http://www.theregister.co.uk/2006/11/20/bank_card_pin_fraud/
By John Leyden
20th November 2006
Security researchers have highlighted how corrupt bank insiders might be
able to obtain bank card PINs using as little as one or two guesses.
The flaw, which involves the way ATM PINs are encrypted and transmitted
across international financial networks (by switches), is far more
severe than previous attacks which created a means for insiders to crack
PINs using around 15 guesses. By design, it shouldn't be possible to
guess a four-digit pin in less than an average of 5,000 attempts.
Israeli academics Omer Berkman and Odelia Moshe Ostrovsky have published
a paper, titled The Unbearable Lightness of PIN Cracking (PDF) [1],
which explains how the processing system used by banks is open to abuse.
One of the attacks targets the translate function in switches. Another
abuses functions that are used to allow customers to select their PINs
online.
In either case, the flaws create a means for an attacker to discover PIN
codes, for example, those entered by customers while withdrawing cash
from an ATM providing they have access to the online PIN verification
facility or switching processes.
A bank insider could use an existing Hardware Security Module (HSM) to
reveal the encrypted PIN codes and exploit them to make fraudulent
transactions, or to fabricate cards whose PIN codes are different than
the PIN codes of the legitimate cards, and yet all of the cards will be
valid at the same time," said Ostrovsky, researcher at Tel Aviv
University who also works for local security firm Algorithmic Research.
Even worse, an insider of a third-party Switching provider could attack
a bank outside of his territory or even in another continent".
The authors have passed on their research to credit card firm and banks,
with little response, prompting their decision to go public with the
problem.
"One of the most disturbing aspects of the attack is that you're only as
secure as the most untrusted bank on the network. Instead of just having
to trust your own issuer bank that they have good security against
insider fraud, you have to trust every other financial institution on
the network as well. An insider at another bank can crack your ATM PIN
if you withdraw money from any of the other bank's ATMs," writes
security guru Bruce Schneier in a posting [2] on the issue on his
security blog.
[1] http://www.arx.com/documents/The_Unbearable_Lightness_of_PIN_Cracking.pdf
[2] http://www.schneier.com/blog/archives/2006/11/attacking_bankc.html
Received on Tue Nov 21 00:48:52 2006