On sci.crypt: New attacks on the financial PIN processing

An interesting post on sci.crypt on attacks on bank PINs:


Possible Serious Security Flaw In ATMs

ATM system called unsafe

from above:

A U.S. Secret Service memo obtained by MSNBC.com indicates that
organized criminals are systematically attempting to subvert the ATM
system and unscramble encrypted PIN codes.


The underlying paper, which came out about 2 weeks ago, is at:



Re: On sci.crypt: New attacks on the financial PIN processing

http://www.garlic.com/~lynn/2006v.html#33 New attacks on the financial PIN

and some misc. older posts related to ATM and debit card issues,
vulnerabilities, exploits and threats:

http://www.garlic.com/~lynn/2005u.html#16 AMD to leave x86 behind?
http://www.garlic.com/~lynn/2006e.html#21 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#22 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#26 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006k.html#23 Value of an old IBM PS/2 CL57 SX Laptop
http://www.garlic.com/~lynn/aadsm22.htm#21 FraudWatch - Chip&Pin, a new tenner
http://www.garlic.com/~lynn/aadsm22.htm#22 FraudWatch - Chip&Pin, a new tenner
http://www.garlic.com/~lynn/aadsm22.htm#25 FraudWatch - Chip&Pin, a new tenner
http://www.garlic.com/~lynn/aadsm22.htm#26 FraudWatch - Chip&Pin, a new tenner
http://www.garlic.com/~lynn/aadsm23.htm#35 3 of the big 4 - all doing payment
http://www.garlic.com/~lynn/aadsm23.htm#37 3 of the big 4 - all doing payment
http://www.garlic.com/~lynn/aadsm24.htm#9 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#10 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm26.htm#1 Extended Validation - setting the minimum liability, the CA trap, the market in browser governance
http://www.garlic.com/~lynn/aadsm26.htm#6 Citibank e-mail looks phishy
http://www.garlic.com/~lynn/aadsm26.htm#11 What is the point of encrypting on that is publicly visible?
http://www.garlic.com/~lynn/2006v.html#1 New attacks on the financial PIN

in the mid-90s, the x9a10 financial standard working group was given
the requirement to protect the financial infrastructure for all retail
payments. the result was the x9.59 financial standard

part of x9.59 standard was attempting to eliminate most of the known
exploits, threats and vulnerabilities in the infrastructure.

another part was being privacy agnostic ... i.e. name and/or other
identifying information would not be required at point-of-sale.
part of that was looking at promoting x9.59 to ISO (international)
level ... and in that period the EU had made some directive (in
conjunction with the EU-DPD) that all retail/pos electronic
transactions should be as anonymous as cash.

for some other drift ... as part of co-authoring the x9.99 financial
industry privacy standard ... did some work on trying to pull together
a merged privacy taxonomy and glossary from several sources
(including GLBA, EU-DPD, HIPAA, etc)

Re: On sci.crypt: New attacks on the financial PIN processing

Thanks for the comprehensive reference material and overview.


Re: On sci.crypt: New attacks on the financial PIN processing

http://www.garlic.com/~lynn/2006v.html#39 On sci.crypt: New attacks on the financial PIN processing

and some more background and related topics

Bank-card PINs 'wide open' to insider attack
http://www.theregister.co.uk/2006/11/20/bank_card_pin_fraud/
Researchers uncover PIN security flaw
Banks face growing threat of identity theft from insiders
Banks face growing threat of identity theft from insiders

and repeat about some PIN issues
as well as the insider issue

UK Leads Europe In Card Crime
http://www.epaynews.com/index.cgi?survey=&ref=browse&f=view&id=116427718621320215354&block=
Britain card fraud hotspot of Europe
UK tops Europe for card fraud
Britain branded 'card fraud capital'
Britons are Europe's biggest victims of card fraud
UK banks face phishing chaos
Phishing still hits banks and customers
http://www.crime-research.org/news/21.11.2006/2361/

then there is the old "yes cards" discussions and the generic issue
with "replay attacks" when static authentication data is being used

and related issue is that if there is authentication separate from the
transaction ... the infrastructure can be exposed to man-in-the-middle
attacks ... something that x9a10 financial standard working group
spent some amount of time studying

shows up relatively recently in these posts
http://www.garlic.com/~lynn/2006v.html#26 Fighting Fraudulent Transactions
http://www.garlic.com/~lynn/2006v.html#27 Federal Rules May Not Fully Secure Online Banking Sites

Re: On sci.crypt: New attacks on the financial PIN processing

http://www.garlic.com/~lynn/2006v.html#39 On sci.crypt: New attacks on the financial PIN processing

general class of harvesting/skimming authentication static data for various
forms of replay attacks.

in the "yes card" scenario, some considered the chip worse than the
magstripe cards that it replaced. a countermeasure in the standard
financial account transaction is to flag the account and negate future
(online) transactions. in the "yes card" scenario ... once the
(counterfeit) "yes card" replayed the authentication static data, it
was allowed to instruct the terminal to do an "offline"
transaction. by the time the terminal finds out the account has been
flagged, it is way too late. also when the "terminal" asked the
(counterfeit) "yes card" if the entered PIN was correct, the "yes
card" would always reply "YES" (part of where the counterfeit card
got its label "yes card"). As a result, the attacker doesn't even need
to know the PIN.

in the three-factor authentication model

* something you have
* something you know
* something you are

normally in multi-factor authentication, the different factors are
assumed to have independent vulnerabilities. A ("something you know")
PIN is countermeasure to lost/stolen ("something you have") card.  In
the "yes card" scenario, an attacker just needs to harvest/skim the
card "authentication" information (and/or trick a lost/stolen card
into divulging the information). That information then can be loaded
into a (counterfeit) "yes card". Furthermore, while the account for a
lost/stolen card can be reported and have the corresponding account
flagged, since a (counterfeit) "yes card" can instruct the terminal to
do an offline transaction, it defeats the effect of flagging the

some other recent items related to static data authentication and
replay attacks
http://www.garlic.com/~lynn/2006v.html#29 User Authentication
http://www.garlic.com/~lynn/2006v.html#44 User Authentication


User agency warns of online security risks
Warning over use of repeat passwords
Warning over use of repeat passwords
Schumer warns on no-swipe credit cards

now one of the countermeasures to the static data authentication and
"yes card" vulnerability is to convert to some form of dynamic data
authentication (like digital signatures). note however, that even
"dynamic data authentication" may be vulnerable to a "yes card"
man-in-the-middle attack if it is used for card authentication as
opposed to transaction authentication, i.e. pair a counterfeit "yes
card" with a valid lost/stolen card ... where the counterfeit "yes
card" transparently passes the card authentication messages and then
controls the rest of the session (when the terminal asks if the
correct PIN was entered the "yes card" responds "YES" and when the
terminal asks if it should do an offline transaction, the "yes card"
also responds "YES").

recent related item
http://www.garlic.com/~lynn/2006v.html#26 Fighting Fraudulent Transactions

other posts related to man-in-the-middle attacks
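The three situations described in the posts above (static data replayed into a "yes card", dynamic card authentication relayed from a stolen card through a "yes card", and a signature over the transaction itself as the countermeasure) as a toy card/terminal exchange. This is an added example, not code from the posts or from any EMV implementation: real RSA certificates and cryptograms are replaced by HMAC-SHA256 tags under hypothetical keys (ISSUER_KEY, CARD_KEY) so it runs offline, the terminal is assumed to hold the card's verification key directly rather than recovering it from an issuer certificate, the 50-unit offline floor limit and the sample account number are made up, and the "hot list" stands in for the issuer flagging a reported account.

```python
"""Toy model of the "yes card" attack and two countermeasures (constructed
example, not from the thread). Signatures are HMAC-SHA256 stand-ins under
hypothetical keys; the terminal is assumed to know CARD_KEY directly.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ISSUER_KEY = b"issuer-demo-key"   # hypothetical: signs static account data (SDA)
CARD_KEY = b"card-demo-key"       # hypothetical: per-card key for dynamic signatures

def tag(key: bytes, *fields: bytes) -> bytes:
    """Stand-in for a digital signature over the concatenated fields."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()

def txn_tag(nonce: bytes, amount: int, pin_ok: bool, offline: bool) -> bytes:
    """Signature over the whole transaction, not just the card's identity."""
    return tag(CARD_KEY, nonce, str(amount).encode(), bytes([pin_ok]), bytes([offline]))

@dataclass
class GenuineCard:
    account: bytes
    pin: str
    static_sig: bytes                    # issuer signature over account data

    def sign_nonce(self, nonce):         # DDA: proves the card key, nothing more
        return tag(CARD_KEY, nonce)
    def verify_pin(self, pin):           # offline PIN check inside the card
        return hmac.compare_digest(pin, self.pin)
    def wants_offline(self, amount):     # small amounts stay below the floor limit
        return amount < 50
    def sign_transaction(self, nonce, amount, pin):
        pin_ok, offline = self.verify_pin(pin), self.wants_offline(amount)
        return pin_ok, offline, txn_tag(nonce, amount, pin_ok, offline)

class YesCard:
    """Counterfeit card loaded with skimmed static data; it has no card key.
    With relay_to set it sits in front of a stolen genuine card and forwards
    only the messages it cannot answer itself (a man-in-the-middle)."""
    def __init__(self, account, static_sig, relay_to=None):
        self.account, self.static_sig, self.relay_to = account, static_sig, relay_to
    def sign_nonce(self, nonce):
        return self.relay_to.sign_nonce(nonce) if self.relay_to else bytes(32)
    def verify_pin(self, pin):
        return True                      # always "YES", whatever was typed
    def wants_offline(self, amount):
        return True                      # never let the terminal go online
    def sign_transaction(self, nonce, amount, pin):
        if self.relay_to is None:
            return True, True, bytes(32)
        # relay to the genuine card, then lie about the verdict it signed
        _, _, sig = self.relay_to.sign_transaction(nonce, amount, pin)
        return True, True, sig

class Terminal:
    def __init__(self, mode, hot_list):
        self.mode, self.hot_list = mode, hot_list   # mode: "sda", "dda" or "txn"

    def _finish(self, account, pin_ok, offline):
        if not pin_ok:
            return "DECLINED: wrong PIN"
        if offline:
            return "APPROVED offline"    # issuer never sees it; flagging is moot
        if account in self.hot_list:
            return "DECLINED online: account flagged"
        return "APPROVED online"

    def authorize(self, card, amount, pin):
        if not hmac.compare_digest(card.static_sig, tag(ISSUER_KEY, card.account)):
            return "DECLINED: bad static data"
        nonce = secrets.token_bytes(8)
        if self.mode == "dda" and not hmac.compare_digest(card.sign_nonce(nonce), tag(CARD_KEY, nonce)):
            return "DECLINED: card authentication"
        if self.mode in ("sda", "dda"):  # terminal takes the card's word on PIN and offline
            return self._finish(card.account, card.verify_pin(pin), card.wants_offline(amount))
        pin_ok, offline, sig = card.sign_transaction(nonce, amount, pin)
        if not hmac.compare_digest(sig, txn_tag(nonce, amount, pin_ok, offline)):
            return "DECLINED: transaction signature"
        return self._finish(card.account, pin_ok, offline)

def run_scenarios():
    """Outcome of each attack/countermeasure pairing; account data is made up."""
    account = b"4111-demo-account"
    genuine = GenuineCard(account, "1234", tag(ISSUER_KEY, account))
    hot_list = {account}                 # issuer has flagged the lost/stolen card
    clone = YesCard(account, genuine.static_sig)                   # skimmed data only
    wedge = YesCard(account, genuine.static_sig, relay_to=genuine) # paired with stolen card
    wrong_pin, small, large = "0000", 20, 500
    return {
        "sda_genuine_wrong_pin": Terminal("sda", hot_list).authorize(genuine, small, wrong_pin),
        "sda_yescard": Terminal("sda", hot_list).authorize(clone, small, wrong_pin),
        "dda_yescard_alone": Terminal("dda", hot_list).authorize(clone, small, wrong_pin),
        "dda_yescard_relay": Terminal("dda", hot_list).authorize(wedge, small, wrong_pin),
        "txn_yescard_relay": Terminal("txn", hot_list).authorize(wedge, small, wrong_pin),
        "txn_genuine_small": Terminal("txn", hot_list).authorize(genuine, small, "1234"),
        "txn_genuine_large": Terminal("txn", hot_list).authorize(genuine, large, "1234"),
    }
```

`run_scenarios()` returns the outcome table. In "sda" mode the clone is approved offline with a wrong PIN; in "dda" mode the clone alone fails card authentication but the relayed wedge is approved offline, because the signature covers only the terminal's nonce and the terminal still takes the card's unsigned word on the PIN and on going offline; in "txn" mode the wedge is declined, since the genuine card signed pin_ok=False and the yes card cannot change what was signed. The large genuine transaction is the one case where the hot list bites, because only it reaches the issuer.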
