We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures. By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess. It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. In a single 30 minute lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw $30{50 thousand of this each day. This attack thus presents a serious threat to bank security.
http://cryptome.org/pacc.htm
Thursday, February 20, 2003
Popular Posts
-
I've learned a great many things over the past month... "friends" at work are not neccessarily friends, people you thought wer...
-
Brad Dalton is the first to admit his theory is far-fetched: that bacteria could account for odd light emissions, as well as the reddish hue...
-
Lots of funny stuff today. Tim, check this one. http://www.penny-arcade.com/view.php3
-
Some interesting tidbits about Lynchs Mulholland Drive , as well as David Bowies next movie apperance. http://www.crowdsurfer.com/index.php3...
-
We see it doing its thing, starting to fight against ordinary gravity, Adam Riess of the Space Telescope Science Institute said about the ...
-
Let me make this clear. This is a long book. Weighing in at just under one thousand pages and probably a pound and a half this book takes ...
-
Looks like a sweet FPS for Linux... and it's team based like Counter Strike. If it's good, Hiyat's going to kill me. It took...
-
Now ideas for advances in data routing are beginning to emerge from a surprisingly simple model: the ant.Indeed, applying the study of ants ...
-
I'm always fascinated by ways to get stuff done, particularly at work. It's changed quite a bit since I've been in my current r...