themultichannelretailer.com

Israeli Researchers Warn of PIN Security Flaws

Thursday January 1 1970

Two Israeli IT security experts claim to have identified an ATM security flaw which could allow corrupt bank employees to steal bank card PINs.

The researchers, Omer Berkman and Odelia Moshe Ostrovsky, say they have identified a vulnerability in the method by which PINs are encrypted and transmitted across international banking networks by ATM switches. In a white paper, "The Unbearable Lightness of PIN Cracking," Berkman and Ostrovsky explain how they believe ATM processing systems used by banks are open to exploitation by fraudsters.

Ostrovsky is an academic in the Computer Science Department of Tel Aviv University and also works for Israeli cryptography firm Algorithmic Research Ltd. Berkman is based at the Academic College of Tel Aviv Yaffo's School of Computer Science.

In the white paper, Ostrovsky and Berkman describe two types of attack that could exploit the vulnerability they have identified. The first targets the 'translate' function in ATM switches, while the second takes advantage of functions that allow bank customers to choose a new PIN online at an ATM.

In either type of attack, the vulnerability allows fraudsters to steal customers' PINs once the four-digit codes have been entered at an ATM. However, the corrupt employee must have access to the online PIN verification facility or switching processes, the researchers say.

"A bank insider could use an existing Hardware Security Module to reveal the encrypted PINs and exploit them to make fraudulent transactions, or to fabricate cards whose PINs are different from the legitimate cards' PINs, and yet all of the cards will be valid at the same time," Ostrovsky says in a statement issued by Algorithmic Research. "Even worse, an insider working for a third-party switching provider could attack a bank outside of his or her territory or even in another continent."

"The most disturbing thing right now is that the banks and card issuers won't even publicly comment on this important piece of research," Avivah Litan, a financial security expert with U.S. consultancy Gartner Group, tells epaynews. "Without a counter opinion from the banks, the research appears even more credible and it appears that there are no counter-measures in place to negate the vulnerabilities uncovered by the researchers."


This article was published by http://www.themultichannelretailer.com
All contents copyright © 2010 themultichannelretailer.com. All rights reserved.
