We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures. By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess. It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. In a single 30 minute lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw $30{50 thousand of this each day. This attack thus presents a serious threat to bank security.
http://cryptome.org/pacc.htm
Thursday, February 20, 2003
Popular Posts
-
Some good stuff from a Canadian futurist: - The rising power of the knowledge worker - Continuous training replaces job security; respect is...
-
Very dry, dull book with some basic financial info like ROI and cash flow. Not a lot here.
-
I had the pleasure to attend the IBM Think conference in wet and chilly San Fran from Feb 11-14th of this year. The event overall was ...
-
It's been almost exaclty three years since I've updated this blog. In that three years, I've achieved a lot -- I've gone aft...
-
Not a bad audio book, but I expected more. Big ideas: Build a high performance, high-trust culture; Identify desired results and un...
-
Nother confirmation Of einstein... the first images of light escaping a black hole show that they lose energy. In this case, it was a superm...
-
Here's my (edited) journal entry for this event dated 12/01/98: Wow. I just sessioned and started reading "The Tao of Physics...
-
Brad Dalton is the first to admit his theory is far-fetched: that bacteria could account for odd light emissions, as well as the reddish hue...
-
Increasingly, the overstretched and overburdened have a new answer to work lives of gunning harder for what seems like less and less: Dont j...
-
I'm sure someone else has written the rules of business out in terms of the Bushido, but here's my take: Truthfulness You must speak...