PIN transmission at automated tellers less safe than expected
Security experts Omer Berkman and Odelia Moshe Ostrovsky from the School of Computer Science in Tel Aviv have jointly published attack scenarios in which only two attempts would be needed to correctly guess the PIN for a bank account. The problem affects switching stations between the bank terminal and the bank's corporate computing centre. Employees of the switching station could steal the PINs and undertake transactions. The threat is particularly high for cash withdrawals in far-away countries.
International banking commerce uses a Financial PIN Processing API internally for transactions like withdrawals at automated tellers. Among other operations, the API includes functions for secure data transfer between distant ATMs and PIN verification locations – typically the bank's computing centre. Several of those functions, such as those that reformat incoming encrypted PINs into another encrypted format for the next switch, actually open up security holes.
Because the distance between automated tellers and a bank's computing centre is often great, the data is generally transmitted through interim stations called switches. While the security requirements for automated tellers and banking computing centres are quite high, they are often much more lax at these switches. Criminally inclined employees at those switches with access to what are known as Hardware Security Modules could intercept encrypted PIN transmissions and, using the API functions available to them, quite easily spy on the account number and PIN, or even set up a new PIN to be valid going forward. Some attacks can also be executed through functions that actually require the automated teller's key, although this key is not available to the switch at all.
The two security experts from Israel report trying to contact several banks and credit card providers about the issue, without success. They are therefore publishing their results to warn the public. Cryptography guru Bruce Schneier voices agreement with them in his blog: "One of the most disturbing aspects of the attack is that you're only as secure as the most untrusted bank on the network."
Prior attempts at ATM fraud often involved a rigged cashpoint with some sort of attachment in front of the card slot; in many cases even lay users can recognise such ruses. A manipulated card reader at a petrol station or an adapter plug between the bank terminal and telephone jack could potentially raise suspicions. For customers at automated tellers, however, this new kind of attack is frightening precisely because there's nothing out of the ordinary to set off red warning lights.
- The Unbearable Lightness of PIN Cracking, essay by Omer Berkman and Odelia Moshe Ostrovsky
- Attacking Bank-Card PINs, blog entry by Bruce Schneier