Blog Cinangka

How to hack a Bank card’s PIN easily

Posted by Taufiq Rohman Friday, October 21, 2011
Share this Article on :

As Germany’s famous technology website heise online conveys today, two security experts named Omer Berkmann and Odelia Moshe Ostrovsky of the “School of Computer Science” in Tel Aviv have published a couple of attack scenarios against Bank Card PINs (ATM PINs) which require only only two guesses for a successful hack of the PIN of a certain account.


Abstract. We describe new attacks on the financial PIN processing
API. The attacks apply to switches as well as to verification facilities.
The attacks are extremely severe allowing an attacker to expose customer
PINs by executing only one or two API calls per exposed PIN. One of
the attacks uses only the translate function which is a required function
in every switch. The other attacks abuse functions that are used to allow
customers to select their PINs online. Some of the attacks can be applied
on a switch even though the attacked functions require issuer’s keys
which do not exist on a switch. This is particularly disturbing as it was
widely believed that functions requiring issuer’s keys cannot do any harm
if the respective keys are unavailable.

The problem with these attacks is the fact that this just requires access to (or an insider inside of) one of the forwarding switches between the bank terminal used and the data center of the issuing bank. As Bruce Schneier names it in his blog, this renders the complete PIN authentication process as weak/insecure as the least trusted element in this chain. He continues


Instead of just having to trust your own issuer bank that they have good security against insider fraud, you have to trust every other financial institution on the network as well. An insider at another bank can crack your ATM PIN if you withdraw money from any of the other bank’s ATMs.

The reason for this security hole in the process can be found in the distance between bank terminal and bank data center, especially if you access your bank account from out of a foreign country. This involves so-called Switches, other data centers, which decrypt and re-encrypt the submitted data packets with the help of so-called Hardware Security Modules. If an employee of these Switches is corrupt and has access to these HSMs he can easily hack the PIN, just by using some API methods of the Financial PIN Processing API.

The problem is severe in that way that you as a customer have been able to recognize a manipulated terminal easily, but these attacks do not require any hardware modifications to a bank terminal, so you can no longer recognize whether there is some bad guy waiting for a Man in the Middle attack to duplicate your bank card including your PIN. For this reason Berkmann and Ostrovsky didn’t want to disclose their findings, but due to a lack of response of the international banks they contacted they did not see any chance other than disclosing these severe security issues.

Related Post:

Post a Comment