Verizon: Cracking PINs for Fun and Profit

Acidus
Topic: Miscellaneous 2:36 pm EDT, Apr 15, 2009

"We're seeing entirely new attacks that a year ago were thought to be only academically possible," says Sartin. Verizon Business released a report Wednesday that examines trends in security breaches. "What we see now is people going right to the source ... and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks."

Information about the theft of encrypted PINs first surfaced in an indictment last year against 11 alleged hackers accused of stealing some 40 million debit and credit card details from TJ Maxx and other U.S. retail networks. The affidavit, which accused Albert "Cumbajohnny" Gonzalez of leading the carding ring, indicated that the thieves had stolen "PIN blocks associated with millions of debit cards" and obtained "technical assistance from criminal associates in decrypting encrypted PIN numbers."

But until now, no one had confirmed that thieves were actively cracking PIN encryption.

... shit.

Information about how to conduct attacks on encrypted PINs isn't new and has been surfacing in academic research for several years. In the first paper, in 2003, a researcher at Cambridge University published information about attacks that, with the help of an insider, would yield PINs from an issuer bank's system.

.... Cambridge? I only know of one group in Cambridge that does this...

When you Google "2003 Cambridge University pin" and get a result on Cryptome, you know it's gonna be good.

I was not disappointed: Decimalisation table attacks for PIN cracking

We present an attack on hardware security modules used by retail banks for the
secure storage and verification of customer PINs in ATM (cash machine) infrastructures.
By using adaptive decimalisation tables and guesses, the maximum amount
of information is learnt about the true PIN upon each guess. It takes an average of
15 guesses to determine a four digit PIN using this technique, instead of the 5000
guesses intended. In a single 30 minute lunch-break, an attacker can thus discover
approximately 7000 PINs rather than 24 with the brute force method. With a $300
withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million
and a single motivated attacker could withdraw $30-50 thousand of this each day.
This attack thus presents a serious threat to bank security.

As Decius and I have said for years, at the bottom of most good security tales you always end up with either Felten or Anderson. :-)

The paper also helped me understand (remember?) the significance of the PIN Offset field on ABA track II. (It's funny/sad when you Google something and come up with your own website. I'm getting old.)
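For readers unfamiliar with the decimalisation table in the abstract and the PIN Offset field mentioned above, this added example (not code from the post or the paper) sketches offset-based PIN verification and the mitigation of pinning the table inside the verifier instead of accepting it from the caller. Assumptions: HMAC-SHA256 stands in for the DES encryption a real HSM performs, and every function name, the account number and the key are constructed for illustration.

```python
import hashlib
import hmac

# Conventional table: hex digit i of the ciphertext maps to APPROVED_TABLE[i].
APPROVED_TABLE = "0123456789012345"
PIN_LEN = 4
# Constructed sample values, not real card data.
SAMPLE_PAN = "4000001234567899"
SAMPLE_KEY = b"constructed-demo-pin-key"


def _is_pin(s: str) -> bool:
    return len(s) == PIN_LEN and s.isascii() and s.isdigit()


def check_table(dectab: str) -> None:
    """Refuse any decimalisation table other than the one fixed by policy."""
    if not hmac.compare_digest(dectab.encode(), APPROVED_TABLE.encode()):
        raise ValueError("decimalisation table not approved")


def natural_pin(pan: str, pin_key: bytes, dectab: str) -> str:
    """Derive the 'natural' PIN from the account number under the PIN key."""
    # Assumption: keyed PRF stand-in for the HSM's DES encryption step.
    hexdigits = hmac.new(pin_key, pan.encode(), hashlib.sha256).hexdigest()
    return "".join(dectab[int(h, 16)] for h in hexdigits[:PIN_LEN])


def make_offset(pan: str, pin_key: bytes, customer_pin: str) -> str:
    """Offset kept with the card: customer PIN minus natural PIN, per digit mod 10."""
    if not _is_pin(customer_pin):
        raise ValueError("PIN must be four decimal digits")
    nat = natural_pin(pan, pin_key, APPROVED_TABLE)
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(customer_pin, nat))


def verify_pin(pan: str, pin_key: bytes, offset: str, trial_pin: str,
               dectab: str = APPROVED_TABLE) -> bool:
    """Verify a trial PIN; the table is validated before any key operation."""
    check_table(dectab)
    if not (_is_pin(trial_pin) and _is_pin(offset)):
        return False
    nat = natural_pin(pan, pin_key, dectab)
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))
    return hmac.compare_digest(expected, trial_pin)


if __name__ == "__main__":
    off = make_offset(SAMPLE_PAN, SAMPLE_KEY, "4821")
    print("offset:", off, "verified:", verify_pin(SAMPLE_PAN, SAMPLE_KEY, off, "4821"))
```

The offset is not secret on its own, which is why it can travel with the card data; the protection rests on the PIN key and on the verifier refusing any table it did not fix itself.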
