[EL] The $45M Hiest from NYC ATMs

[David Jefferson]

William Kelleher recently tried to undercut a posting by Richard Pildes, in which Mr. Pildes suggested that the recent $45 million heist of cash from ATM machines all over the world that was enabled by a cyber attack on the bank in question should give people pause when they think of the vulnerabilites of Internet voting. Mr. Kelleher argued that there is so little in common between online banking and Internet voting systems that "that financial crime has nothing to do with Internet voting security issues."

I beg to differ with Mr. Kelleher. Essentially every security vulnerability in an online banking system corresponds directly to a similar vulnerability in online voting systems. And because the privacy, security, and transparency requirements for online voting are so much more complex and unforgiving than those for financial transactions, there are many more risks with online voting that have no analog in the financial world. This may seem counterintuitive, but for a full explication see my essay "If I Can Shop and Bank Online, Why Can't I Vote Online?" at https://www.verifiedvoting.org/resources/internet-voting/vote-online/.

But Mr. Kelleher goes on to make serious errors of fact that should be corrected. Although the news media have not described in any detail exactly how the banking network was penetrated, he nonetheless suggests that some email-related attack may have been the means of penetration, and then argues in flat, authoritative-sounding language that "Internet voting servers are not connected to email systems". This is wrong on several counts. First, most of the Internet voting systems used in the United States not only are connected to email systems, but they actually *are* email systems! Email voting is legal in over 30 states, far more than any other form of Internet voting. Of all of the voting systems ever used in the U.S. email is by far the most vulnerable to automated fraud. (See my essay "What about Email and FAX voting?" at https://www.verifiedvoting.org/resources/internet-voting/email-fax/.)

But even if we confine ourselves to commercial, web-based online voting systems, Mr. Kelleher is still overstating when he writes that "Internet voting servers are not connected to email systems". He can of course assert that, but he simply cannot know it, and it is unlikely to be true. As long as there is any desktop, laptop, or even mobile device connected to anything in the data center that contains the vote servers, including temporarily via VPN or RSH (sorry for the jargon) then a successful email phishing attack on that device would get the attacker one step closer to the goal of penetrating the election servers themselves. And there will essentially always be devices in the data center that receive email. It would be extremely difficult to conduct  business otherwise. Note that it is not required that an email-capable device be actually connected to the same subnet as the vote servers for it to be a useful stepping stone in a penetration attack on the heart of the Internet voting system.

Finally, Mr. Kelleher makes an essentially irrelevant but also false point that "Internet voting servers [are not] connected to far away or foreign servers, such as the Indian firm that set the limits on cards that could be used in New York ATMs". Of course in the essentially borderless world of the Internet it makes little technical difference where servers are physically located, so it is not clear what point he is trying to make. But Scytl, one of the big three Internet voting vendors vying for business in the U.S., is a Spanish company. In the famous Internet voting experiment in Okaloosa County, FL in the general election of 2008 in which Scytl was the vendor, its voting servers were located in Barcelona. So Scytl's vote servers, which collected real U.S. votes in a Presidential election in the swing state of Florida, were not just "connected to far away or foreign servers", they actually *were* far away, foreign servers! 

David Jefferson
Computer Scientist
Lawrence Livermore National Laboratory
d_jefferson at yahoo.com

All opinions are my own, and are not endorsed by my employer or any other organization I am affiliated with.