[ISN] Bank-card PINs 'wide open' to insider attack

From: InfoSec News (alerts@private)
Date: Mon Nov 20 2006 - 22:48:52 PST


http://www.theregister.co.uk/2006/11/20/bank_card_pin_fraud/

By John Leyden
20th November 2006

Security researchers have highlighted how corrupt bank insiders might be 
able to obtain bank card PINs using as little as one or two guesses.

The flaw, which involves the way ATM PINs are encrypted and transmitted 
across international financial networks (by switches), is far more 
severe than previous attacks which created a means for insiders to crack 
PINs using around 15 guesses. By design, it shouldn't be possible to 
guess a four-digit pin in less than an average of 5,000 attempts.

Israeli academics Omer Berkman and Odelia Moshe Ostrovsky have published 
a paper, titled The Unbearable Lightness of PIN Cracking (PDF) [1], 
which explains how the processing system used by banks is open to abuse. 
One of the attacks targets the translate function in switches. Another 
abuses functions that are used to allow customers to select their PINs 
online.

In either case, the flaws create a means for an attacker to discover PIN 
codes, for example, those entered by customers while withdrawing cash 
from an ATM providing they have access to the online PIN verification 
facility or switching processes.

A bank insider could use an existing Hardware Security Module (HSM) to 
reveal the encrypted PIN codes and exploit them to make fraudulent 
transactions, or to fabricate cards whose PIN codes are different than 
the PIN codes of the legitimate cards, and yet all of the cards will be 
valid at the same time," said Ostrovsky, researcher at Tel Aviv 
University who also works for local security firm Algorithmic Research. 
Even worse, an insider of a third-party Switching provider could attack 
a bank outside of his territory or even in another continent".

The authors have passed on their research to credit card firm and banks, 
with little response, prompting their decision to go public with the 
problem.

"One of the most disturbing aspects of the attack is that you're only as 
secure as the most untrusted bank on the network. Instead of just having 
to trust your own issuer bank that they have good security against 
insider fraud, you have to trust every other financial institution on 
the network as well. An insider at another bank can crack your ATM PIN 
if you withdraw money from any of the other bank's ATMs," writes 
security guru Bruce Schneier in a posting [2] on the issue on his 
security blog.

[1] http://www.arx.com/documents/The_Unbearable_Lightness_of_PIN_Cracking.pdf
[2] http://www.schneier.com/blog/archives/2006/11/attacking_bankc.html


_________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 



This archive was generated by hypermail 2.1.3 : Mon Nov 20 2006 - 22:57:59 PST