Slashdot Mirror


Subverting PIN Encryption For Bank Cards

An anonymous reader sends in a story at Wired about the increasingly popular methods criminals are using to bypass PIN encryption and rack up millions of dollars in fraudulent withdrawals. Quoting: "According to the payment-card industry ... standards for credit card transaction security, [PINs] are supposed to be encrypted in transit, which should theoretically protect them if someone intercepts the data. The problem, however, is that a PIN must pass through multiple HSMs across multiple bank networks en route to the customer's bank. These HSMs are configured and managed differently, some by contractors not directly related to the bank. At every switching point, the PIN must be decrypted, then re-encrypted with the proper key for the next leg in its journey, which is itself encrypted under a master key that is generally stored in the module or in the module's application programming interface, or API. 'Essentially, the thief tricks the HSM into providing the encryption key,' says Sartin. 'This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device.'"

4 of 182 comments (clear)

  1. Old becomes new by emocomputerjock · · Score: 5, Interesting

    It's long been known that the PCI standards are nowhere near complex or secure enough to be trusted with protecting your data. Heck, they're just getting around to mandating encryption (128 bit, so as not to punish the early adopters of encryption technology). We moved too quickly to offer services without bothering to make sure we had the security in place to protect end users, and the criminal underground moves very quickly to exploit openings.

  2. Re:Wow by raddan · · Score: 5, Interesting

    I think part of the problem is that ATM machines have, in the past, not used IP networks, because there was always a need to lay down a line (or a modem) that would connect to the financial network. Many financial networks predate the Internet, and many of them have stricter requirements than typical IP traffic (like QoS), and so, in many cases, you see other kinds of network architectures (like X.25). Given those conditions, strong encryption did not always make sense.

    Now, there's nothing stopping you from using a higher-level protocol like SSL with other network architectures, but ATMs already have their own security mechanisms that predate SSL by a long shot, and the use of SSL, at least culturally, is tied pretty closely with TCP/IP. What surprises me, though, is that the HSMs must decrypt a message at every interchange, and re-encrypt it. I'm sure financial networks were around before asymmetric encryption was widely known or used, but they've had a long time to do this the right way now. The fact that these networks are still vulnerable to MITM attacks is pretty shocking.

    Anyway, I don't know a whole lot about financial networks. Anyone care to fill us in?

  3. Curious by neokushan · · Score: 5, Interesting

    Strangely enough, about 2 weeks ago I got a call from my bank saying they had noticed some "odd" transactions on my debit card (which is a chip and pin deal).
    Very small amounts of money, somewhere between £1.40 and £1.70 had been transferred from my account to various accounts in America, via this card. The strange thing was that this was a brand new card, I had to get my old card replaced just after christmas as an unfortunate wallet incident had cracked the old one in half.
    Between January and March, I had bought nearly nothing with the card, certainly nothing out of the ordinary and until now, I was slightly perplexed as to how my card could have been compromised.
    I'm glad my bank were on the ball, I've only lost somewhere around £4, which is lucky considering I had a few hundred pounds in my account at the time.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  4. Don't enter your PIN by Authoritative+Douche · · Score: 5, Interesting

    I never use the Debit Option when using my bank card in a transaction. I always choose credit for two reasons: A) When you use credit, the store pays the transaction fee, if any. I don't know if it's true anymore but last I checked, using a debit card and entering a PIN resulted in a small fee charged to the customer for the transaction. B) The purchase and fraud protections granted by Visa (even on check cards) are reduced or even disappear when you use the Debit option and enter your PIN. If you don't transmit the PIN, you don't need to worry about a MITM decrypting it.