Slashdot Mirror


Subverting PIN Encryption For Bank Cards

An anonymous reader sends in a story at Wired about the increasingly popular methods criminals are using to bypass PIN encryption and rack up millions of dollars in fraudulent withdrawals. Quoting: "According to the payment-card industry ... standards for credit card transaction security, [PINs] are supposed to be encrypted in transit, which should theoretically protect them if someone intercepts the data. The problem, however, is that a PIN must pass through multiple HSMs across multiple bank networks en route to the customer's bank. These HSMs are configured and managed differently, some by contractors not directly related to the bank. At every switching point, the PIN must be decrypted, then re-encrypted with the proper key for the next leg in its journey, which is itself encrypted under a master key that is generally stored in the module or in the module's application programming interface, or API. 'Essentially, the thief tricks the HSM into providing the encryption key,' says Sartin. 'This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device.'"

6 of 182 comments

  1. Wow by Sir_Lewk · · Score: 4, Informative

    Seriously? This is just incredibly stupid.

    What ever happened to accessing the routing information but leaving the data encrypted? SSL really is not that complicated of a concept.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    1. Re:Wow by Hatta · · Score: 4, Informative

      Are you really surprised? If someone wants to drain your bank account, they don't even need to break any encryption; all the information they need is written on your checks. They don't even need to forge a signature.

      If banks were liable for fraud committed with the systems they designed, they'd design more fraud-tolerant systems.

      --
      Give me Classic Slashdot or give me death!
    2. Re:Wow by ToasterMonkey · · Score: 3, Informative

      It doesn't have to do with routing, it's because each point to point connection uses a symmetric encryption key, shared in advance. That's what this boils down to, using symmetric key encryption, and needing to make several hops to the destination, instead of using PKI where you could easily share all keys with everyone and encrypt once. How else would you move encrypted data through a network with symmetric keys? You can't have every single issuer and acquirer exchanging symmetric keys with each other, it would be unwieldy. HSMs protect the keys at all times, and procedures are built around key management to ensure no one person can have all key components. The system is actually pretty sophisticated, and suggesting it could just be replaced with SSL is laughable. There's a lot more to it, especially the whole issue of how to manage trust if such a system were to go PKI. PKI only works if you're absolutely SURE you have the real public key, and this is not typically a problem when you're physically exchanging symmetric key components with the switches.
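
The hop-by-hop translation described in the story and in the comment above, as an added example that is not part of the original thread: an ISO 9564 format 0 PIN block is encrypted at the ATM, and each switching point's HSM decrypts it under the inbound zone key and re-encrypts it under the outbound one. The PAN, PIN, zone keys and the HMAC-based Feistel cipher (a stdlib-only stand-in for the TDES/AES a real HSM uses) are all constructed for the demo.

```python
import hashlib
import hmac

def _cipher(key, block, decrypt=False):
    """Stand-in 64-bit block cipher: 8-round Feistel keyed with HMAC-SHA256.
    An assumption for the demo; real zone encryption is TDES/AES inside the HSM."""
    left, right = block[:4], block[4:]
    for r in (range(7, -1, -1) if decrypt else range(8)):
        src = left if decrypt else right
        f = hmac.new(key, bytes([r]) + src, hashlib.sha256).digest()[:4]
        if decrypt:
            left, right = _xor(right, f), left
        else:
            left, right = right, _xor(left, f)
    return left + right

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _pan_field(pan):
    # "0000" + the 12 rightmost PAN digits, excluding the check digit
    return bytes.fromhex("0000" + pan[:-1][-12:])

def pin_block_iso0(pin, pan):
    # PIN field: control nibble 0, PIN length, PIN digits, padded with F
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return _xor(pin_field, _pan_field(pan))

def pin_from_iso0(block, pan):
    field = _xor(block, _pan_field(pan)).hex().upper()
    return field[2:2 + int(field[1], 16)]

def hsm_translate(block_in, key_in, key_out):
    """One switching point: the clear PIN block exists only inside this call,
    which is why the HSM's configuration and exposed functions matter so much."""
    clear = _cipher(key_in, block_in, decrypt=True)
    return _cipher(key_out, clear)

def route(pin, pan, zone_keys):
    """Return the ciphertext carried on each leg, one zone key per leg."""
    legs = [_cipher(zone_keys[0], pin_block_iso0(pin, pan))]
    for k_in, k_out in zip(zone_keys, zone_keys[1:]):
        legs.append(hsm_translate(legs[-1], k_in, k_out))
    return legs

def issuer_recover(block, key, pan):
    return pin_from_iso0(_cipher(key, block, decrypt=True), pan)

# Constructed sample values: ATM -> acquirer -> switch -> issuer
PAN, PIN = "4000001234567899", "4929"
ZONE_KEYS = [hashlib.sha256(n).digest() for n in (b"atm-acq", b"acq-switch", b"switch-issuer")]
LEGS = route(PIN, PAN, ZONE_KEYS)
```

Each party holds only the keys for its own neighbours, and the ciphertext differs on every leg even though the PIN and PAN never change.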

  2. Solvable by TheCarp · · Score: 4, Informative

    Seems that we have encryption/signing protocols that don't require decryption for all operations... seems we also have public key encryption....

    We already have onion routing... where we have end to end and point to point encryption in layers....

    Seems the bankers should take a look at other technologies and consider some updates in how they handle it.

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  3. Re:So this is what my $2.00 buys me? by Anonymous Coward · · Score: 5, Informative

    That's not free money. ATMs cost upwards of $30k (for a Diebold Opteva) - then there is circuit cost, depreciation, loading money in the machines (that doesn't earn interest in the financial institution's overnight account), supplies, maintenance, etc. Unless you're in a high traffic or tourist area, making a couple $100 in PROFIT after all expenses on an ATM is good.

    Mostly they lose money. It's a cost-center.

    Speaking (as AC) as someone who has 12+ years experience in financial institution back-office operations and data processing.

  4. Not in my experience by FadedTimes · · Score: 4, Informative

    I work for an Electronic Payments/ATM/Point of Sale/Card Issuer company. If the PIN is in the clear after being decrypted at the bank/card issuer then that is the bank/card issuer's issue and not the payment industry's fault. The bank/card issuer needs to look at their software vendor who is not secure, as the PIN should never be in the clear. If the HSM device is giving up the key, then that HSM vendor is not secure. How is the hacker getting access to even interact with the HSM device? These are usually held in a secure environment network and physical access. If the HSM device is not in a secure area then someone has to be responsible for overlooking this. These HSM devices are set to self destruct if tampered with. The article calls for a radical change to the payment industry, but all these issues can be resolved with regulation and I believe these rules are already in place. The PCI auditors should be catching these items.