)
o(wn)g(master)f(k)o(eys)h(for)1196 271 y(in)o(ternal)19 b(use,)g(and)g(these)
f(k)o(eys)g(ha)o(v)o(e)g(to)g(bac)o(k)o(ed)h(up)1196 313 y(somewhere.)d(The)9
b(bac)o(kup)i(is)f(often)g(in)h(an)e(easily)j(read-)1196 354
y(able)k(form,)g(suc)o(h)g(as)g(PR)o(OM)g(c)o(hips,)h(and)f(these)g(ma)o(y)
1196 396 y(need)d(to)h(b)q(e)f(read)h(from)f(time)g(to)g(time,)h(suc)o(h)g
(as)f(when)1196 437 y(transferring)20 b(con)o(trol)f(o)o(v)o(er)g(a)f(set)g
(of)h(zone)f(and)h(ter-)1196 479 y(minal)d(k)o(eys)f(from)f(one)h(mak)o(e)f
(of)h(securit)o(y)g(mo)q(dule)h(to)1196 520 y(another.)j(In)14
b(suc)o(h)g(cases,)g(the)f(bank)i(is)f(comp)q(etely)h(at)1196
562 y(the)e(mercy)h(of)g(the)f(exp)q(erts)i(carrying)g(out)f(the)g(op)q(era-)
1196 603 y(tion.)1158 659 y Fe(\017)19 b Ff(A)m(TM)f(design)j(is)f(also)g(at)
g(issue)g(here.)36 b(Some)20 b(older)1196 701 y(mak)o(es)13
b(put)g(the)f(encryption)j(in)e(the)g(wrong)g(place)g(-)f(in)1196
742 y(the)i(con)o(troller)i(rather)e(than)h(in)g(the)f(disp)q(enser)i
(itself.)1196 784 y(The)10 b(con)o(troller)j(w)o(as)d(in)o(tended)j(to)e(sit)
g(next)g(to)g(the)f(dis-)1196 825 y(p)q(enser)17 b(inside)h(a)e(branc)o(h,)h
(but)g(man)o(y)f(A)m(TMs)g(are)g(no)1196 867 y(longer)g(an)o(ywhere)g(near)f
(a)g(bank)h(buildin)q(g.)26 b(One)15 b(UK)1196 908 y(univ)o(ersit)o(y)i(had)f
(a)g(mac)o(hine)h(on)e(campus)i(whic)o(h)f(sen)o(t)1196 950
y(clear)g(PINs)g(and)g(accoun)o(t)h(data)f(do)o(wn)g(a)g(phone)h(line)1196
991 y(to)11 b(a)h(con)o(troller)h(in)g(its)f(mother)g(branc)o(h,)g(whic)o(h)h
(is)f(sev-)1196 1033 y(eral)k(miles)h(a)o(w)o(a)o(y)e(in)h(to)o(wn.)25
b(An)o(y)o(one)16 b(who)f(b)q(orro)o(w)o(ed)1196 1074 y(a)h(datascop)q(e)i
(and)f(used)g(it)g(on)g(this)g(line)h(could)g(ha)o(v)o(e)1196
1116 y(forged)13 b(cards)h(b)o(y)f(the)g(thousand.)1065 1195
y(4.)18 b(Ev)o(en)f(where)f(one)h(of)e(the)i(b)q(etter)f(pro)q(ducts)h(is)g
(purc)o(hased,)1113 1237 y(there)d(are)g(man)o(y)g(w)o(a)o(ys)g(in)g(whic)o
(h)h(a)f(p)q(o)q(or)g(implemen)o(tation)1113 1278 y(or)f(slopp)o(y)h(op)q
(erating)g(pro)q(cedures)g(can)e(lea)o(v)o(e)i(the)e(bank)h(ex-)1113
1320 y(p)q(osed.)1158 1399 y Fe(\017)19 b Ff(Most)f(securit)o(y)h(mo)q(dules)
h(return)f(a)f(whole)h(range)f(of)1196 1441 y(resp)q(onse)12
b(co)q(des)g(to)g(incoming)i(transactions.)k(A)11 b(n)o(um-)1196
1482 y(b)q(er)g(of)g(these,)g(suc)o(h)h(as)f(`k)o(ey)g(parit)o(y)i(error')e
([VSM])f(giv)o(e)1196 1524 y(adv)n(ance)21 b(w)o(arning)g(that)f(a)g
(programmer)h(is)f(exp)q(eri-)1196 1565 y(men)o(ting)14 b(with)f(a)g(liv)o(e)
i(mo)q(dule.)j(Ho)o(w)o(ev)o(er,)13 b(few)f(banks)1196 1607
y(b)q(other)g(to)g(write)h(the)f(device)h(driv)o(er)g(soft)o(w)o(are)f
(needed)1196 1648 y(to)h(in)o(tercept)h(and)f(act)g(on)h(these)f(w)o
(arnings.)1158 1705 y Fe(\017)19 b Ff(W)m(e)11 b(kno)o(w)h(of)f(cases)h
(where)g(a)f(bank)i(sub)q(con)o(tracted)g(all)1196 1746 y(or)k(part)h(of)f
(its)g(A)m(TM)g(system)h(to)f(a)g(`facilities)j(man-)1196 1788
y(agemen)o(t')f(\014rm,)h(and)g(ga)o(v)o(e)f(this)h(\014rm)f(its)h(PIN)e(k)o
(ey)m(.)1196 1829 y(There)13 b(ha)o(v)o(e)h(also)h(b)q(een)f(cases)g(where)f
(PIN)h(k)o(eys)g(ha)o(v)o(e)1196 1871 y(b)q(een)j(shared)h(b)q(et)o(w)o(een)f
(t)o(w)o(o)g(or)g(more)g(banks.)30 b(Ev)o(en)1196 1912 y(if)18
b(all)h(bank)f(sta\013)g(could)i(b)q(e)d(trusted,)j(outside)f(\014rms)1196
1954 y(ma)o(y)c(not)g(share)g(the)g(banks')h(securit)o(y)g(culture:)21
b(their)1196 1995 y(sta\013)13 b(are)f(not)h(alw)o(a)o(ys)h(v)o(etted,)e(are)
h(not)g(tied)g(do)o(wn)g(for)1196 2037 y(life)g(with)g(c)o(heap)h(mortgages,)
f(and)h(are)e(more)h(lik)o(ely)i(to)1196 2078 y(ha)o(v)o(e)d(the)g(com)o
(bination)i(of)e(y)o(outh,)g(lo)o(w)g(pa)o(y)m(,)g(curiosit)o(y)1196
2120 y(and)j(rec)o(klessness)h(whic)o(h)f(can)f(lead)i(to)e(a)g(no)o(v)o(el)i
(fraud)1196 2161 y(b)q(eing)e(conceiv)o(ed)h(and)f(carried)g(out.)1158
2217 y Fe(\017)19 b Ff(Key)e(managemen)o(t)h(is)f(usually)j(p)q(o)q(or.)29
b(W)m(e)18 b(ha)o(v)o(e)f(ex-)1196 2259 y(p)q(erience)i(of)f(a)f(main)o
(tenance)j(engineer)g(b)q(eing)f(giv)o(en)1196 2300 y(b)q(oth)d(of)g(the)g
(PR)o(OMs)g(in)h(whic)o(h)g(the)f(securit)o(y)h(mo)q(d-)1196
2342 y(ule)11 b(master)f(k)o(eys)h(are)f(stored.)17 b(Although)11
b(dual)h(con)o(trol)1196 2383 y(pro)q(cedures)g(existed)h(in)f(theory)m(,)g
(the)f(sta\013)h(had)g(turned)1196 2425 y(o)o(v)o(er)h(since)g(the)g(PR)o
(OMs)g(w)o(ere)f(last)i(used,)f(and)g(so)g(no-)1196 2466 y(one)f(had)g(an)o
(y)h(idea)g(what)f(to)g(do.)k(The)c(engineer)i(could)1196 2508
y(not)e(only)i(ha)o(v)o(e)f(forged)g(cards;)g(he)f(could)i(ha)o(v)o(e)f(w)o
(alk)o(ed)1196 2550 y(o\013)e(with)g(the)f(PR)o(OMs)h(and)h(sh)o(ut)f(do)o
(wn)g(all)h(the)e(bank's)1196 2591 y(A)m(TM)i(op)q(erations.)1158
2647 y Fe(\017)19 b Ff(A)o(t)13 b(branc)o(h)i(lev)o(el,)g(to)q(o,)f(k)o(ey)g
(managemen)o(t)h(is)g(a)f(prob-)1196 2689 y(lem.)36 b(As)18
b(w)o(e)h(ha)o(v)o(e)h(seen,)g(the)g(theory)g(is)f(that)h(t)o(w)o(o)p
eop
%%Page: 7 7
bop 100 -34 a Ff(bank)o(ers)21 b(t)o(yp)q(e)g(in)g(one)g(k)o(ey)g(comp)q
(onen)o(t)g(eac)o(h,)i(and)100 7 y(these)11 b(are)g(com)o(bined)h(to)f(giv)o
(e)g(a)g(terminal)h(master)f(k)o(ey;)100 49 y(the)i(PIN)g(k)o(ey)m(,)g
(encrypted)h(under)g(this)g(terminal)h(mas-)100 90 y(ter)e(k)o(ey)m(,)h(is)h
(then)f(sen)o(t)g(to)g(the)g(A)m(TM)f(during)j(the)e(\014rst)100
132 y(service)g(transaction)h(after)d(main)o(tenance.)100 178
y(If)g(the)h(main)o(tenance)i(engineer)g(can)e(get)g(hold)i(of)e(b)q(oth)100
220 y(the)g(k)o(ey)g(comp)q(onen)o(ts,)g(he)g(can)g(decrypt)h(the)f(PIN)f(k)o
(ey)100 261 y(and)e(forge)g(cards.)16 b(In)10 b(practice,)i(the)d(branc)o(h)i
(managers)100 303 y(who)19 b(ha)o(v)o(e)h(custo)q(dy)g(of)f(the)h(k)o(eys)f
(are)h(quite)g(happ)o(y)100 344 y(to)14 b(giv)o(e)i(them)f(to)f(him,)i(as)e
(they)h(don't)g(lik)o(e)h(standing)100 386 y(around)i(while)h(the)e(mac)o
(hine)i(is)f(serviced.)31 b(F)m(urther-)100 427 y(more,)14
b(en)o(tering)i(a)f(terminal)h(k)o(ey)f(comp)q(onen)o(t)h(means)100
469 y(using)21 b(a)f(k)o(eyb)q(oard,)i(whic)o(h)f(man)o(y)f(older)h(managers)
100 511 y(consider)14 b(to)f(b)q(e)h(b)q(eneath)g(their)g(dignit)o(y)m(.)62
562 y Fe(\017)19 b Ff(W)m(e)12 b(ha)o(v)o(e)g(accoun)o(ts)h(of)f(k)o(eys)g(b)
q(eing)i(k)o(ept)e(in)h(op)q(en)f(cor-)100 604 y(resp)q(ondence)21
b(\014les,)g(rather)e(than)g(b)q(eing)i(lo)q(c)o(k)o(ed)f(up.)100
645 y(This)d(applies)i(not)e(just)g(to)g(A)m(TM)f(k)o(eys,)i(but)f(also)h(to)
100 687 y(k)o(eys)10 b(for)g(in)o(terbank)i(systems)f(suc)o(h)g(as)f(SWIFT,)g
(whic)o(h)100 728 y(handles)17 b(transactions)g(w)o(orth)e(billion)q(s.)26
b(It)15 b(migh)o(t)h(b)q(e)100 770 y(sensible)11 b(to)e(use)h(initiali)q
(sati)q(on)i(k)o(eys,)e(suc)o(h)g(as)g(terminal)100 811 y(k)o(eys)16
b(and)h(zone)f(k)o(eys,)g(once)h(only)g(and)f(then)h(destro)o(y)100
853 y(them.)62 905 y Fe(\017)i Ff(Underlying)c(man)o(y)e(of)f(these)h(con)o
(trol)h(failures)g(is)g(p)q(o)q(or)100 946 y(design)e(psyc)o(hology)m(.)18
b(Bank)11 b(branc)o(hes)h(\(and)e(computer)100 988 y(cen)o(tres\))h(ha)o(v)o
(e)h(to)g(cut)f(corners)h(to)g(get)f(the)h(da)o(y's)f(w)o(ork)100
1029 y(done,)20 b(and)g(only)g(those)f(con)o(trol)h(pro)q(cedures)g(whose)100
1071 y(purp)q(ose)h(is)f(eviden)o(t)h(are)f(lik)o(ely)i(to)e(b)q(e)g
(strictly)h(ob-)100 1112 y(serv)o(ed.)16 b(F)m(or)10 b(example,)i(sharing)g
(the)e(branc)o(h)i(safe)e(k)o(eys)100 1154 y(b)q(et)o(w)o(een)k(the)h
(manager)g(and)g(the)g(accoun)o(tan)o(t)g(is)g(w)o(ell)100
1195 y(understo)q(o)q(d:)i(it)11 b(protects)h(b)q(oth)f(of)f(them)h(from)f
(ha)o(ving)100 1237 y(their)k(families)i(tak)o(en)e(hostage.)19
b(Cryptographic)d(k)o(eys)100 1278 y(are)e(often)g(not)g(pac)o(k)n(aged)i(in)
e(as)h(user-friendly)h(a)e(w)o(a)o(y)m(,)100 1320 y(and)k(are)g(th)o(us)h
(not)f(lik)o(ely)i(to)e(b)q(e)g(managed)h(as)f(w)o(ell.)100
1362 y(Devices)f(whic)o(h)f(actually)h(lo)q(ok)g(lik)o(e)g(k)o(eys)e(\(along)
i(the)100 1403 y(lines)11 b(of)f(military)i(crypto)f(ignition)i(k)o(eys\))d
(ma)o(y)h(b)q(e)f(part)100 1445 y(of)i(the)i(answ)o(er)f(here.)62
1496 y Fe(\017)19 b Ff(W)m(e)c(could)h(write)f(at)g(great)g(length)h(ab)q
(out)g(impro)o(ving)100 1538 y(op)q(erational)e(pro)q(cedures)e(\(this)g(is)g
(not)g(a)f(threat!\),)g(but)100 1579 y(if)f(the)g(ob)r(ject)g(of)g(the)g
(exercise)h(is)f(to)g(prev)o(en)o(t)h(an)o(y)f(cryp-)100 1621
y(tographic)i(k)o(ey)e(from)h(falling)h(in)o(to)f(the)g(hands)g(of)f(some-)
100 1662 y(one)k(who)f(is)h(tec)o(hnically)j(able)e(to)e(abuse)i(it,)e(then)h
(this)100 1704 y(should)19 b(b)q(e)e(stated)h(as)f(an)h(explicit)i(ob)r
(jectiv)o(e)e(in)g(the)100 1745 y(man)o(uals)h(and)f(training)i(courses.)31
b(`Securit)o(y)18 b(b)o(y)g(ob-)100 1787 y(scurit)o(y')c(often)f(do)q(es)g
(more)g(harm)h(than)f(go)q(o)q(d.)-31 1859 y(5.)19 b(Cryptanalysis)d(ma)o(y)e
(b)q(e)g(one)g(of)g(the)f(less)i(lik)o(ely)h(threats)e(to)18
1901 y(banking)20 b(systems,)g(but)e(it)h(cannot)g(b)q(e)g(completely)h
(ruled)18 1942 y(out.)62 2014 y Fe(\017)f Ff(Some)10 b(banks)g(\(including)j
(large)d(and)g(famous)g(ones\))g(are)100 2056 y(still)i(using)g(home-gro)o
(wn)f(encryption)h(algorithms)h(of)d(a)100 2097 y(pre-DES)k(vin)o(tage.)22
b(One)13 b(switc)o(hing)j(net)o(w)o(ork)e(merely)100 2139 y(`scram)o(bled')i
(data)f(blo)q(c)o(ks)i(b)o(y)e(adding)i(a)e(constan)o(t)h(to)100
2180 y(them;)10 b(this)h(w)o(en)o(t)e(unprotested)i(for)e(\014v)o(e)h(y)o
(ears,)h(despite)100 2222 y(the)19 b(net)o(w)o(ork)f(ha)o(ving)j(o)o(v)o(er)e
(fort)o(y)f(mem)o(b)q(er)h(banks)h(-)100 2263 y(all)14 b(of)f(whose)g
(insurance)i(assessors,)f(auditors)h(and)e(se-)100 2305 y(curit)o(y)k
(consultan)o(ts)i(presumably)f(read)f(through)h(the)100 2346
y(system)13 b(sp)q(eci\014cation.)62 2398 y Fe(\017)19 b Ff(In)f(one)h(case,)
g(the)g(t)o(w)o(o)f(defendan)o(ts)h(tried)g(to)f(en)o(tice)100
2440 y(a)g(univ)o(ersit)o(y)j(studen)o(t)e(in)o(to)h(helping)g(them)f(break)g
(a)100 2481 y(bank's)e(proprietary)h(algorithm.)28 b(This)17
b(studen)o(t)f(w)o(as)100 2523 y(studying)h(at)e(a)g(maths)g(departmen)o(t)i
(where)e(teac)o(hing)100 2564 y(and)21 b(researc)o(h)g(in)h(cryptology)g(tak)
o(es)f(place,)i(so)e(the)100 2606 y(skills)c(and)f(the)f(reference)g(b)q(o)q
(oks)h(w)o(ere)e(indeed)j(a)o(v)n(ail-)100 2647 y(able.)i(F)m(ortunately)c
(for)e(the)g(bank,)h(the)f(studen)o(t)h(w)o(en)o(t)100 2689
y(to)f(the)g(p)q(olice)i(and)e(turned)h(them)f(in.)1158 -34
y Fe(\017)19 b Ff(Ev)o(en)d(where)g(a)g(`resp)q(ectable')i(algorithm)g(is)e
(used,)i(it)1196 7 y(ma)o(y)13 b(b)q(e)h(implemen)o(ted)i(with)e(w)o(eak)g
(parameters.)19 b(F)m(or)1196 49 y(example,)14 b(banks)f(ha)o(v)o(e)h
(implemen)o(ted)h(RSA)e(with)g(k)o(ey)1196 90 y(sizes)j(b)q(et)o(w)o(een)h
(100)f(and)h(400)f(bits,)h(despite)g(the)f(fact)1196 132 y(that)11
b(they)h(k)o(ey)g(needs)g(to)f(b)q(e)h(at)f(least)i(500)f(bits)g(to)f(giv)o
(e)1196 173 y(an)o(y)i(real)h(margin)g(of)f(securit)o(y)m(.)1158
228 y Fe(\017)19 b Ff(Ev)o(en)11 b(with)f(the)h(righ)o(t)g(parameters,)h(an)e
(algorithm)j(can)1196 269 y(easily)19 b(b)q(e)e(implemen)o(ted)i(the)f(wrong)
f(w)o(a)o(y)m(.)29 b(W)m(e)17 b(sa)o(w)1196 311 y(ab)q(o)o(v)o(e)g(ho)o(w)f
(writing)i(the)e(PIN)g(to)g(the)g(card)h(trac)o(k)g(is)1196
352 y(useless,)h(unless)g(the)e(encryption)j(is)e(salted)g(with)g(the)1196
394 y(accoun)o(t)d(n)o(um)o(b)q(er)g(or)f(otherwise)h(tied)h(to)e(the)g
(individ)q(-)1196 435 y(ual)d(card;)h(there)f(are)f(man)o(y)i(other)f(subtle)
g(errors)g(whic)o(h)1196 477 y(can)19 b(b)q(e)g(made)g(in)h(designing)i
(cryptographic)f(proto-)1196 518 y(cols,)15 b(and)g(the)f(study)h(of)f(them)g
(is)h(a)f(whole)h(discipli)q(ne)1196 560 y(of)d(itself)i([BAN].)e(In)g(fact,)
h(there)g(is)g(op)q(en)h(con)o(tro)o(v)o(ersy)1196 601 y(ab)q(out)20
b(the)g(design)i(of)d(a)h(new)g(banking)i(encryption)1196 643
y(standard,)16 b(ISO)f(11166,)h(whic)o(h)g(is)f(already)i(in)e(use)h(b)o(y)
1196 684 y(some)d(2,000)g(banks)h(w)o(orldwide)h([R].)1158
738 y Fe(\017)k Ff(It)f(is)i(also)g(p)q(ossible)i(to)d(\014nd)h(a)f(DES)h(k)o
(ey)f(b)o(y)h(brute)1196 780 y(force,)c(b)o(y)h(trying)g(all)h(the)e(p)q
(ossible)i(encryption)h(k)o(eys)1196 821 y(un)o(til)12 b(y)o(ou)g(\014nd)f
(the)g(one)g(whic)o(h)h(the)f(target)g(bank)h(uses.)1196 863
y(The)k(proto)q(cols)i(used)f(in)h(in)o(ternational)h(net)o(w)o(orks)e(to)
1196 905 y(encrypt)j(w)o(orking)g(k)o(eys)g(under)g(zone)g(k)o(eys)g(mak)o(e)
g(it)1196 946 y(easy)15 b(to)g(attac)o(k)g(a)g(zone)h(k)o(ey)f(in)h(this)f(w)
o(a)o(y:)21 b(and)16 b(once)1196 988 y(this)c(has)f(b)q(een)h(solv)o(ed,)g
(all)h(the)e(PINs)g(sen)o(t)g(or)g(receiv)o(ed)1196 1029 y(b)o(y)i(that)g
(bank)h(on)f(the)h(net)o(w)o(ork)f(can)g(b)q(e)g(decrypted.)1196
1077 y(A)c(recen)o(t)h(study)h(b)o(y)g(researc)o(hers)f(at)g(a)g(Canadian)i
(bank)1196 1118 y([GO])18 b(concluded)j(that)e(this)h(kind)h(of)e(attac)o(k)g
(w)o(ould)1196 1160 y(no)o(w)13 b(cost)g(ab)q(out)i Fd($)p
Ff(30,000)f(w)o(orth)f(of)g(sp)q(ecialist)j(com-)1196 1201
y(puter)d(time)h(p)q(er)f(zone)h(k)o(ey)m(.)k(It)12 b(follo)o(ws)j(that)e(it)
g(is)h(w)o(ell)1196 1243 y(within)d(the)e(resources)i(of)e(organised)i
(crime,)g(and)f(could)1196 1285 y(ev)o(en)16 b(b)q(e)h(carried)g(out)g(b)o(y)
f(a)g(reasonably)j(w)o(ell)e(heeled)1196 1326 y(individual)q(.)1196
1374 y(If,)f(as)g(seems)g(lik)o(ely)m(,)j(the)d(necessary)h(sp)q(ecialist)i
(com-)1196 1415 y(puters)e(ha)o(v)o(e)g(b)q(een)g(built)h(b)o(y)e(the)h(in)o
(telligence)j(agen-)1196 1457 y(cies)13 b(of)f(a)h(n)o(um)o(b)q(er)g(of)g
(coun)o(tries,)h(including)i(coun)o(tries)1196 1498 y(whic)o(h)g(are)g(no)o
(w)f(in)i(a)e(state)h(of)f(c)o(haos,)i(then)f(there)g(is)1196
1540 y(also)d(the)f(risk)h(that)f(the)g(custo)q(dians)i(of)e(this)g(hardw)o
(are)1196 1581 y(could)i(misuse)g(it)g(for)e(priv)n(ate)j(gain.)1020
1723 y Fg(3.2.3)39 b(The)14 b(consequences)f(fo)o(r)g(bank)o(ers)1020
1837 y Ff(The)h(original)k(goal)d(of)g(A)m(TM)e(crypto)i(securit)o(y)h(w)o
(as)e(that)h(no)g(sys-)1020 1879 y(tematic)e(fraud)g(should)g(b)q(e)g(p)q
(ossible)i(without)e(the)f(collusion)j(of)d(at)1020 1920 y(least)g(t)o(w)o(o)
f(bank)h(sta\013)f([NSM].)f(Most)i(banks)g(do)f(not)g(seem)h(to)f(ha)o(v)o(e)
1020 1962 y(ac)o(hiev)o(ed)i(this)f(goal,)g(and)g(the)f(reasons)i(ha)o(v)o(e)
e(usually)j(b)q(een)e(imple-)1020 2003 y(men)o(tation)i(blunders,)h(ramshac)o
(kle)g(administration,)h(or)d(b)q(oth.)1076 2093 y(The)19 b(tec)o(hnical)h
(threats)f(describ)q(ed)i(in)e(section)h(3.2.2)e(ab)q(o)o(v)o(e)1020
2135 y(are)13 b(the)g(ones)g(whic)o(h)h(most)f(exercised)i(the)e
(cryptographic)i(equip-)1020 2176 y(men)o(t)h(industry)m(,)i(and)f(whic)o(h)g
(their)f(pro)q(ducts)i(w)o(ere)d(designed)j(to)1020 2218 y(prev)o(en)o(t.)i
(Ho)o(w)o(ev)o(er,)14 b(only)h(t)o(w)o(o)e(of)g(the)h(cases)h(in)f(that)g
(section)h(ac-)1020 2259 y(tually)e(resulted)g(in)g(losses,)f(and)h(b)q(oth)f
(of)f(those)h(can)g(just)g(as)f(easily)1020 2301 y(b)q(e)i(classed)i(as)e
(implemen)o(tation)j(failures.)1076 2391 y(The)e(main)i(tec)o(hnical)g
(lessons)g(for)e(bank)o(ers)h(are)f(that)h(comp)q(e-)1020 2433
y(ten)o(t)f(consultan)o(ts)i(should)g(ha)o(v)o(e)f(b)q(een)g(hired,)g(and)g
(m)o(uc)o(h)g(greater)1020 2474 y(emphasis)c(should)h(ha)o(v)o(e)e(b)q(een)g
(placed)h(on)f(qualit)o(y)h(con)o(trol.)17 b(This)11 b(is)1020
2516 y(urgen)o(t)i(for)g(its)g(o)o(wn)g(sak)o(e:)k(for)c(in)g(addition)i(to)e
(fraud,)g(errors)g(also)1020 2557 y(cause)h(a)f(signi\014can)o(t)i(n)o(um)o
(b)q(er)f(of)f(disputed)i(A)m(TM)d(transactions.)1076 2647
y(All)g(systems)f(of)g(an)o(y)h(size)f(su\013er)h(from)f(program)h(bugs)f
(and)h(op-)1020 2689 y(erational)i(blunders:)19 b(banking)14
b(systems)f(are)f(certainly)i(no)f(excep-)p eop
%%Page: 8 8
bop -76 -34 a Ff(tion,)10 b(as)f(an)o(y)o(one)h(who)f(has)g(w)o(ork)o(ed)g
(in)h(the)f(industry)h(will)h(b)q(e)e(a)o(w)o(are.)-76 7 y(Branc)o(h)15
b(accoun)o(ting)h(systems)e(tend)g(to)g(b)q(e)g(v)o(ery)g(large)h(and)f(com-)
-76 49 y(plex,)19 b(with)f(man)o(y)f(in)o(terlo)q(c)o(king)j(mo)q(dules)f
(whic)o(h)f(ha)o(v)o(e)g(ev)o(olv)o(ed)-76 90 y(o)o(v)o(er)c(decades.)k
(Inevitably)m(,)d(some)f(transactions)h(go)e(astra)o(y:)18
b(deb-)-76 132 y(its)c(ma)o(y)f(get)g(duplicated)j(or)d(p)q(osted)h(to)e(the)
i(wrong)f(accoun)o(t.)-20 223 y(This)d(will)g(not)f(b)q(e)h(news)f(to)f
(\014nancial)k(con)o(trollers)f(of)d(large)i(com-)-76 265 y(panies,)18
b(who)e(emplo)o(y)h(sta\013)f(to)g(reconcile)i(their)f(bank)g(accoun)o(ts.)
-76 306 y(When)d(a)g(stra)o(y)f(debit)i(app)q(ears,)f(they)g(demand)g(to)g
(see)f(a)g(v)o(ouc)o(her)-76 348 y(for)g(it,)h(and)g(get)f(a)h(refund)g(from)
f(the)g(bank)i(when)e(this)i(cannot)f(b)q(e)-76 389 y(pro)q(duced.)29
b(Ho)o(w)o(ev)o(er,)17 b(the)f(A)m(TM)g(customer)h(with)g(a)f(complain)o(t)
-76 431 y(has)i(no)f(suc)o(h)h(recourse;)h(most)f(bank)o(ers)g(outside)g(the)
f(USA)g(just)-76 472 y(sa)o(y)d(that)f(their)h(systems)f(are)g(infallibl)q
(e.)-20 563 y(This)20 b(p)q(olicy)h(carries)e(with)h(it)f(a)g(n)o(um)o(b)q
(er)h(of)e(legal)j(and)e(ad-)-76 605 y(ministrativ)o(e)i(risks.)33
b(Firstly)m(,)20 b(there)f(is)f(the)h(p)q(ossibili)q(t)o(y)i(that)d(it)-76
646 y(migh)o(t)c(amoun)o(t)g(to)f(an)h(o\013ence,)f(suc)o(h)h(as)f
(conspiracy)j(to)d(defraud;)-76 688 y(secondly)m(,)20 b(it)e(places)h(an)f
(unmeetable)i(burden)f(of)e(pro)q(of)h(on)g(the)-76 729 y(customer,)d(whic)o
(h)g(is)g(wh)o(y)f(the)g(US)g(courts)h(struc)o(k)g(it)f(do)o(wn)h([JC],)-76
771 y(and)f(courts)f(elsewhere)h(ma)o(y)f(follo)o(w)h(their)f(lead;)h
(thirdly)m(,)h(there)e(is)-76 812 y(a)g(moral)h(hazard,)f(in)h(that)f
(sta\013)g(are)g(encouraged)i(to)d(steal)i(b)o(y)f(the)-76
854 y(kno)o(wledge)g(that)e(they)g(are)g(unlik)o(ely)j(to)d(b)q(e)g(caugh)o
(t;)h(and)f(fourthly)m(,)-76 896 y(there)18 b(is)g(an)g(in)o(telligen)q(ce)i
(failure,)g(as)e(with)g(no)g(cen)o(tral)h(records)-76 937 y(of)d(customer)g
(complain)o(ts)i(it)e(is)g(not)g(p)q(ossible)i(to)e(monitor)h(fraud)-76
979 y(patterns)d(prop)q(erly)m(.)-20 1070 y(The)j(business)i(impact)f(of)e(A)
m(TM)g(losses)i(is)g(therefore)f(rather)-76 1111 y(hard)i(to)f(quan)o(tify)m
(.)33 b(In)18 b(the)g(UK,)f(the)h(Economic)i(Secretary)e(to)-76
1153 y(the)c(T)m(reasury)g(\(the)f(minister)j(resp)q(onsible)g(for)d(bank)i
(regulation\))-76 1194 y(claimed)f(in)f(June)g(1992)g(that)f(errors)h
(a\013ected)g(at)f(most)g(t)o(w)o(o)g(A)m(TM)-76 1236 y(transactions)j(out)e
(of)f(the)h(three)f(million)k(whic)o(h)d(tak)o(e)g(place)h(ev)o(ery)-76
1277 y(da)o(y)19 b([B];)f(but)h(under)h(the)e(pressure)i(of)e(the)h(curren)o
(t)g(litigation)q(,)-76 1319 y(this)d(\014gure)g(has)g(b)q(een)g(revised,)h
(\014rstly)f(to)f(1)g(in)h(250,000,)h(then)e(1)-76 1360 y(in)f(100,000,)f
(and)h(lately)h(to)d(1)h(in)h(34,000)g([M1].)-20 1452 y(As)20
b(customers)i(who)e(complain)j(are)e(still)h(c)o(hased)f(a)o(w)o(a)o(y)g(b)o
(y)-76 1493 y(branc)o(h)13 b(sta\013,)g(and)g(since)g(a)f(lot)h(of)f(p)q
(eople)i(will)g(just)e(fail)h(to)f(notice)-76 1535 y(one-o\013)h(debits,)g
(our)g(b)q(est)f(guess)h(is)g(that)f(the)h(real)g(\014gure)g(is)f(ab)q(out)
-76 1576 y(1)f(in)g(10,000.)17 b(Th)o(us,)11 b(if)f(an)h(a)o(v)o(erage)h
(customer)f(uses)g(an)g(A)m(TM)f(once)-76 1618 y(a)i(w)o(eek)g(for)f(50)h(y)o
(ears,)g(w)o(e)g(w)o(ould)g(exp)q(ect)h(that)f(ab)q(out)g(one)h(in)f(four)-76
1659 y(customers)h(will)g(exp)q(erience)h(an)e(A)m(TM)f(problem)i(at)f(some)g
(time)g(in)-76 1701 y(their)i(liv)o(es.)-20 1792 y(Bank)o(ers)j(are)f(th)o
(us)h(thro)o(wing)g(a)o(w)o(a)o(y)f(a)g(lot)h(of)f(go)q(o)q(dwill,)j(and)-76
1834 y(their)12 b(failure)g(to)f(face)g(up)g(to)g(the)g(problem)h(ma)o(y)f
(undermine)i(con\014-)-76 1875 y(dence)h(in)h(the)e(pa)o(ymen)o(t)h(system)g
(and)g(con)o(tribute)h(to)f(unp)q(opular-)-76 1917 y(it)o(y)m(,)j(public)g
(pressure)g(and)f(ultimately)j(legislation.)28 b(While)18 b(they)-76
1958 y(consider)11 b(their)f(resp)q(onse)g(to)f(this,)h(they)g(are)f(not)g
(only)h(under)g(\014re)f(in)-76 2000 y(the)k(press)h(and)f(the)g(courts,)g
(but)h(are)f(also)h(saddled)g(with)g(systems)-76 2041 y(whic)o(h)k(they)f
(built)i(from)d(comp)q(onen)o(ts)i(whic)o(h)g(w)o(ere)e(not)i(under-)-76
2083 y(sto)q(o)q(d,)12 b(and)h(whose)f(administrativ)o(e)j(supp)q(ort)d
(requiremen)o(ts)i(ha)o(v)o(e)-76 2124 y(almost)d(nev)o(er)f(b)q(een)g
(adequately)i(articulated.)18 b(This)11 b(is)f(hardly)h(the)-76
2166 y(en)o(vironmen)o(t)17 b(in)f(whic)o(h)f(a)g(clear)h(headed)g(and)g
(sensible)h(strategy)-76 2207 y(is)d(lik)o(ely)h(to)e(emerge.)-76
2351 y Fg(3.3)40 b(The)14 b(implications)c(fo)o(r)j(equipment)g(vendo)o(rs)
-76 2466 y Ff(Equipmen)o(t)h(v)o(endors)f(will)g(argue)g(that)f(real)h
(securit)o(y)g(exp)q(ertise)h(is)-76 2508 y(only)k(to)e(b)q(e)g(found)h(in)g
(univ)o(ersities,)i(go)o(v)o(ernmen)o(t)e(departmen)o(ts,)-76
2549 y(one)d(or)g(t)o(w)o(o)f(sp)q(ecialist)k(consultancy)f(\014rms,)e(and)g
(in)h(their)g(design)-76 2591 y(labs.)21 b(Because)15 b(of)f(this)g(skill)j
(shortage,)d(only)i(h)o(uge)e(pro)r(jects)h(will)-76 2632 y(ha)o(v)o(e)e(a)g
(capable)i(securit)o(y)f(exp)q(ert)f(on)g(hand)h(during)g(the)f(whole)g(of)
-76 2674 y(the)c(dev)o(elopmen)o(t)i(and)e(implemen)o(tation)j(pro)q(cess.)k
(Some)10 b(pro)r(jects)1020 -34 y(ma)o(y)18 b(get)f(a)h(short)g(consultancy)i
(input,)g(but)d(the)h(ma)r(jorit)o(y)h(will)1020 7 y(ha)o(v)o(e)d(no)g(sp)q
(ecialised)j(securit)o(y)e(e\013ort)f(at)g(all.)26 b(The)16
b(only)h(w)o(a)o(y)e(in)1020 49 y(whic)o(h)j(the)f(exp)q(erts')h(kno)o(who)o
(w)g(can)f(b)q(e)h(brough)o(t)g(to)f(mark)o(et)h(is)1020 90
y(therefore)12 b(in)h(the)f(form)f(of)g(pro)q(ducts,)i(suc)o(h)g(as)f(hardw)o
(are)g(devices,)1020 132 y(soft)o(w)o(are)h(pac)o(k)n(ages)h(and)f(training)j
(courses.)1076 223 y(If)g(this)h(argumen)o(t)g(is)f(accepted,)i(then)e(our)h
(researc)o(h)g(implies)1020 265 y(that)e(v)o(endors)g(are)g(curren)o(tly)h
(selling)h(the)e(wrong)g(pro)q(ducts,)g(and)1020 306 y(go)o(v)o(ernmen)o(ts)g
(are)g(encouraging)h(this)f(b)o(y)g(certifying)h(these)f(pro)q(d-)1020
348 y(ucts)e(under)h(sc)o(hemes)g(lik)o(e)g(ITSEC.)1076 439
y(As)f(w)o(e)f(ha)o(v)o(e)h(seen,)g(the)g(suppliers')i(main)e(failure)h(is)g
(that)f(they)1020 480 y(o)o(v)o(erestimate)i(their)f(customers')g(lev)o(el)h
(of)f(cryptologic)i(and)e(secu-)1020 522 y(rit)o(y)g(design)g(sophisticatio)q
(n.)1076 613 y(IBM's)d(securit)o(y)i(pro)q(ducts,)f(suc)o(h)g(as)g(the)f
(3848)h(and)g(the)f(new)o(er)1020 655 y(4753,)18 b(are)f(a)g(go)q(o)q(d)h
(case)f(in)h(p)q(oin)o(t:)26 b(they)18 b(pro)o(vide)g(a)f(fairly)h(ra)o(w)
1020 696 y(encryption)d(capabili)q(t)o(y)m(,)g(and)g(lea)o(v)o(e)f(the)f
(applicatio)q(n)j(designer)f(to)1020 738 y(w)o(orry)i(ab)q(out)i(proto)q
(cols)g(and)f(to)f(in)o(tegrate)i(the)f(cryptographic)1020
779 y(facilities)e(with)d(application)k(and)c(system)h(soft)o(w)o(are.)1076
871 y(This)i(ma)o(y)f(enable)h(IBM)f(to)g(claim)h(that)f(a)g(4753)h(will)g
(do)g(an)o(y)1