MemeStreams | MemeStreams Discussion

Create an Account

This page contains all of the posts and discussion on MemeStreams referencing the following web page: Verizon: Cracking PINs for Fun and Profit. You can find discussions on MemeStreams as you surf the web, even if you aren't a MemeStreams member, using the Threads Bookmarklet.

Verizon: Cracking PINs for Fun and Profit
by Acidus at 2:36 pm EDT, Apr 15, 2009

"We're seeing entirely new attacks that a year ago were thought to be only academically possible," says Sartin. Verizon Business released a report Wednesday that examines trends in security breaches. "What we see now is people going right to the source ... and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks."
Information about the theft of encrypted PINs first surfaced in an indictment last year against 11 alleged hackers accused of stealing some 40 million debit and credit card details from TJ Maxx and other U.S. retail networks. The affidavit, which accused Albert "Cumbajohnny" Gonzalez of leading the carding ring, indicated that the thieves had stolen "PIN blocks associated with millions of debit cards" and obtained "technical assistance from criminal associates in decrypting encrypted PIN numbers."
But until now, no one had confirmed that thieves were actively cracking PIN encryption.

... shit.

Information about how to conduct attacks on encrypted PINs isn't new and has been surfacing in academic research for several years. In the first paper, in 2003, a researcher at Cambridge University published information about attacks that, with the help of an insider, would yield PINs from an issuer bank's system.

.... Cambridge? I only know of one group in Cambridge that does this...

When you Google "2003 Cambridge University pin" and get a result on Cryptome, you know its gonna be good.

I was not disappointed: Decimalisation table attacks for PIN cracking

We present an attack on hardware security modules used by retail banks for the
secure storage and verication of customer PINs in ATM (cash machine) infrastructures.
By using adaptive decimalisation tables and guesses, the maximum amount
of information is learnt about the true PIN upon each guess. It takes an average of
15 guesses to determine a four digit PIN using this technique, instead of the 5000
guesses intended. In a single 30 minute lunch-break, an attacker can thus discover
approximately 7000 PINs rather than 24 with the brute force method. With a $300
withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million
and a single motivated attacker could withdraw $30{50 thousand of this each day.
This attack thus presents a serious threat to bank security.

As Decius and I have said for years, at the bottom of most good security tales you always end up with either Felton or Anderson. :-)

The paper also helped me understand (remember?) the significance of the Pin Offset field on ABA track II. (it funny/sad when you google something and come up with your own website. I'm getting old.)

RE: Verizon: Cracking PINs for Fun and Profit
by Worthersee at 3:10 pm EDT, Apr 15, 2009

Acidus wrote:
As Decius and I have said for years, at the bottom of most good security tales you always end up with either Felton or Anderson. :-)

Sweet! Fresh 2nd edition -- Publisher: Wiley; 2 edition (April 14, 2008)

Purchased.