[ISN] PIN Crackers Nab Holy Grail of Bank Card Security

From: InfoSec News <alerts_at_private>
Date: Wed, 15 Apr 2009 02:47:57 -0500 (CDT)

By Kim Zetter 
Threat Level
April 14, 2009

Hackers have crossed into new frontiers by devising sophisticated ways 
to steal large amounts of personal identification numbers, or PINs, 
protecting credit and debit cards, says an investigator.  The attacks 
involve both unencrypted PINs and encrypted PINs that attackers have 
found a way to crack, according to the investigator behind a new report 
looking at the data breaches.

The attacks, says Bryan Sartin, director of investigative response for 
Verizon Business, are behind some of the millions of dollars in 
fraudulent ATM withdrawals that have occurred around the United States.

"We're seeing entirely new attacks that a year ago were thought to be 
only academically possible," says Sartin. Verizon Business released a 
report Wednesday that examines trends in security breaches. "What we see 
now is people going right to the source ... and stealing the encrypted 
PIN blocks and using complex ways to un-encrypt the PIN blocks."

The revelation is an indictment of one of the backbone security measures 
of U.S. consumer banking: PIN codes. In years past, attackers were 
forced to obtain PINs piecemeal through phishing attacks, or the use of 
skimmers and cameras installed on ATM and gas station card readers. 
Barring these techniques, it was believed that once a PIN was typed on a 
keypad and encrypted, it would traverse bank processing networks with 
complete safety, until it was decrypted and authenticated by a financial 
institution on the other side.

But the new PIN-hacking techniques belie this theory, and threaten to 
destabilize the banking-system transaction process.


Best Selling Security Books and More!
Received on Wed Apr 15 2009 - 00:47:57 PDT

This archive was generated by hypermail 2.2.0 : Wed Apr 15 2009 - 01:11:43 PDT