Subverting PIN Encryption For Bank Cards

Subverting PIN Encryption For Bank Cards 182

Posted by Soulskill on Wednesday April 15, 2009 @11:01AM from the pin-number-atm-machine dept.

An anonymous reader sends in a story at Wired about the increasingly popular methods criminals are using to bypass PIN encryption and rack up millions of dollars in fraudulent withdrawals. Quoting: "According to the payment-card industry ... standards for credit card transaction security, [PINs] are supposed to be encrypted in transit, which should theoretically protect them if someone intercepts the data. The problem, however, is that a PIN must pass through multiple HSMs across multiple bank networks en route to the customer's bank. These HSMs are configured and managed differently, some by contractors not directly related to the bank. At every switching point, the PIN must be decrypted, then re-encrypted with the proper key for the next leg in its journey, which is itself encrypted under a master key that is generally stored in the module or in the module's application programming interface, or API. 'Essentially, the thief tricks the HSM into providing the encryption key,' says Sartin. 'This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device.'"

Subverting PIN Encryption For Bank Cards

This discussion has been archived. No new comments can be posted.

Search 182 Comments Log In/Create an Account

Comments Filter:

which PIN? (Score:1, Funny)

by Anonymous Coward writes: on Wednesday April 15, 2009 @11:06AM (#27586369)

Are they talking about my PIN number for the ATM machine? I guess I should go RTFA article now.

Re:Why I Hate Debit Cards (Score:5, Funny)

by Anonymous Coward writes: on Wednesday April 15, 2009 @11:26AM (#27586659)

Personally I insist on paying in cold, hard, gold. I'll also only accept payment in gold, silver, or a promissory note signed personally by a gentleman in good standing. I know some people who insist on bartering for goods and services, but they really should come into the 19th century as we have!

Re:So this is what my $2.00 buys me? (Score:5, Funny)

by emocomputerjock ( 1099941 ) writes: on Wednesday April 15, 2009 @11:35AM (#27586751)

That's not "free money", that's a Chief Scamming Officer's bonus.

Re:Doesn't a PIN Require the Physical Card? (Score:3, Funny)

by rackserverdeals ( 1503561 ) writes: on Wednesday April 15, 2009 @11:53AM (#27587001) Homepage Journal

Obvious things like 1-2-3-4 are not allowed.
That's the combination to my luggage!
And that's my computer account password too! That's surprisin #@&%*! NO CARRIER
That's my slashdot password.

Re:Doesn't a PIN Require the Physical Card? (Score:5, Funny)

by rackserverdeals ( 1503561 ) writes: on Wednesday April 15, 2009 @11:55AM (#27587031) Homepage Journal

Obvious things like 1-2-3-4 are not allowed.
That's the combination to my luggage!
And that's my computer account password too! That's surprisin #@&%*! NO CARRIER
That's my slashdot password.
Wow. He wasn't joking.

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Subverting PIN Encryption For Bank Cards 182

Subverting PIN Encryption For Bank Cards More Login

Subverting PIN Encryption For Bank Cards

which PIN? (Score:1, Funny)

Re:Why I Hate Debit Cards (Score:5, Funny)

Re:So this is what my $2.00 buys me? (Score:5, Funny)

Re:Doesn't a PIN Require the Physical Card? (Score:3, Funny)

Re:Doesn't a PIN Require the Physical Card? (Score:5, Funny)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot