Possible Serious Security Flaw In ATMs

sfjoe writes "According to a story at MSNBC.com, researchers at Algorithmic Research (ARX) have shown it may be possible for 'someone with access to the ATM network to attack the special computers that transmit bank account numbers and PIN codes, called hardware security modules'. Using these methods, an attacker could trick the security modules into exposing a PIN. It has long been considered impossible to access PINs as they are traveling through the ATM network without the encryption key used by the card-issuing bank. If PINs can be compromised, the almost 8 billion transactions per year they handle may be in danger. Not to mention all the transaction at retail stores."

What's the big deal?

[goldseries]

I am surprised this has not surfaced before. Every piece of technology can be hacked if given enough time and access. The only way to remain secure is to stay ahead of the hackers. FTFA: The attack theory is significant because it has long been considered impossible to access PINs as they are traveling through the ATM network without the encryption key used by the card-issuing bank. I am really quite surprised that it was considered "impossible" to hack for so long.

Re:What's the big deal?

[FunkeyMonk]

It seems perfectly reasonable to me. Most ATMs in America are manufactured by Diebold. Diebold has proven time and again that they consider all their products to be unhackable.

Re:What's the big deal?

I am surprised this has not surfaced before. Every piece of technology can be hacked if given enough time and access.

This bizarre attitude always pisses me off. We're not even talking about "technology" here, we're talking about the protocol itself. Tell me, what do you really know about the cryptography they use in those boxes? Indeed, what do you know about cryptography at all? If you cannot prove that either, say, factoring is in P or that P != NP, how can you say that, say, a 2^20 bit RSA key "can be hacked if given enough time and access"? You can't, unless you by "enough time" mean more time than from now till the heat death of the universe. It is even more obvious with something like one-time pads. Use those, and I'd like to see you break the encryption no matter how freakin' long you have to do it. It's provably impossible.

Just because lots of crappy technologies and protocols get broken left and right doesn't mean that there every protocol must be by some law of nature. Some can even be proven to be secure, like one-time pads.

Besides, it's an amazingly dumb thing to say even if you were right that even all encryption protocols could be broken within (some reasonable) time. Because it hasn't been done yet. Do you understand the difference between knowing that something is possible and knowing how to do it? Obviously, nobody knew how to break ATM encryption for a long while, so that they have finally done it would obviously be a big deal, even granted your inane assumption that any cryptographic protocol must go the way of the Dodo in five years.

I am really quite surprised that it was considered "impossible" to hack for so long.

Let me reiterate: you know absolutely nothing about the encryption algorithm, and in all likelihood nothing about the field of cryptography at all. So what makes you think that your degree of surprise, or lack of it, when confronted with the hack is anything but completely uninteresting in every freakin' regard?

God, people like you just piss me off no end. Keep your fucking vacuous smart ass comments to yourself next time, mmkay? It'll make Slashdot, and the world, a better place.

Re:The reality of this is...

[mordors9]

I know I am probably the exception amongst most of you. We don't have an ATM card, we go down to the corner bank to get money out the old fashioned way. Everyone at the branch knows the wife and I and no one else could get money out without generating a lot of questions. There's a lot to be said for the good old days.

Easier to manually do it

[Evets]

It would be easier to simply use a video camera over the shoulder of an ATM visitor, and just as effective.

Using the information directly at an ATM to get a couple of hundred dollars would be too much effort, too high risk, and too little return. More likely, the PIN would be used to obtain larger sums of cash via other methods - calling in a bank transfer or something to that effect.

While on the surface it seems unlikely that somebody would go through the hassle, if one gained access to the ATM network, and had means to unencrypt the traffic at least in part, there is a great deal more potential for crime than simply obtaining an ATM PIN number.

Banks shouldn't be reliant on security at the switches either - all it takes is one bad employee to reduce the effectiveness of on site security to nothing, and I imagine with the pay rates they are kicking out, there are more than a few employees vulnerable to trouble of one sort or another.

Re:The reality of this is...

[Chosen+Reject]

I used to be a teller in a bank a few years ago. It is a very transitory position. I was there for nearly two years and there were few who had been there longer than I and many who had come and gone. Give it some time and people at the bank won't know who you are.

Having said that, I hope that even if they do know who you are, that they ask to see ID every time, like my teller colleagues and I did. A lot of people have this silly notion that the only time we ask for ID is if the person in front of us is not the person on the account. For some reason they didn't understand that we had no way of knowing that until we had seen ID. When we asked we actually had idiots say "Why? I'm the owner of the account," as if we would turn red in the face and say "Of course you are. How silly of me to ask. Certainly a criminal would have provided us with ID without being asked."

But if tellers ever get to the point that store clerks do (and I suspect many have) then any old schmoe will be able to take money out of your account. I can't tell you how many times I've had cashiers ring up a sale without ever even looking at either my ID or my signature on the back of the credit card. I've had times where I offered and was refused, as if they didn't want to have anything to do with security checks of any variety as that might bring upon them responsibility or something. I'm not talking about small purchases here either.

So my point is, if bank tellers get to the point of laziness as most cashiers, you're money isn't safe in the bank whether or not you have an ATM card. The best you can do is keep an eye on it and report anything as soon as it happens.

Re:New Title to Earn?

[__aaclcg7560]

No, I think that person becomes a "PIN cushion". :P

Re:So just use it as a credit card?

[Intron]

If you pay your balance off every month, you are also getting an interest-free loan for up to about 45 days.

Re:The reality of this is...

[Sillygates]

The ATM machines should directly encrypt the card info with the issuing bank's public key(or at least with the single operators public key, and then only get re-encrypted once, by that trusted machine)....that way the men in the middle/other banks along the way do not have the ability to see the transaction info

Re:The reality of this is...

[Takumi2501]

Exactly my thinking.

When I read the article, I couldn't believe that anyone would even consider building a "secure" system where third-party machines have to decrypt and re-encrypt such sensitive data... or any encrypted data for that matter... that's why it's encrypted in the first place.

What did they hope to accomplish by doing this?

Re:ok mr. paranoid

[bridson]

Actually I'd hope it because she is honest.