Slashdot Mirror


Subverting PIN Encryption For Bank Cards

An anonymous reader sends in a story at Wired about the increasingly popular methods criminals are using to bypass PIN encryption and rack up millions of dollars in fraudulent withdrawals. Quoting: "According to the payment-card industry ... standards for credit card transaction security, [PINs] are supposed to be encrypted in transit, which should theoretically protect them if someone intercepts the data. The problem, however, is that a PIN must pass through multiple HSMs across multiple bank networks en route to the customer's bank. These HSMs are configured and managed differently, some by contractors not directly related to the bank. At every switching point, the PIN must be decrypted, then re-encrypted with the proper key for the next leg in its journey, which is itself encrypted under a master key that is generally stored in the module or in the module's application programming interface, or API. 'Essentially, the thief tricks the HSM into providing the encryption key,' says Sartin. 'This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device.'"
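A simplified model of the switching point the summary describes, added here as an illustration and not code from the Wired article or from any HSM vendor: it builds an ISO 9564 format 0 PIN block, translates it between two zone keys inside a model HSM whose zone keys leave the module only wrapped under its master key, and shows a translate-only command profile that refuses to hand any key back in the clear. The `_xor_cipher` stand-in, the `SwitchHsm` class, its command names and the sample PAN are all constructed for this example.

```python
import hashlib
import hmac
import os

def iso0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0 PIN block: length-prefixed, F-padded PIN field XOR PAN field."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[-13:-1].rjust(12, "0"))  # 12 PAN digits, check digit dropped
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))
def _xor_cipher(key: bytes, data: bytes) -> bytes:
    # Constructed stand-in for the HSM's 3DES/AES so the model runs on the standard library alone:
    # XOR with an HMAC-derived keystream. Symmetric (one call encrypts and decrypts); not secure.
    stream = hmac.new(key, b"zone-key-stream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))
class SwitchHsm:
    # Zone PIN keys exist outside the module only wrapped under its local master key (LMK).
    def __init__(self, enabled_commands: frozenset):
        self._lmk = os.urandom(32)
        self.enabled = enabled_commands  # command profile: the configuration the article blames

    def import_zone_key(self, clear_key: bytes) -> bytes:
        return _xor_cipher(self._lmk, clear_key)  # handed back wrapped; the clear key is not kept

    def translate(self, wrapped_in: bytes, wrapped_out: bytes, enc_block: bytes) -> bytes:
        """Decrypt under the inbound zone key, re-encrypt under the outbound one, inside the HSM."""
        if "translate" not in self.enabled:
            raise PermissionError("translate disabled by configuration")
        clear_block = _xor_cipher(_xor_cipher(self._lmk, wrapped_in), enc_block)
        return _xor_cipher(_xor_cipher(self._lmk, wrapped_out), clear_block)

    def export_clear_key(self, wrapped: bytes) -> bytes:
        if "export_clear_key" not in self.enabled:
            raise PermissionError("export_clear_key disabled by configuration")
        return _xor_cipher(self._lmk, wrapped)

HARDENED = frozenset({"translate"})  # a switch needs translation only; clear-key export stays off
def route_pin(pin: str, pan: str, profile: frozenset = HARDENED) -> dict:
    """Acquirer encrypts under zone key A, the switch translates to zone key B, the issuer decrypts."""
    zk_a, zk_b = os.urandom(32), os.urandom(32)  # keys shared with the neighbouring networks
    switch = SwitchHsm(profile)
    wrapped_a, wrapped_b = switch.import_zone_key(zk_a), switch.import_zone_key(zk_b)
    enc_a = _xor_cipher(zk_a, iso0_pin_block(pin, pan))  # acquirer side
    enc_b = switch.translate(wrapped_a, wrapped_b, enc_a)  # switch: the clear block never leaves
    try:
        switch.export_clear_key(wrapped_a)
        exportable = True
    except PermissionError:
        exportable = False
    return {"issuer_block": _xor_cipher(zk_b, enc_b), "key_exportable": exportable}
```

Running `route_pin` with the default profile returns the same PIN block the acquirer built, now under zone key B, and reports that the clear-key export was refused; passing a profile that also enables `export_clear_key` reproduces the broad configuration the article warns about.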

5 of 182 comments

  1. which PIN? by Anonymous Coward · · Score: 1, Funny

    Are they talking about my PIN number for the ATM machine? I guess I should go RTFA article now.

  2. Re:Why I Hate Debit Cards by Anonymous Coward · · Score: 5, Funny

    Personally I insist on paying in cold, hard, gold. I'll also only accept payment in gold, silver, or a promissory note signed personally by a gentleman in good standing. I know some people who insist on bartering for goods and services, but they really should come into the 19th century as we have!

  3. Re:So this is what my $2.00 buys me? by emocomputerjock · · Score: 5, Funny

    That's not "free money", that's a Chief Scamming Officer's bonus.

  4. Re:Doesn't a PIN Require the Physical Card? by rackserverdeals · · Score: 2, Funny

    Obvious things like 1-2-3-4 are not allowed.

    That's the combination to my luggage!

    And that's my computer account password too! That's surprisin #@&%*! NO CARRIER

    That's my slashdot password.

    --
    Dual Opteron < $600

  5. Re:Doesn't a PIN Require the Physical Card? by rackserverdeals · · Score: 5, Funny

    Obvious things like 1-2-3-4 are not allowed.

    That's the combination to my luggage!

    And that's my computer account password too! That's surprisin #@&%*! NO CARRIER

    That's my slashdot password.

    Wow. He wasn't joking.

    --
    Dual Opteron < $600