Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Businesses Security The Almighty Buck Technology

Possible Serious Security Flaw In ATMs 167

Posted by Zonk from the my-money-is-flighty-enough-as-it-is dept.
sfjoe writes "According to a story at MSNBC.com, researchers at Algorithmic Research (ARX) have shown it may be possible for 'someone with access to the ATM network to attack the special computers that transmit bank account numbers and PIN codes, called hardware security modules'. Using these methods, an attacker could trick the security modules into exposing a PIN. It has long been considered impossible to access PINs as they are traveling through the ATM network without the encryption key used by the card-issuing bank. If PINs can be compromised, the almost 8 billion transactions per year they handle may be in danger. Not to mention all the transaction at retail stores."
This discussion has been archived. No new comments can be posted.

Possible Serious Security Flaw In ATMs More

Possible Serious Security Flaw In ATMs

Comments Filter:

  • Poink-Poink-Poink-Poink (Score:5, Funny)

    by Stanistani ( 808333 ) on Thursday November 30, 2006 @05:48PM (#17057656) Homepage Journal
    *Looks left and right*

    Stop reading my tones!

  • The reality of this is... (Score:5, Funny)

    by __aaclcg7560 ( 824291 ) on Thursday November 30, 2006 @05:48PM (#17057664)
    Getting a bigger mattress to store my cash in.

    • Re:The reality of this is... (Score:5, Insightful)

      by mordors9 ( 665662 ) on Thursday November 30, 2006 @05:53PM (#17057740)
      I know I am probably the exception amongst most of you. We don't have an ATM card, we go down to the corner bank to get money out the old fashioned way. Everyone at the branch knows the wife and I and no one else could get money out without generating a lot of questions. There's a lot to be said for the good old days.

      • Re:The reality of this is... (Score:4, Insightful)

        by Chosen Reject ( 842143 ) on Thursday November 30, 2006 @06:04PM (#17057918)
        I used to be a teller in a bank a few years ago. It is a very transitory position. I was there for nearly two years and there were few who had been there longer than I and many who had come and gone. Give it some time and people at the bank won't know who you are.

        Having said that, I hope that even if they do know who you are, that they ask to see ID every time, like my teller colleagues and I did. A lot of people have this silly notion that the only time we ask for ID is if the person in front of us is not the person on the account. For some reason they didn't understand that we had no way of knowing that until we had seen ID. When we asked we actually had idiots say "Why? I'm the owner of the account," as if we would turn red in the face and say "Of course you are. How silly of me to ask. Certainly a criminal would have provided us with ID without being asked."

        But if tellers ever get to the point that store clerks do (and I suspect many have) then any old schmoe will be able to take money out of your account. I can't tell you how many times I've had cashiers ring up a sale without ever even looking at either my ID or my signature on the back of the credit card. I've had times where I offered and was refused, as if they didn't want to have anything to do with security checks of any variety as that might bring upon them responsibility or something. I'm not talking about small purchases here either.

        So my point is, if bank tellers get to the point of laziness as most cashiers, you're money isn't safe in the bank whether or not you have an ATM card. The best you can do is keep an eye on it and report anything as soon as it happens.

        • Re: (Score:3)

          by phorm ( 591458 )
          Heck, I've *love* to have the banks ask for ID a little more often. My experience was that in hitting a branch of the bank that I didn't patronize often (and staff I didn't recognise), I was able to just present my debit code and pull amounts under $200 without giving ID... and without needing to enter a PIN (the card was just to save the trouble of writing out my account # details).

          A little bit worrying if somebody could swipe my card and pull out cash right in front of the teller.
          • That's very strange. At the two banks I use, I am required to swipe my card and enter my PIN for any transaction. I thought this was standard procedure. I couldn't imagine the bank allowing people to take out money without entering the PIN, or providing some other method of identification.

        • Re: (Score:3, Interesting)

          by ZzzzSleep ( 606571 )
          Quoth Chosen Reject

          But if tellers ever get to the point that store clerks do (and I suspect many have) then any old schmoe will be able to take money out of your account. I can't tell you how many times I've had cashiers ring up a sale without ever even looking at either my ID or my signature on the back of the credit card. I've had times where I offered and was refused, as if they didn't want to have anything to do with security checks of any variety as that might bring upon them responsibility or somethi

          • Re: (Score:2)

            by Nurgled ( 63197 )

            I like that anecdote on page 2 about a cashier having the card owner sign the card in front of her. Reminds me of when I was at my local supermarket and for some reason the Chip+Pin machine rejected my card and I had to give my signature. It'd been so long since I'd signed that I'd not noticed that the signature had faded away to the point that you could tell there used to be something there but couldn't make out what it was. The checkout clerk called a manager and the manager had me re-sign my card and go

            • Yeah, it's a bit worrying really. Perhaps they just figure, if the card has been stolen it'll pop up on the screen, and so any signature checks are redundant.

        • You don't need ID (Score:3, Informative)

          by Mr2001 ( 90979 )

          I can't tell you how many times I've had cashiers ring up a sale without ever even looking at either my ID or my signature on the back of the credit card.

          They're supposed to check your signature, but not your ID.

          Remember those Visa Check Card commercials from a few years back, where some easily recognizable celebrity would walk into a store without his ID, try to pay for something with a check, and be frustrated when the clerk couldn't recognize him? The point was you don't need ID when you pay with Visa, y

          • Re: (Score:2)

            by tlhIngan ( 30335 )

            The point was you don't need ID when you pay with Visa, you just need your signature. In fact, it's against Visa's merchant rules for a store to require ID with a purchase: they can ask, but if you refuse, they still have to go through with the transaction. (If they won't let you pay without ID, call (800) VISA-911 and file a complaint.)

            Wow. I didn't know that. I guess I shall be calling it soon - EBGames always checks ID for all credit card purchases. (They have a sign, too...) And yes, they take Visa - I

            • Re: (Score:2)

              by Mr2001 ( 90979 )

              Wow. I didn't know that. I guess I shall be calling it soon - EBGames always checks ID for all credit card purchases. (They have a sign, too...) And yes, they take Visa - I only carry a Visa card. Not only that, but they record down the ID presented and the number. I believe that would really be against their rules...

              Indeed. Here [visa.com] are the merchant rules (PDF). Page 29 says "merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should no

              • I wonder if that's valid in Canada as well. Just about every grocery store I see says they require ID on credit card transactions over some specified amount. Usually something low like $50. If this is in the merchant agreement, then I think they should have their credit card privileges taken away for 1 month or something if they are asking for ID. I guess the problem is that they can still ask, but they can't refuse you if you don't present ID.

            • Re: (Score:2)

              by Detritus ( 11846 )
              They are supposed to check that the card is signed, which indicates that the cardholder agrees to the issuer's terms and conditions. The signature on the card is not intended to be an exemplar. Clerks are not expected to be hand writing analysts.

              • Re: (Score:2)

                by Mr2001 ( 90979 )

                The signature on the card is not intended to be an exemplar.

                Yes, it is. From page 28 of the Rules for Visa Merchants [visa.com]:

                The final step in the card acceptance process is to ensure that the customer signs the sales receipt and to compare that signature with the signature on the back of the card. When signing the receipt, the customer should be within your full view, and you should check the two signatures closely for any obvious inconsistencies in spelling or handwriting.

          • Re: (Score:2)

            by Belial6 ( 794905 )
            The thing about these commercials that always got me was that they showed that you didn't need ID AND you didn't need a pin. They actively advertised that they were easy to commit fraud with. Combine that with the fact that the event that will make you notice the fraud is when your checks like rent or your mortgage payment start bouncing. It amazes me that people actually carry these 'take my money for free' cards.
            • Why? They're just as difficult (or easy as the case may be) to commit fraud with as a regular credit card.

              • Re: (Score:2)

                by Belial6 ( 794905 )
                Because when fraud is commited with a regular credit card, the process goes like this:

                Fraud occurs
                Bill comes
                You discover fraud
                You dispute charges
                End of story

                Whereas the story for check cards will more like go like this:

                Fraud occurs
                You get a notice from your landlord/mortgage company that your check bounced
                You get a notice from your credit card company that your check has bounced and that your 6.9% credit card is now a 21% credit card
                You discover the fraud
                You dispute the charges
                A day or tw

                • Re: (Score:2)

                  by Mr2001 ( 90979 )

                  Whereas the story for check cards will more like go like this: [horror story]

                  Indeed. The big difference between credit and debit cards isn't the ease of committing fraud, but the consequences of fraud if it occurs.

                  However, the other debit cards are worse. Finding your PIN isn't any harder for a scammer than forging your signature, and on PIN debit cards, you don't have the fraud guarantees that you do with Visa - so not only will your checks bounce and your credit score fall, but you'll never see that money

            • Re: (Score:2)

              by Mr2001 ( 90979 )
              The thing about these commercials that always got me was that they showed that you didn't need ID AND you didn't need a pin. They actively advertised that they were easy to commit fraud with.

              No, you still have to sign when you use them. Forging a stranger's signature is harder than watching him type his PIN.

          • Re: (Score:2)

            by inKubus ( 199753 )
            I wrote "SEE ID" on the back of my card instead of signing it. In case it gets lost.

            • Re: (Score:2)

              by Mr2001 ( 90979 )
              That's not a valid signature, unless your name happens to be See Id. Your card is invalid according to Visa, and merchants who follow the rules are supposed to make you sign it in front of them, just as if you hadn't written anything there at all.
              • If "X" is a valid signature, then so is See ID. Many people's signatures don't look anything like their actual name, and are often illegible anyway. See ID should be a perfectly acceptable signature.

                • Re: (Score:2)

                  by Mr2001 ( 90979 )
                  Actually, the name you sign doesn't have to match the name printed on the card, so I suppose "See ID" could be a valid signature if you decide you want to do that. Of course, you'd have to sign your charge slips the same way. And if you're worried about someone forging your real signature, surely it's easier for them to forge this "signature", so what's the point?
          • Are you telling me that you can rent a car on a Visa without showing your ID?

            • Re: (Score:2)

              by dwandy ( 907337 )
              No, he's telling you you can *pay* for the rental using visa without showing ID.
              The rental itself may or may not require the showing of ID but is unrelated to the payment.
              In other words, if you pay for the car rental in cash and don't provide a credit card in any way shape or form (good luck with that) then they would still demand ID - specifically a driver's license.
      • Some of us do not have a bank right on our corner. It would likely be a three hour ride on two different transit systems for me to get to my home branch. (Hey, I used to bank in an entirely different city 200+km from where I live). Since I only need to go to the branch once or twice every five years, it is not worth the hassle of switching. Internet and ATM is the way to go.
        • My checking account is at Washington Mutual since they have ATMs everywhere. But my savings account is in a credit union with very few ATMs and there's no local network ATM where I live. I write a check for CASH every two weeks that I deposit into my savings account by mail in special envelopes provided by the credit union. If I need to move money into my checking account, I can do a direct deposit from the credit untion website.
      • My dad has a similar attitude towards credit cards. Since declaring bankruptcy 25 years ago, he haven't had a credit card or bought anything on credit. When a truck dealership had a Labor Day sale on $10,000 trucks, he took an $8,000 cashier check in hand and asked to finance the rest. It took the dealership a while to figure out if he was credit worthy since had no credit record whatsoever. His boss paid off the balance when the first payment was due since the truck was used mostly for work. I kept asking

        • I kept asking my dad whatever happened to "cash is king" philosophy that he's been preaching for years. He told me to shut up. :)

          You dad was right, though. Cash is, indeed, king. The problem is that you have to be willing to save until you can afford to buy without credit. This is something that most of us, not even your dad, is willing to do. Credit is an all or nothing deal. You either play the game with all the risks, or you are generally excluded from borrowing money from anywhere except the insti

        • My personal take on the "cash is king" issue is this:
          If the thing you are buying on credit does not make you more productive, and help you at least recoup the interest, then your finances are poorly managed; you spend more than you make, and end up paying more for the same quality of life.
          If however, you buy something that helps you make more money, then credit is a good idea: it helps you grow faster than a strict cash-only strategy.
          Note that the line between productive and unproductive investments is rath

  • Intercepting Transmission (Score:5, Interesting)

    by DigitalRaptor ( 815681 ) on Thursday November 30, 2006 @05:50PM (#17057700)
    I saw a news report the other day of a guy that hooked his a device (it may have been an iPod) to the back of an ATM where the phone line comes out, and intercepted the signal transmitting the information.

    He was able to get credit card numbers, pins, and all of the other information transmitted, and stole a lot of money before being caught. And he wasn't caught by bank security or software, he was caught because a clerk was paying attention, IIRC.

    • Re:Intercepting Transmission (Score:5, Informative)

      by DigitalRaptor ( 815681 ) on Thursday November 30, 2006 @05:56PM (#17057786)
      Here is the story [google.com].

      • Re: (Score:2)

        by Intron ( 870560 )
        OMFG. They are sending all of the information on phone lines without encryption. What is this, the 1970s bulletin board era? These are the people we trust to build voting machines because of their security expertise?
      • What story are you referring to?

        The only one that had inflammatory hand wringing was the Mp3 player that Sound emitted from the line is then interpreted using a modem line tap, or passed through a Ukrainian computer software program which is illegal to purchase.

        And yes, there is crypto, at least for US ATM networks, between the ATM and end unit HSM.

        This isn't a comment regarding the original article, just this particular story.

        • Re: (Score:3, Interesting)

          by DigitalRaptor ( 815681 )
          This one [webpronews.com].

          Also covered here [timesonline.co.uk].

          And here. [com.com]

          If there was crypto used, it absolutely sucked.

          If all you need is a modem line tap or an illegal program to crack ATM's, there isn't much security is there?

          I don't think there is crypto. I think the information is sent across the phone lines as plain text. The purpose of the modem line tap or illegal program is to convert the signal going over the line (the same signal you hear when you pick up the phone during a fax or internet connection) to text. From there, no men

  • Let's just get this clear right now... (Score:5, Funny)

    by Anonymous Coward on Thursday November 30, 2006 @05:50PM (#17057702)
    First one to refer to "ATM Machines" or "PIN numbers" gets slapped.
  • I am surprised this has not surfaced before. Every piece of technology can be hacked if given enough time and access. The only way to remain secure is to stay ahead of the hackers. FTFA: The attack theory is significant because it has long been considered impossible to access PINs as they are traveling through the ATM network without the encryption key used by the card-issuing bank. I am really quite surprised that it was considered "impossible" to hack for so long.

    • Re: (Score:2, Insightful)

      by FunkeyMonk ( 1034108 )
      It seems perfectly reasonable to me. Most ATMs in America are manufactured by Diebold. Diebold has proven time and again that they consider all their products to be unhackable.

    • Re: (Score:2)

      by Twylite ( 234238 )

      Actually it has surfaced before. These researchers have extended attacks that were described in 2003, which in turn extended earlier attacks. Even before that ANSI & ISO issued several updates to PIN encryption standards to protect against known weaknesses.

      The oldest standards for PIN encryption used the naive approach of padding the PIN and encrypting it. For a 5 digit PIN this gives only 10,000 possible ciphertexts per key. The attacks describes by the Israeli researchers target this format.

      Be

  • Holding All the Cards (Score:5, Interesting)

    by Doc Ruby ( 173196 ) on Thursday November 30, 2006 @05:56PM (#17057782) Homepage Journal
    Every bank I know of with back-end offices here in NYC requires everyone passing through their building doors to use onetime password cards (usually RSA keycards) for access. Yet those banks all make us run around broadcasting our PINs to whichever fly-by-night ATM dispenses $100 latenight when we're drunk.

    The cost of chipcards that generate onetime passwords, to protect from replay attacks, is minimal. Especially compared with fraud and theft. What's taking them so long?

    • Re: (Score:2)

      by bperkins ( 12056 )
      Accessiblity for one.

      Try reading one of those cards when you've had your pupils dialated sometime.
      • Why should I read the card? That's the machine's job. Letting me know the onetime passwords just increases the risk.
    • I worked for a developer that did bank card software and the parent is right about physical security. The banks have thought long and hard about security regarding their card payment operations and they are generally well thought out and practical. Implementation is excellent at the facilities I have been to.

      The cost of chipcards that generate onetime passwords, to protect from replay attacks, is minimal.
      Not even close. Everything about the change is gigantic considering they would need to somehow inte
      • I've worked developing infosystems, often secure ones, for many banks, for over a decade. US, Canadian, European. Familiar depositors, commercial, credit corps, insurance, brokers, interbanks. Banks are a bizarre world of risk-averse analysis and dizzying unnecessary risk taking.

        The cost of chipcards, and the key infrastructure, is minimal compared to the profits the banks make off of us. And compared to the costs of losses in security. And the costs of losing customers. What about the ATM thefts we're disc
        • If security isn't a selling feature, why do I see several bank ads a day pitching their ID theft services?
          Because this is easier and more profitable than going to a proper microprocessor smart card. More importantly, the banks get to promote the perception that they are running a tight ship.

          I entirely agree with your comments regarding the history and profile of banking. In the U.S. anyway, it seems policy/regulation is not preventative. Sadly, I think another massive failure will be required.

          Your commen
          • I think the best way for consumers to take these matters into our own hands is to start with controlling our own client HW/SW, including these bankcards. I mentioned elsewhere in these subthreads that I'd like my smartcard to keep transaction histories for multiple bank accounts in multiple banks. With an interface, maybe Bluetooth, for using my mobile phone as the GUI. The next step to making the smartcard encrypt the transactions for transmissions thru a transparent ATM that's merely the gateway to the ba
            • I'd like my smartcard to keep transaction histories for multiple bank accounts in multiple banks.

              Better e-purses already do this. They don't do multiple bank accounts though. That would require either multiple e-purses or "one purse to rule them all..."

              encrypt the transactions for transmissions
              Better epurses do something like this now. Essentially mutual authentication followed by password. From there the entire transaction is encrypted between the terminal and the card. The beauty of a proper smart ca
    • One major credit card company is switching to chipcards in my country next year. They expect to be finished (ie almost all merchants and cardholders) switched over by 2010.
  • "...the almost 8 billion transactions per year they handle may be in danger."

    It was as if the entire NCC had suddenly received the news, and the voices of NCC staffers across the country had cried out as one. We could only look at each other in stunned silence, afraid to speak, as if any utterance would risk making our greatest fear become real, and the terror would come out of the cold dark depths...t'would come for us - the KRACKEN!!!

  • Easier to manually do it (Score:4, Insightful)

    by Evets ( 629327 ) on Thursday November 30, 2006 @06:01PM (#17057876) Homepage Journal
    It would be easier to simply use a video camera over the shoulder of an ATM visitor, and just as effective.

    Using the information directly at an ATM to get a couple of hundred dollars would be too much effort, too high risk, and too little return. More likely, the PIN would be used to obtain larger sums of cash via other methods - calling in a bank transfer or something to that effect.

    While on the surface it seems unlikely that somebody would go through the hassle, if one gained access to the ATM network, and had means to unencrypt the traffic at least in part, there is a great deal more potential for crime than simply obtaining an ATM PIN number.

    Banks shouldn't be reliant on security at the switches either - all it takes is one bad employee to reduce the effectiveness of on site security to nothing, and I imagine with the pay rates they are kicking out, there are more than a few employees vulnerable to trouble of one sort or another.

  • New Title to Earn? (Score:4, Funny)

    by failedlogic ( 627314 ) on Thursday November 30, 2006 @06:01PM (#17057882)
    So if someone cracks the system do they become "The Lord of the PINS?"

    Sorry, obvious pun joke. Had to make it. Any others?

  • So just use it as a credit card? (Score:4, Interesting)

    by letsgolightning ( 1004592 ) on Thursday November 30, 2006 @06:04PM (#17057920)
    I realize this topic is mostly meant for using a card at an atm to take out cash and the like, but whenever I use my debit card to actually buy something, I make sure to use it as credit, even though most stores' touch-and-swipe pads love to default to a keypad to enter a pin. I just hit 'cancel' then 'credit' and sign the screen. No pin gets transferred, so I don't have to worry about anyone stealing it. Usually, they ask for an id because my signature is so awful (added security for me). I get points for my purchases, which I may be able to redeem within the next decade. And best of all, if anyone does decide to defraud me this way, Visa and my bank will give me the stolen funds back (my bank covers the $50 or so 'deductible' that Visa normally wants). To quote Micheal Scott, it's a win-win-win. I'm safer, my money's safer, and Sam Walton gets less profits because he now has to pay Visa processing fees.

    • Re: (Score:3, Insightful)

      by Intron ( 870560 )
      If you pay your balance off every month, you are also getting an interest-free loan for up to about 45 days.

    • Re: (Score:2)

      by garcia ( 6573 )
      They don't make you sign these days (if it's under some unknown amount -- they all seem to be different) and I get cash back on my non PIN purchases.

      I never quite understood the reason for using it like an ATM when it takes so fucking long. I use a card because I want it to be fast (no ID checks, no signature, no change).
  • Come on, post specifics. With Christmas around the corner we need all the help we can get. Have you seen the prices the new Elmo and P3s go for!
  • Breaking News: Republican Congress rushes Vote-by-ATM bill through committee.

  • As long as the ATMs in Chicago are secure I'll be fine ;-)

  • it may be possible for 'someone with access to the ATM network to attack the special computers that transmit bank account numbers and PIN codes

    Holy crap! People with access to a network can attack it? Next you're going to tell me that the only secure computer is one that's turned off, locked in a safe, and dropped to the bottom of the Marianas Trench.
  • Really, "If PINs can be compromised, the almost 8 billion transactions per year they handle may be in danger. Not to mention all the transaction at retail stores." take a breath and calm down. It's not like any kid off the street with basic knowledge of a computer is going to be able to walk into radio shack and hack his way into your bank account. This isn't the movies, it's reality in order to pull this off you would have to have someone working in a bank and monitoring the transactions who would leak, re

  • What a coincidence! (Score:3, Interesting)

    by Mark_in_Brazil ( 537925 ) on Thursday November 30, 2006 @07:51PM (#17059248)
    I'm sure it's just a coincidence that Algorithmic Research (ARX) is a vendor of security solutions, including HSMs [arx.com], and that ARX has been losing market share in that space for years and has a tiny market share (nCipher dominates the HSM market worldwide, Safenet, through acquisitions, has the next-largest market share, and then you start getting to competitors with very small market shares). I'm sure the researchers at ARX had no idea that almost all banks in the world use HSMs made by competitors of ARX and just wrote this paper to expose a very real security flaw, one that something tells me ARX HSMs don't allow...
    FWIW, ARX was actually something of a leader and had some cool ideas... several years ago. I'm not sure whether it was because of financial trouble, incompetent management, neither, or both, but they were lapped by players like nCipher, Luna (now part of SafeNet), Utimaco, even Thales, which focuses on serving the credit card transaction market but doesn't have things like Diffie-Hellman key exchange because VISA and Mastercard don't require them, and yes, even the old low-cost option, Eracom (bought by Safenet in order to do away with a pesky competitor).
  • A spokesman pointed out that you'd have to be on the same LAN segment as the Hardware Security Module to launch this attack. Considering that a technician with an infected laptop once put viruses onto ATMs, this is less comforting than it might be.

    (Still trying to wrap my head around every "switch" (router?) in the network decrypting and re-encrypting the PIN block. These being systems outside the control of the data owner).

  • Really Unlikely... (Score:2, Interesting)

    by fixer007 ( 851350 )
    I work at a 'switch' that the article describes. It would be REALLY hard to do what they are describing, even having inside access. Not to say it couldn't be done, but the person doing it would have to have some serious clearance to get access to the HSM and the system it is on. If they do have that kind of access, it is pretty unlikely that they have the technical know-how to go about doing what the article describes.
    Usually the people that have the technical know-how don't have userid's or passwords to
  • The paper points to a lack of serious integrity checking, which by itself opens up a whole family of crypto attacks. But another bad part is that the "switch" can rewrite PIN block formats. Of which there are too many. The attack sequence is to translate the PIN block into a format which doesn't contain an account number (but which does contain random data, the designers weren't quite that stupid), and then translate that block into another format which does include an account number. Which means you supply
  • The problem appears to be fact that intermediaries in the network have to decrypt and reencrypt the PIN and related information.

    It is generally considered safer to do end-to-end encryption. The first ATM encrypts all the information and the intermediaries just pass through a collection of bytes (without needing to know what the bytes mean), once the bytes reach the target bank, the information is decrypted, verified and the response is send back (possibly encrypted as well). This way all tempering at interm

  • This is highly unlikely (Score:3, Informative)

    by marcgvky ( 949079 ) on Thursday November 30, 2006 @09:29PM (#17060258) Journal
    I personally have experience configuring the HSM's and implementing the types of security referred to in this article. To understand how unlikely this hack is, I would have to go into a deep conversation with regard to how these HSM's are supposed to be configures and implemented. The brief version: Typically, PIN's are stored by your card issuer ONLY in their encrypted format. The keys that do the encryption are stored in the HSM and SHOULDN'T be exportable. When enter your PIN at a POS or ATM, it is 3DES encrypted and sent over the wire as an encrypted pin block (EPB). When an inbound EPB is fed into the HSM, the originating bank pulls an encrypted version of your PIN and feeds that into the HSM. The HSM _should_ be a black box and decrypts both in inside of protected memory, makes a comparison of the two PIN's, and returns TRUE or FALSE. PIN's are stored by the card issuer in encrypted form and are NEVER reversible to people. When you forget/lose your PIN, the card issuer will typically issue a new PIN. That's because they CAN'T read a PIN. The PIN is DES encrypted by a symetric 128-bit key that is encrypted by another key which is NEVER NEVER known to any human. If this hack is proposing to repeatedly "guess" EPB's until they get one right, or do EPB->EPB translation until they get something that makes sense.... you would be better off buying lottery tickets. LOL

    • Re: (Score:2)

      by Twylite ( 234238 )

      The attacks described are against the PIN Translation function, not PIN Verification.

      PINs, as you will know, must be formatted before encryption. ANSI X9.8 and ISO 9564 provide standards for PIN formats. You should also know that in its passage across a network, a PIN goes through several zones, and is changed not only from one encryption key to another, but also from one format to another, according to the zone.

      The attacks exploit the fact that you can change the PIN's format, in particular the abili

  • This was stored as an image for some reason

    "At the STM, the information is combined into a format called a PIN block, scrambled, then passed along the network. The intermediate steps are called switches, and these are rarely owned by the cardholder's bank. So at each step, the PIN block is unscrambled and rescrambled with a new key i a machine called a hardware security module (HSM). It's at these intermediate points where hackers could trick the machines into divulging PINs, Israeli researchers say."

Slashdot Top Deals

Beware of Programmers who carry screwdrivers. -- Leonard Brandwein

Close