Feeds

Bank-card PINs 'wide open' to insider attack

Crackers

Providing a secure and efficient Helpdesk

Security researchers have highlighted how corrupt bank insiders might be able to obtain bank card PINs using as little as one or two guesses.

The flaw, which involves the way ATM PINs are encrypted and transmitted across international financial networks (by switches), is far more severe than previous attacks which created a means for insiders to crack PINs using around 15 guesses. By design, it shouldn't be possible to guess a four-digit pin in less than an average of 5,000 attempts.

Israeli academics Omer Berkman and Odelia Moshe Ostrovsky have published a paper, titled The Unbearable Lightness of PIN Cracking (PDF), which explains how the processing system used by banks is open to abuse. One of the attacks targets the translate function in switches. Another abuses functions that are used to allow customers to select their PINs online.

In either case, the flaws create a means for an attacker to discover PIN codes, for example, those entered by customers while withdrawing cash from an ATM providing they have access to the online PIN verification facility or switching processes.

“A bank insider could use an existing Hardware Security Module (HSM) to reveal the encrypted PIN codes and exploit them to make fraudulent transactions, or to fabricate cards whose PIN codes are different than the PIN codes of the legitimate cards, and yet all of the cards will be valid at the same time," said Ostrovsky, researcher at Tel Aviv University who also works for local security firm Algorithmic Research. “Even worse, an insider of a third-party Switching provider could attack a bank outside of his territory or even in another continent".

The authors have passed on their research to credit card firm and banks, with little response, prompting their decision to go public with the problem.

"One of the most disturbing aspects of the attack is that you're only as secure as the most untrusted bank on the network. Instead of just having to trust your own issuer bank that they have good security against insider fraud, you have to trust every other financial institution on the network as well. An insider at another bank can crack your ATM PIN if you withdraw money from any of the other bank's ATMs," writes security guru Bruce Schneier in a posting on the issue on his security blog. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.