
Hackers have learned how to decipher PIN codes

Experts continue to marvel at how hackers manage to put into practice methods that a year ago were considered only theoretically possible, and even then only within a narrow academic circle. Now they have learned how to obtain the PIN codes of our cards without breaking into the ATM we use. It is enough to find a weak node in the network through which the packets travel from the ATM to the bank.

Suspicions that attackers had gained access to a technique for decrypting PIN codes transmitted in encrypted form existed before, but with the publication of Verizon's 2009 Data Breach Investigations Report they have been officially confirmed for the first time.

It turned out that the encrypted packets, before they reach the destination bank, pass through many hardware security modules (HSMs; in the photo, an HSM with a PCI interface) belonging to other banks. Because these HSMs have different settings and operating modes, the packets with PIN codes have to be decrypted and re-encrypted at each node with a new public key, which works together with the private key of that particular HSM, accessible through the API. Hackers have now learned to recover the HSM's private key if the node is misconfigured. As soon as they manage to decipher one PIN, they can easily decrypt the entire set of PIN codes passing through that HSM.
Experts learned about the practical use of this technique only after the fact, when several months ago they began investigating the wave of fraudulent withdrawals that swept the world in 2008-2009 (before that, they had noticed interest in the topic on Russian hacker forums but could not understand what it was related to).

The chart shows statistics on the number of compromised bank accounts, including card accounts (source: Verizon). As you can see, this number is already twice the population of, for example, Russia. In fact, many more cards have been compromised, so they already make up a significant percentage of all bank cards in circulation.



But with the PIN, money can be withdrawn not only from the card but directly from the user's bank account, and it will be extremely difficult to prove fraud and get the money back afterwards.

According to Verizon's experts, the problem can be solved only by radically changing the infrastructure of the global payment systems. In effect, a new system needs to be created from scratch.

via Wired

Source: https://habr.com/ru/post/57454/

