We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures. By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess. It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. In a single 30 minute lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw $30–50 thousand of this each day. This attack thus presents a serious threat to bank security.
http://cryptome.org/pacc.htm
Thursday, February 20, 2003
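
A defensive check that follows from the abstract, as an added example that is not from the paper or the original post: the technique depends on the caller varying the decimalisation table between PIN verification requests, so an audit of HSM command logs can flag any table outside the approved set and any account verified under more than one table. The log format, field names, command names and the `APPROVED_TABLES` allowlist are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: one fixed table is approved by policy (here the common
# hex-to-decimal mapping, digits 0-9 followed by 0-5).
APPROVED_TABLES = {"0123456789012345"}

# Constructed sample audit lines: timestamp, caller, command, key=value fields.
SAMPLE_LOG = """\
2003-02-20T12:00:01 term-17 VERIFY_PIN acct=1001 dectab=0123456789012345
2003-02-20T12:00:05 term-17 VERIFY_PIN acct=1002 dectab=0123456789012345
2003-02-20T12:01:10 host-b VERIFY_PIN acct=2001 dectab=0123456789012344
2003-02-20T12:01:11 host-b VERIFY_PIN acct=2001 dectab=1123456789012345
2003-02-20T12:01:12 host-b VERIFY_PIN acct=2001 dectab=01234567890123
2003-02-20T12:01:13 host-b GEN_KEY acct=2001
"""

def parse(line):
    """Split one audit line into a dict of its fields."""
    ts, caller, cmd, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": ts, "caller": caller, "cmd": cmd, **fields}

def well_formed(table):
    """A decimalisation table maps 16 hex digits to 16 decimal digits."""
    return len(table) == 16 and all(c in "0123456789" for c in table)

def audit(log_text, approved=APPROVED_TABLES):
    """Return findings for PIN verifications that use unexpected tables."""
    findings = []
    tables_seen = defaultdict(set)  # (caller, account) -> tables used
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev["cmd"] != "VERIFY_PIN":
            continue
        table = ev.get("dectab", "")
        key = (ev["caller"], ev["acct"])
        tables_seen[key].add(table)
        if not well_formed(table):
            findings.append(("MALFORMED_TABLE", ev["ts"], *key))
        elif table not in approved:
            findings.append(("UNAPPROVED_TABLE", ev["ts"], *key))
    # A caller changing tables for one account is the adaptive pattern.
    for key, tables in sorted(tables_seen.items()):
        if len(tables) > 1:
            findings.append(("TABLE_VARIED", len(tables), *key))
    return findings
```

Logging only detects the pattern after the fact; having the HSM itself reject any table outside the approved set closes the input the technique relies on.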