Possible Serious Security Flaw In ATMs
sfjoe writes "According to a story at MSNBC.com, researchers at Algorithmic Research (ARX) have shown it may be possible for 'someone with access to the ATM network to attack the special computers that transmit bank account numbers and PIN codes, called hardware security modules'. Using these methods, an attacker could trick the security modules into exposing a PIN. It has long been considered impossible to access PINs as they are traveling through the ATM network without the encryption key used by the card-issuing bank. If PINs can be compromised, the almost 8 billion transactions per year they handle may be in danger. Not to mention all the transactions at retail stores."
Here is the story.
They're supposed to check your signature, but not your ID.
Remember those Visa Check Card commercials from a few years back, where some easily recognizable celebrity would walk into a store without his ID, try to pay for something with a check, and be frustrated when the clerk couldn't recognize him? The point was you don't need ID when you pay with Visa, you just need your signature. In fact, it's against Visa's merchant rules for a store to require ID with a purchase: they can ask, but if you refuse, they still have to go through with the transaction. (If they won't let you pay without ID, call (800) VISA-911 and file a complaint.)
I personally have experience configuring HSMs and implementing the types of security referred to in this article. To understand how unlikely this hack is, I would have to go into a deep conversation with regard to how these HSMs are supposed to be configured and implemented. The brief version: Typically, PINs are stored by your card issuer ONLY in their encrypted format. The keys that do the encryption are stored in the HSM and SHOULDN'T be exportable. When you enter your PIN at a POS or ATM, it is 3DES encrypted and sent over the wire as an encrypted PIN block (EPB). When an inbound EPB is fed into the HSM, the originating bank pulls an encrypted version of your PIN and feeds that into the HSM. The HSM _should_ be a black box and decrypts both inside of protected memory, makes a comparison of the two PINs, and returns TRUE or FALSE. PINs are stored by the card issuer in encrypted form and are NEVER reversible to people. When you forget/lose your PIN, the card issuer will typically issue a new PIN. That's because they CAN'T read a PIN. The PIN is DES encrypted by a symmetric 128-bit key that is encrypted by another key which is NEVER NEVER known to any human. If this hack is proposing to repeatedly "guess" EPBs until they get one right, or do EPB->EPB translation until they get something that makes sense.... you would be better off buying lottery tickets. LOL
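As an added illustration (not code from the story or from either commenter) of the black-box verify flow described in the comment above: the keys live only inside the HSM, both the inbound EPB and the issuer's stored encrypted PIN are decrypted internally, and nothing but a TRUE/FALSE verdict leaves. The ISO 9564 format-0 clear PIN block layout is real; the HMAC-SHA256 keystream cipher is a stand-in for 3DES (the Python standard library has no DES), and the key names ZPK/PSK and the PAN are constructed for the example.

```python
import hashlib
import hmac
import secrets


def iso0_pin_block(pin: str, pan: str) -> bytes:
    """Clear ISO 9564 format-0 PIN block: PIN field XOR PAN field (8 bytes)."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    # control nibble 0, PIN length nibble, PIN digits, pad with F
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    # 0000 + rightmost 12 PAN digits excluding the Luhn check digit
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))


class HSM:
    """Black-box model: keys are generated inside and never exported."""

    def __init__(self) -> None:
        # ZPK: zone key shared with the ATM side; PSK: issuer PIN storage key
        self._keys = {"ZPK": secrets.token_bytes(32), "PSK": secrets.token_bytes(32)}

    def _xor_crypt(self, key_name: str, data: bytes, nonce: bytes) -> bytes:
        # stand-in for 3DES: keystream = HMAC(key, nonce), XORed over the block
        ks = hmac.new(self._keys[key_name], nonce, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(data, ks[: len(data)]))

    def encrypt_block(self, key_name: str, block: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        return nonce + self._xor_crypt(key_name, block, nonce)

    def verify_pin(self, epb: bytes, stored_epb: bytes) -> bool:
        # both values are decrypted only here, in protected memory
        entered = self._xor_crypt("ZPK", epb[16:], epb[:16])
        stored = self._xor_crypt("PSK", stored_epb[16:], stored_epb[:16])
        # constant-time compare; only the verdict is returned to the caller
        return hmac.compare_digest(entered, stored)


def demo() -> tuple:
    hsm = HSM()
    pan = "4000001234567899"  # constructed sample PAN, not a real card
    stored = hsm.encrypt_block("PSK", iso0_pin_block("1234", pan))  # issuer record
    ok = hsm.verify_pin(hsm.encrypt_block("ZPK", iso0_pin_block("1234", pan)), stored)
    bad = hsm.verify_pin(hsm.encrypt_block("ZPK", iso0_pin_block("1235", pan)), stored)
    return ok, bad
```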
Here is reality:
There are two types of HSMs: A mini one in each ATM that uses the Zonal encryption keys for the bank involved to encrypt something somewhat like the PIN entered by the customer. Of course if someone instrumented (tampered with) this module inside an ATM then they would get any PINs entered. Also they could probably find other ATMs in the same area/bank using the SAME Zonal encryption keys (if the bank did not sufficiently distribute enough different keys to prevent this).
Why is it a surprise that any "self-destruct" mechanism on such a device (that might only be worth a couple of K at wholesale) would not be fail-safe? It is just that the arcane knowledge necessary to pull this off is so rare that a criminal organization would be lucky to figure out who to target, let alone to actually recruit them (e.g. yes, I sound like I know this stuff, but I don't know how to do this either since I am not a hardware hacker).
The other type of HSM is part of a very secure internal network at the acquiring institution/bank. That type might be more hackable since they do hang off IP networks and thus are more vulnerable just by their base technology. However, the actual access to these machines is closely secured (both physically and by remote access).
So unless the "story" fits into the above or someone has been very lax in their other security procedures I am calling "likely BS!".