Feeds

Bank-card PINs 'wide open' to insider attack

Crackers

Build a business case: developing custom apps

Security researchers have highlighted how corrupt bank insiders might be able to obtain bank card PINs using as little as one or two guesses.

The flaw, which involves the way ATM PINs are encrypted and transmitted across international financial networks (by switches), is far more severe than previous attacks which created a means for insiders to crack PINs using around 15 guesses. By design, it shouldn't be possible to guess a four-digit pin in less than an average of 5,000 attempts.

Israeli academics Omer Berkman and Odelia Moshe Ostrovsky have published a paper, titled The Unbearable Lightness of PIN Cracking (PDF), which explains how the processing system used by banks is open to abuse. One of the attacks targets the translate function in switches. Another abuses functions that are used to allow customers to select their PINs online.

In either case, the flaws create a means for an attacker to discover PIN codes, for example, those entered by customers while withdrawing cash from an ATM providing they have access to the online PIN verification facility or switching processes.

“A bank insider could use an existing Hardware Security Module (HSM) to reveal the encrypted PIN codes and exploit them to make fraudulent transactions, or to fabricate cards whose PIN codes are different than the PIN codes of the legitimate cards, and yet all of the cards will be valid at the same time," said Ostrovsky, researcher at Tel Aviv University who also works for local security firm Algorithmic Research. “Even worse, an insider of a third-party Switching provider could attack a bank outside of his territory or even in another continent".

The authors have passed on their research to credit card firm and banks, with little response, prompting their decision to go public with the problem.

"One of the most disturbing aspects of the attack is that you're only as secure as the most untrusted bank on the network. Instead of just having to trust your own issuer bank that they have good security against insider fraud, you have to trust every other financial institution on the network as well. An insider at another bank can crack your ATM PIN if you withdraw money from any of the other bank's ATMs," writes security guru Bruce Schneier in a posting on the issue on his security blog. ®

Next gen security for virtualised datacentres

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Linux kernel devs made to finger their dongles before contributing code
Two-factor auth enabled for Kernel.org repositories
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Scale data protection with your virtual environment
To scale at the rate of virtualization growth, data protection solutions need to adopt new capabilities and simplify current features.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?