Subverting PIN Encryption For Bank Cards

An anonymous reader sends in a story at Wired about the increasingly popular methods criminals are using to bypass PIN encryption and rack up millions of dollars in fraudulent withdrawals. Quoting: "According to the payment-card industry ... standards for credit card transaction security, [PINs] are supposed to be encrypted in transit, which should theoretically protect them if someone intercepts the data. The problem, however, is that a PIN must pass through multiple HSMs across multiple bank networks en route to the customer's bank. These HSMs are configured and managed differently, some by contractors not directly related to the bank. At every switching point, the PIN must be decrypted, then re-encrypted with the proper key for the next leg in its journey, which is itself encrypted under a master key that is generally stored in the module or in the module's application programming interface, or API. 'Essentially, the thief tricks the HSM into providing the encryption key,' says Sartin. 'This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device.'"

Re:Doesn't a PIN Require the Physical Card?

[piripiri]

Obvious things like 1-2-3-4 are not allowed.

That's the combination to my luggage!

And that's my computer account password too! That's surprisin #@&%*! NO CARRIER

and ATM fees are for what?

[psydeshow]

What makes this even more egregious is that these are exactly the same transactions that we now routinely pay up to $3 for.

In other words, if you're not a customer of the bank which owns the ATM you are using, you're getting ripped off *and* exposing your PIN to man-in-the-middle attacks. And let's not forget that your $3 also buys you up to $50 of liability for any theft against your account.

Bankers are more evil than spammers.