Feeds

Bank-card PINs 'wide open' to insider attack

Crackers

Choosing a cloud hosting partner with confidence

Security researchers have highlighted how corrupt bank insiders might be able to obtain bank card PINs using as little as one or two guesses.

The flaw, which involves the way ATM PINs are encrypted and transmitted across international financial networks (by switches), is far more severe than previous attacks which created a means for insiders to crack PINs using around 15 guesses. By design, it shouldn't be possible to guess a four-digit pin in less than an average of 5,000 attempts.

Israeli academics Omer Berkman and Odelia Moshe Ostrovsky have published a paper, titled The Unbearable Lightness of PIN Cracking (PDF), which explains how the processing system used by banks is open to abuse. One of the attacks targets the translate function in switches. Another abuses functions that are used to allow customers to select their PINs online.

In either case, the flaws create a means for an attacker to discover PIN codes, for example, those entered by customers while withdrawing cash from an ATM providing they have access to the online PIN verification facility or switching processes.

“A bank insider could use an existing Hardware Security Module (HSM) to reveal the encrypted PIN codes and exploit them to make fraudulent transactions, or to fabricate cards whose PIN codes are different than the PIN codes of the legitimate cards, and yet all of the cards will be valid at the same time," said Ostrovsky, researcher at Tel Aviv University who also works for local security firm Algorithmic Research. “Even worse, an insider of a third-party Switching provider could attack a bank outside of his territory or even in another continent".

The authors have passed on their research to credit card firm and banks, with little response, prompting their decision to go public with the problem.

"One of the most disturbing aspects of the attack is that you're only as secure as the most untrusted bank on the network. Instead of just having to trust your own issuer bank that they have good security against insider fraud, you have to trust every other financial institution on the network as well. An insider at another bank can crack your ATM PIN if you withdraw money from any of the other bank's ATMs," writes security guru Bruce Schneier in a posting on the issue on his security blog. ®

Beginner's guide to SSL certificates

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.