Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 











Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

PIN cracker situation a result of weak security practices says Credant

April 2009 by Credant Technologies

Revelations that hackers have discovered a method of cracking PINs from payment cards as they travel from an ATM to a banking computer are the direct result of sloppy security practices, says Credant Technologies, the military grade encryption specialist.

"The report, from Verizon Business, claims to show that criminal fraudsters are intercepting the weakest links in the multi-hop network path between one bank’s ATM and the home network of the card being used," said Michael Callahan, Credant’s senior vice president.

"The fraudsters appear to have realised that each HSM (hardware security module) at each ’stop’ on the transaction authorisation route has to decrypt the PIN and its associated card data string and then re-encrypt the data stream using its own algorithms for next leg," he added.

According to Callahan, with card ATM-to-bank-computer routes typically traversing several network hops - especially in North America – this can give the fraudsters a chance to take advantage of a smaller bank’s HSM security.

What many people overlook, he says, is that the branding of various ATMs - Cirrus, Visa, MasterCard etc - is just that, a brand, and the convoluted path a card authorisation and transaction request can make is hidden from the cardholder’s view.

All is not lost, he explained, as it is perfectly possible for a bank - or group of banks - to encrypt the PIN and other security data at the ATM end of the link, and then further encrypt the data string for each leg of its journey, as required by the banking network.

This means, he says, that if the origin data is encrypted to a very high level, when the data is decrypted at its destination HSM, it can be further decrypted before being handed on to the relevant bank computers.

"Double levels of encryption are nothing new in high level security circles. It’s a shame that the banks appear to have overlooked this issue when designing their ATM networks," he said. "There is nothing to stop banks adding military grade encryption as an underlay to their existing HSM-based network encryption system and so
ensuring their cardholders are safe from this new type of hacking exploit," he added.


See previous articles

    

See next articles












Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts