Subverting PIN Encryption For Bank Cards 182
An anonymous reader sends in a story at Wired about the increasingly popular methods criminals are using to bypass PIN encryption and rack up millions of dollars in fraudulent withdrawals. Quoting:
"According to the payment-card industry ... standards for credit card transaction security, [PINs] are supposed to be encrypted in transit, which should theoretically protect them if someone intercepts the data. The problem, however, is that a PIN must pass through multiple HSMs across multiple bank networks en route to the customer's bank. These HSMs are configured and managed differently, some by contractors not directly related to the bank. At every switching point, the PIN must be decrypted, then re-encrypted with the proper key for the next leg in its journey, which is itself encrypted under a master key that is generally stored in the module or in the module's application programming interface, or API. 'Essentially, the thief tricks the HSM into providing the encryption key,' says Sartin. 'This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device.'"
which PIN? (Score:1, Funny)
Re:Why I Hate Debit Cards (Score:5, Funny)
Re:So this is what my $2.00 buys me? (Score:5, Funny)
Re:Doesn't a PIN Require the Physical Card? (Score:3, Funny)
Obvious things like 1-2-3-4 are not allowed.
That's the combination to my luggage!
And that's my computer account password too! That's surprisin #@&%*! NO CARRIER
That's my slashdot password.
Re:Doesn't a PIN Require the Physical Card? (Score:5, Funny)
Obvious things like 1-2-3-4 are not allowed.
That's the combination to my luggage!
And that's my computer account password too! That's surprisin #@&%*! NO CARRIER
That's my slashdot password.
Wow. He wasn't joking.