Thursday, February 20, 2003

Phantom Debit Withdrawls

We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures. By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess. It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. In a single 30 minute lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw $30{50 thousand of this each day. This attack thus presents a serious threat to bank security.
http://cryptome.org/pacc.htm
Posted by at
Labels: ,

Popular Posts

  • Contact Addresses Regarding FTAA
    ...These measures, based on the US Digital Millennium Copyright Act (DMCA) give far too much power to publishers, at the expense of individu...
  • Japanese Dragon Mythology Lives On
    The concept of dragons was probably brought to Japan around 2,000 years ago, along with the technology for paddy agriculture. Their images h...
  • Got A Wii
        Finally went out and picked up a Nintendo Wii. My god the thing is fun. Ridiculously, ludicrously fun. Hiyat and I had to tear ourselves...
  • Satori?
    Here's my (edited) journal entry for this event dated 12/01/98: Wow. I just sessioned and started reading "The Tao of Physics...
  • Optical Cryptography
    His system, he said, starts with a laser that sends part of its beam into photo detectors which produce electrical signal that feed back to ...
  • Canada, Mexico Discuss Problem Neighbour
    The challenge of having the United States as a neighbour was one of the topics discussed Tuesday during a meeting with Mexican President Vic...
  • Your new IT budget: $10
    Someone that gets it. Service-oriented software, when done correctly in a platform-agnostic way can be flexible, cheap, and can motivate m...
  • More Terror Attacks to Come
    ...why was this given the file name of skyfall?... Certain information, while not specific as to target, gives the government reason to beli...
  • Putting In A Wireless Network
    When it comes to buying equipment, think g, not b. New 802.11g hardware is nearly five times faster than 802.11b gear, and it will interoper...
  • The Epic Of Gilgamesh
    This edition provides a prose rendering of The Epic of Gilgamesh, the cycle of poems preserved on clay tablets surviving from ancient Mesopo...

Like us on Facebook