We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures. By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess. It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. In a single 30 minute lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw $30-50 thousand of this each day. This attack thus presents a serious threat to bank security.
http://cryptome.org/pacc.htm
Thursday, February 20, 2003
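As an added example (not code from the paper or from this blog), here is a toy Python model of the IBM 3624-style PIN verification the abstract is about. It shows why an HSM that accepts a caller-supplied decimalisation table turns each verify call into a one-bit oracle about the PIN, and a hardened verifier that only honours the fixed standard table. The encrypted-PAN block, offsets and PINs are constructed values; the real encryption step is replaced by a constant so the model runs offline.

```python
# Toy model of IBM-3624-style PIN verification with a decimalisation table.
# Added example, not the paper's code. The 3DES step is replaced by a
# constructed hex block so no key material is needed.

STANDARD_DECTAB = "0123456789012345"   # hex digit i -> STANDARD_DECTAB[i]
ALL_ZERO_DECTAB = "0" * 16


def decimalise(hex_block: str, dectab: str) -> str:
    """Map each hex digit of hex_block through the 16-entry table."""
    if len(dectab) != 16 or not all(c.isdigit() for c in dectab):
        raise ValueError("decimalisation table must be 16 decimal digits")
    return "".join(dectab[int(h, 16)] for h in hex_block)


def verify_pin(enc_pan: str, offset: str, dectab: str, trial_pin: str) -> bool:
    """Model of the HSM verify call with an unrestricted table.

    enc_pan stands in for the first 4 hex digits of the PAN encrypted under
    the PIN-derivation key; here it is a constructed constant. The customer
    PIN is decimalise(enc_pan) plus the offset, digit-wise mod 10.
    """
    natural = decimalise(enc_pan[:4], dectab)
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))
    return expected == trial_pin


def hex_digit_present(enc_pan: str, hexdigit: int) -> bool:
    """The leak in one call: under an all-zero table the trial PIN 0000 always
    verifies; setting entry `hexdigit` to 1 makes it fail exactly when that
    hex digit occurs in enc_pan. Every call therefore answers a yes/no
    question about the PIN's digits, which is what the abstract exploits."""
    table = list(ALL_ZERO_DECTAB)
    table[hexdigit] = "1"
    return not verify_pin(enc_pan, "0000", "".join(table), "0000")


def verify_pin_hardened(enc_pan: str, offset: str, dectab: str, trial_pin: str) -> bool:
    """Mitigation: accept only the fixed standard table, so the verify call
    can no longer be steered into answering questions about the PIN."""
    if dectab != STANDARD_DECTAB:
        raise PermissionError("non-standard decimalisation table rejected")
    return verify_pin(enc_pan, offset, STANDARD_DECTAB, trial_pin)


# Constructed sample "encrypted PAN" block; natural PIN under the standard
# table is 3075 (3->3, A->0, 7->7, F->5).
SAMPLE_ENC_PAN = "3A7F"
```

Calling `hex_digit_present(SAMPLE_ENC_PAN, d)` for d in 0..15 reports exactly the hex digits 3, 7, A and F, each from a single verify call; the hardened verifier raises on every such probe and only answers a plain PIN check under the standard table.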