[ISN] Students crack bank pin codes

From: InfoSec News (isnat_private)
Date: Fri Nov 09 2001 - 00:59:01 PST

  • Next message: InfoSec News: "Re: [ISN] Linux snares security tool"

    Forwarded from: Will Munkara-Kerr <WillMat_private>
    Two British PhD students have designed a computer program to crack
    bank security codes which potentially gives them access to hundreds of
    thousands of PIN numbers, it emerged today.
    Armed with the software and hardware, the pair have shown that it is
    theoretically possible to download large amounts of confidential
    financial information, allowing a potential thief to steal vast
    amounts of cash.
    The two Cambridge University students plan to put details of how to
    crack the systems on the internet in an effort to ensure security is
    The security breach was revealed in the BBC's Newsnight program, which
    outlined how it was possible to translate the 16-digit number for cash
    cards from data downloaded by the program.
    Michael Bond, 22, one of the students involved, said he felt not
    enough was being done to insure that the hole in security was blocked.  
    "Banks' approach to security at the moment is too closed, they are
    relying on outdated concepts such as security through obscurity.
    "What they really need to do is pay more attention to the open
    community including academia and get more peer review on some of the
    systems that they are using.
    "We need to see banks being more accountable for the security of
    people's money."
    He said the breach could only be performed by bank staff with access
    to bank computers.
    The system involved is based on IBM's 4758 crypto-processor used by
    banks, the military and governments across the world to protect their
    The attacks work using a combination of software developed by Mr Bond
    and off-the-shelf hardware costing less than STG750 ($A2,140)
    developed by mature student Richard Clayton.
    Their research shows it is possible for a single individual, with only
    the level of access to a bank's computer system granted to a temporary
    computer contractor, to extract and download information.
    Within 20 minutes it is possible to find the secret "key" from the
    crypto-processor it uses to scramble customer PINs.
    Once taken home on a floppy disk, it would take around a day using the
    Cambridge equipment to reveal the secret "key".
    The "key" can translate the PIN into the 16-digit number on the front
    of cash cards meaning a criminal could plunder thousands of bank
    Alan Cox, a computer operating system developer, said: "This is a
    military grade protected encryption system where you have to have
    licences to possess them.
    "I would expect the reaction of the banking industry is probably one
    of pure horror ... shared by the military and a considerable number of
    other bodies."
    Computer company IBM says normal bank practice and procedure would
    prevent any possibility of launching such an attack.
    It says in a statement this academic study is based on specific
    laboratory conditions.
    IBM says in the real world there are too many physical safeguards and
    authority protections for such an attack to be successful.
    "This message is intended for the addressee named and may contain
    confidential information. If you are not the intended recipient, please
    destroy it and notify the sender. Views expressed in this message are those
    of the individual sender, and are not necessarily the views of the Central
    Sydney Area Health Service."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 02:38:30 PST