Subverting PIN Encryption For Bank Cards
An anonymous reader sends in a story at Wired about the increasingly popular methods criminals are using to bypass PIN encryption and rack up millions of dollars in fraudulent withdrawals. Quoting:
"According to the payment-card industry ... standards for credit card transaction security, [PINs] are supposed to be encrypted in transit, which should theoretically protect them if someone intercepts the data. The problem, however, is that a PIN must pass through multiple HSMs across multiple bank networks en route to the customer's bank. These HSMs are configured and managed differently, some by contractors not directly related to the bank. At every switching point, the PIN must be decrypted, then re-encrypted with the proper key for the next leg in its journey, which is itself encrypted under a master key that is generally stored in the module or in the module's application programming interface, or API. 'Essentially, the thief tricks the HSM into providing the encryption key,' says Sartin. 'This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device.'"
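The hop-by-hop translation the article describes, as an added example that is not part of the Wired story or the Slashdot summary: an ISO 9564 format-0 PIN block leaves the ATM encrypted under the ATM's zone key, and each switch's HSM decrypts it under the incoming zone key and re-encrypts it under the outgoing one, so a clear PIN exists inside every HSM on the path. The zone keys are stored wrapped under each HSM's own master key, as the quote says. The second part shows the generic weakness of such a translation API: if the HSM will also import a key the caller supplies and translate into it, anyone who can reach the HSM API recovers the PIN. That is the textbook "translate into an attacker-known key" abuse, not the specific technique Sartin alludes to, which the article does not detail. The 64-bit cipher is an HMAC-SHA256 Feistel stand-in for TDES (same 8-byte block) so the example runs on a bare Python install; the network topology, key names and PAN are constructed for the example.

```python
"""Hop-by-hop PIN block translation through two switch HSMs (constructed example)."""
import hashlib
import hmac
import secrets

BLOCK = 8  # 64-bit block, as for TDES-encrypted PIN blocks


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Feistel round function: 32 bits of HMAC-SHA256 over (round number, right half)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def enc(key, blk):
    """8-round balanced Feistel; a stand-in for TDES, not a payment-grade cipher."""
    l, r = blk[:4], blk[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def dec(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def _pan_field(pan):
    # ISO 9564 format 0: 0000 followed by the 12 rightmost PAN digits, check digit excluded
    return bytes.fromhex("0000" + pan[-13:-1].zfill(12))


def pin_block(pin, pan):
    """ISO 9564-1 format-0 PIN block: PIN field XOR PAN field."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return _xor(pin_field, _pan_field(pan))


def pin_from_block(blk, pan):
    field = _xor(blk, _pan_field(pan)).hex().upper()
    n = int(field[1], 16)
    if field[0] != "0" or field[2 + n:] != "F" * (14 - n):
        raise ValueError("not a well-formed format-0 PIN block")
    return field[2:2 + n]


class Hsm:
    """A switch's HSM. Zone keys are kept outside it wrapped under its master key (LMK)."""

    def __init__(self):
        self._lmk = secrets.token_bytes(16)

    def import_key(self, clear_key):
        # Key import: returns the key wrapped under the LMK. Leaving this callable
        # by anyone who can reach the API is the misconfiguration the attack needs.
        return enc(self._lmk, clear_key)

    def translate(self, wrapped_in, wrapped_out, blk):
        # The clear PIN block exists inside the HSM between these two lines.
        clear = dec(dec(self._lmk, wrapped_in), blk)
        return enc(dec(self._lmk, wrapped_out), clear)


def demo(pin, pan):
    """Path ATM -> switch A -> switch B -> issuer, one zone key per hop (constructed)."""
    k_atm_a, k_a_b, k_b_iss = (secrets.token_bytes(BLOCK) for _ in range(3))
    hsm_a, hsm_b = Hsm(), Hsm()
    a_in, a_out = hsm_a.import_key(k_atm_a), hsm_a.import_key(k_a_b)
    b_in, b_out = hsm_b.import_key(k_a_b), hsm_b.import_key(k_b_iss)

    wire = enc(k_atm_a, pin_block(pin, pan))          # ATM encrypts under its zone key
    captured = wire                                    # attacker sniffs the ATM-to-A leg
    wire = hsm_a.translate(a_in, a_out, wire)          # switch A re-keys for switch B
    wire = hsm_b.translate(b_in, b_out, wire)          # switch B re-keys for the issuer
    delivered = pin_from_block(dec(k_b_iss, wire), pan)

    # Translation-oracle abuse: with API access to HSM A, import a key you know and
    # ask the HSM to translate the captured block into it.
    k_evil = secrets.token_bytes(BLOCK)
    stolen_wire = hsm_a.translate(a_in, hsm_a.import_key(k_evil), captured)
    stolen = pin_from_block(dec(k_evil, stolen_wire), pan)
    return delivered, stolen


if __name__ == "__main__":
    print(demo("1234", "4111111111111111"))
```

The fix is not a better cipher: as long as every hop re-keys, every hop's HSM and everyone who can drive its API is in the trust boundary. Mitigations that exist in the real standards are restricting which keys a given HSM command may take as output (key blocks that bind usage attributes to the key, as in ANSI X9.24 / TR-31), locking down key import, and, as the comments below discuss, end-to-end encryption from the PIN pad to the issuer so that intermediaries only forward.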
Re:Wow (Score:5, Insightful)
SSL was released in 1996
Banks prefer a conservative approach, using tried and tested 18th century steam punk hardware.
It ain't that easy (Score:5, Insightful)
Have you ever tried to get, say, three competing companies to agree to a standard? Well, now try the same with a few hundred. Also, get international and you might get an idea what the problem could be.
Here something we dubbed the "St. Florian principle" strikes (from the old German saying "Holy St. Florian, you saint with the water bucket, spare our houses and burn down others"): As long as it only affects our competitors, why should we agree to increase the overall security?
Besides, even if they could agree that something has to be done, things like that tend to be quite expensive. And banks currently definitely have other problems than losing a few million dollars; they're losing billions every day.
Re:Doesn't a PIN Require the Physical Card? (Score:2, Insightful)
Not if you own the ATM, or just have some computer that is hacked into the ATM network pretending to be an ATM.
Re:Doesn't a PIN Require the Physical Card? (Score:1, Insightful)
Really? By disallowing some numbers they are just reducing the keyspace, making it easier for bad guys to brute force a PIN.
Bad HSM (Score:3, Insightful)
If at any one point, there is an HSM that allows the keys to be brought out of the HSM, then that HSM should NOT be used.
Plus, if the "hacker" has that level of access to the transaction network, meaning they can talk to the HSM directly, you are hosed, to be honest.
Re:Solvable (Score:5, Insightful)
Seems the bankers should take a look at other technologies and consider some updates in how they handle it.
As long as the bankers can force everyone else to pay for the fraud the bankers' incompetence causes, they have absolutely no incentive to get their house in order.
That said, the problem with the obvious solution is that in order to encrypt card information immediately with the destination bank's public key you'd need to update all of the card swipe machinery and software with either a comprehensive database of keys or some way of securely identifying the correct bank and retrieving that key.
Re:Wow (Score:3, Insightful)
The fact that these networks are still vulnerable to MITM attacks is pretty shocking.
Fortunately, most of these transactions aren't conducted on the public internet. If there is a MITM attack, the "Man" should be easy to find.
Re:Wow (Score:5, Insightful)
One of the banks I go to still requires filled-out deposit slips, ink signatures, and still has a "next business day before 2" rule with regard to processing your deposits. To that I say, "Come on, this is the digital age!"
You missed the overriding factor offered by the digital age which they use to earn interest on your money while it's on hold. By contrast, Really Important Customers (those with regularly high balances, etc.) rarely have any funds put on hold.
Compared with PayPal's 5-day period, it sucks a lot less.
Re:Curious (Score:3, Insightful)
So your bank somehow compromised your account, aren't refunding the money stolen, and you're grateful?
Re:Bank deposit latency (Score:3, Insightful)
They made the exact same point at the presentation - playing up how that 20 minutes "turns into an hour", because of course there's a 10-minute line at the bank, and they stop for coffee on the way back, and what business can afford an hour of lost productivity each day?
Maybe it's because my only retail job was working in a mall, but I assumed that most businesses did what we did - they used a nearby bank, and people swung by the night depository on their way home. Total time: three minutes, including deceleration and activating the hazard flashers.