Two Cambridge University researchers have discovered a new attack on the hardware security modules employed by banks that makes it possible to retrieve customers cash machine PINs in an average of 15 tries.
The attack takes advantage of a weakness in the cryptographic model used by many HSMs to encrypt, store and retrieve PINs. The system, used by some older ATMs, reads the customers account number that is encoded on the magnetic strip of the ATM card. The software then encrypts the account number using a secret Data Encryption Standard key. The ciphertext of the account number is then converted to hexadecimal format, and the first four digits of it are retained.
Those digits are then put through a decimalization table, which converts them to a format thats usable on the ATM keypad. By manipulating the contents of this table, its possible for an attacker to learn progressively more about the PIN with each guess. Using various schemes described in the paper, a knowledgeable attacker could discover as many as 7,000 PINs in a half-hour, the authors say.
The paper, written by Mike Bond and Piotr Zielinski, goes on to say that typical security countermeasures such as intrusion detection systems are all but useless against this attack. Many banks have systems in place that prevent users from trying another PIN once theyve failed three times in a row. These failures generate alerts within the bank.
But, as the authors point out, an internal attacker “can discover a PIN without raising the alarm by inserting the attack transactions just before genuine transactions from the customer which will reset the count.”
The researchers paper has drawn quite a bit of attention and is now part of a controversial court case in the United Kingdom concerning so-called phantom withdrawals from ATMs. The case concerns a South African couple who claim that someone used their Diners Club card to make 190 withdrawals at ATMs all over the United Kingdom while they were in South Africa. The cards issuer said thats not possible because its ATM network is secure and is suing the couple to recover the nearly $80,000 that was charged against the card. The couple has refused to pay, according to court documents filed in the case.
As part of the defense, Bond has been asked to testify about the ATM-related weaknesses he and Zielinski address in their paper. However, plaintiff Diners Club S.A. Ltd. has asked for a secrecy order around the testimony of Bond and other security experts, saying that publication of the ATM issues described in the paper would harm its business and open its networks up to attack.
Ross Anderson, a well-known and highly regarded security expert and Bonds research adviser at Cambridge University, wrote a letter to the judge handling the case, asking him to deny Diners Clubs request. Anderson argues that Bond and Zielinskis paper—as well as a related one Anderson and Bond wrote last fall—are based on information in the public domain and that the order would interfere with research and teaching and, in the end, make worldwide banking networks less secure.
“In addition to being published material, derived from open sources, and of crucial importance to the defendants case, the vulnerabilities are likely to be crucially important in other cases brought in the U.K. and elsewhere over disputed ATM transactions,” Anderson wrote in his letter.