Thursday, November 23, 2006

How safe is your PIN?

Early this year I asked my bank to cancel my main credit card and issue me with a brand new card having a completely different card number. This was because an unauthorized transaction had occurred, which seemed to be somehow related to an overseas software purchase, and I no longer had confidence in the security of my old card.

I've been purchasing software like this for years, and this was the first time anything like this had happened. It really got me thinking about credit card security for online transactions. I absolutely NEVER use my card on anything but secured web pages (having the "locked padlock"), and continually scan for malware (keylogging trojans, etc).

My best guess was that in this case somewhere overseas a scoundrel somehow got access to transaction details and was able to generate a bogus transaction. My bank refunded the transaction amount, but didn't (or perhaps as a matter of policy wouldn't) tell me what their investigation into the matter turned up.

This all bubbled to the surface when I just came across the following report -
The unbearable lightness of PIN cracking by Omer Bergman and Odelia Moshe Dostoevsky. Take a look at it yourself:
Abstract. We describe new attacks on the financial PIN processing API. The attacks apply to switches as well as to verification facilities. The attacks are extremely severe allowing an attacker to expose customer PINs by executing only one or two API calls per exposed PIN. One of the attacks uses only the translate function which is a required function in every switch. The other attacks abuse functions that are used to allow customers to select their PINs online. Some of the attacks can be applied on a switch even though the attacked functions require issuer’s keys which do not exist on a switch. This is particularly disturbing as it was widely believed that functions requiring issuer’s keys cannot do any harm if the respective keys are unavailable.
Your own local bank's systems and processes might be totally secure, but think of all the stages in a transaction and all the chances for a rogue to somehow tap into the transaction ... and shudder!

Security expert Bruce Schneier discusses this report too in Attacking Bank-Card PINs and this post includes some interesting comments by others.

No comments:

Post a Comment