Feeds

Bank-card PINs 'wide open' to insider attack

Crackers

Combat fraud and increase customer satisfaction

Security researchers have highlighted how corrupt bank insiders might be able to obtain bank card PINs using as little as one or two guesses.

The flaw, which involves the way ATM PINs are encrypted and transmitted across international financial networks (by switches), is far more severe than previous attacks which created a means for insiders to crack PINs using around 15 guesses. By design, it shouldn't be possible to guess a four-digit pin in less than an average of 5,000 attempts.

Israeli academics Omer Berkman and Odelia Moshe Ostrovsky have published a paper, titled The Unbearable Lightness of PIN Cracking (PDF), which explains how the processing system used by banks is open to abuse. One of the attacks targets the translate function in switches. Another abuses functions that are used to allow customers to select their PINs online.

In either case, the flaws create a means for an attacker to discover PIN codes, for example, those entered by customers while withdrawing cash from an ATM providing they have access to the online PIN verification facility or switching processes.

“A bank insider could use an existing Hardware Security Module (HSM) to reveal the encrypted PIN codes and exploit them to make fraudulent transactions, or to fabricate cards whose PIN codes are different than the PIN codes of the legitimate cards, and yet all of the cards will be valid at the same time," said Ostrovsky, researcher at Tel Aviv University who also works for local security firm Algorithmic Research. “Even worse, an insider of a third-party Switching provider could attack a bank outside of his territory or even in another continent".

The authors have passed on their research to credit card firm and banks, with little response, prompting their decision to go public with the problem.

"One of the most disturbing aspects of the attack is that you're only as secure as the most untrusted bank on the network. Instead of just having to trust your own issuer bank that they have good security against insider fraud, you have to trust every other financial institution on the network as well. An insider at another bank can crack your ATM PIN if you withdraw money from any of the other bank's ATMs," writes security guru Bruce Schneier in a posting on the issue on his security blog. ®

SANS - Survey on application security programs

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.