Feeds

Bank-card PINs 'wide open' to insider attack

Crackers

Beginner's guide to SSL certificates

Security researchers have highlighted how corrupt bank insiders might be able to obtain bank card PINs using as little as one or two guesses.

The flaw, which involves the way ATM PINs are encrypted and transmitted across international financial networks (by switches), is far more severe than previous attacks which created a means for insiders to crack PINs using around 15 guesses. By design, it shouldn't be possible to guess a four-digit pin in less than an average of 5,000 attempts.

Israeli academics Omer Berkman and Odelia Moshe Ostrovsky have published a paper, titled The Unbearable Lightness of PIN Cracking (PDF), which explains how the processing system used by banks is open to abuse. One of the attacks targets the translate function in switches. Another abuses functions that are used to allow customers to select their PINs online.

In either case, the flaws create a means for an attacker to discover PIN codes, for example, those entered by customers while withdrawing cash from an ATM providing they have access to the online PIN verification facility or switching processes.

“A bank insider could use an existing Hardware Security Module (HSM) to reveal the encrypted PIN codes and exploit them to make fraudulent transactions, or to fabricate cards whose PIN codes are different than the PIN codes of the legitimate cards, and yet all of the cards will be valid at the same time," said Ostrovsky, researcher at Tel Aviv University who also works for local security firm Algorithmic Research. “Even worse, an insider of a third-party Switching provider could attack a bank outside of his territory or even in another continent".

The authors have passed on their research to credit card firm and banks, with little response, prompting their decision to go public with the problem.

"One of the most disturbing aspects of the attack is that you're only as secure as the most untrusted bank on the network. Instead of just having to trust your own issuer bank that they have good security against insider fraud, you have to trust every other financial institution on the network as well. An insider at another bank can crack your ATM PIN if you withdraw money from any of the other bank's ATMs," writes security guru Bruce Schneier in a posting on the issue on his security blog. ®

Intelligent flash storage arrays

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.