Feeds

How to get an ATM PIN in 15 guesses

Bank employee fraud just got easier

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Cambridge researchers have documented a worrying PIN cracking technique against the hardware security modules commonly used by bank ATMs.

Mike Bond and Piotr Zielinski have published a paper detailing how a complex mathematical attack can yield a PIN in an average of 15 guesses. By design, it shouldn't be possible to guess a four-digit pin in less than an average of 5,000 attempts.

The attack, documented in a paper published earlier this week, is directed against the decimalisation tables used to translate between a card PIN and the hexadecimal value of a PIN generated when the hardware security module checks the validity of a number.

The attack works not by going after the PIN number directly but by manipulating the contents of the decimalisation table in order to gain clues (such as which digits are or are not present in the PIN).

Refining the technique, which allows a PIN to determined in an average of 24 iterations, might allow an attack to succeed in 15 guesses. The methodology of the attack, too mathematically complex to be properly explained in the context of a news story, is explained here.

Mike Bond told us that the risk of attack comes from a corrupt insider, perhaps in computer operations and with access to sensitive manuals, who might be able to use the attack to refine what would otherwise be a brute force attempt to guess PIN numbers.

Fraud, in these circumstances, might still be possible. The attack is simply a more powerful, optimised means of cracking PIN numbers.

In their paper, Bond and Zielinski outline mechanisms banks might apply to guard against the attack.

In the short term, according to Bond, probably the best way to guard against the attack is to make sure it isn't possible to change the decimalisation table without permission. Longer term the researchers warn in their conclusions that "support for decimalisation is not a robust approach to PIN verification".

"Unskewed randomly generated PINs stored encrypted on an online database, as already used by some banks, are significantly more secure," Bond and Zielinski conclude.

As a stop gap an audit trail in ATM hardware security module will also allow the banks to spot when something suspicious occurs. This would allow banks to finger corrupt insider but it wouldn't necessarily protect customers, due to ongoing confusion in the UK's liability regulations for bank transactions.

Bond explained that UK case law does not as yet determine where liability lies in the case of disputed PIN-authorised transactions. With credit card purchases liability lies with merchants but in the question of liability has yet to be determined.

The wider consequences of the attack method documented by the Cambridge researchers once again spotlight this gap in UK law. ®

External Links

Decimalisation table attacks for PIN cracking, by Mike Bond and Piotr Zielinski of Cambridge University

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.