Sunday, February 23, 2003

Warning of the Day

On almost all of the bank machines I've ever used in London, I've see a little notice indicating that I need to be wary of "Pin Thieves" who work in the area; this means, I guess, I need to cover the screen like I would a math exam and, as soon as the money is spat out, make haste. The sheer number of these little warnings have always made me question their effectiveness in making people any more aware of who might be looking over their shoulders, as we tend to become blind to what we always see -- husbands, wives, do I see you nodding vigorously? What sort of warning do you think the banks of the world are going to post regarding this:

Two Cambridge University researchers have discovered a new attack on the hardware security nodules employed by banks that makes it possible to retrieve customers' cash machine PINs in an average of 15 tries.

The attack takes advantage of a weakness in the cryptographic model used by many HSMs to encrypt, store and retrieve PINs. The system, used by many ATMs, reads the customer's account number that is encoded on the magnetic strip of the ATM card. The software then encrypts the account number using a secret DES key. The ciphertext of the account number is then converted to hexadecimal and the first four digits of it are retained.

Those digits are then put through a decimalization table, which converts them to a format that's usable on the ATM keypad. By manipulating the contents of this table, it's possible for an attacker to learn progressively more about the PIN with each guess. Using various schemes described in the paper, a knowledgeable attacker could discover as many as 7,000 PINs in a half hour, the authors say.

I've been talking to a friend mine via email about student loan debt, and perhaps this provides me with the best rationale to maintain mine: the only people stealing from me anytime soon are my creditors.

UPDATE: My sense of security just vanished -- perhaps as quickly as should my current internet server. (Yeah, that's right I'm a complacently debt-ridden, lazy AOL-user, what're you gonna do about it?)

Posted by Brad at 3:42 PM

Subscribe to: Comment Feed (RSS)