Experts say PIN cracker situation a result of weak security practices

PIN cracker situation a result of weak security practices says Credant

Revelations that hackers have discovered a method of cracking PINs from payment cards as they travel from an ATM to a banking computer are the direct result of sloppy security practices, says Credant Technologies, the military grade encryption specialist.

"The report, from Verizon Business, claims to show that criminal fraudsters are intercepting the weakest links in the multi-hop network path between one bank's ATM and the home network of the card being used," said Michael Callahan, Credant's senior vice president.

"The fraudsters appear to have realised that each HSM (hardware security module) at each 'stop' on the transaction authorisation route has to decrypt the PIN and its associated card data string and then re-encrypt the data stream using its own algorithms for the next leg," he added.

According to Callahan, because ATM-to-bank-computer routes typically traverse several network hops, especially in North America, the fraudsters get a chance to take advantage of a smaller bank's weaker HSM security somewhere along the path.

What many people overlook, he says, is that the branding of various ATMs - Cirrus, Visa, MasterCard etc - is just that, a brand, and the convoluted path a card authorisation and transaction request can make is hidden from the cardholder's view.

All is not lost, he explained, as it is perfectly possible for a bank - or group of banks - to encrypt the PIN and other security data at the ATM end of the link, and then further encrypt the data string for each leg of its journey, as required by the banking network.

This means, he says, that if the data is encrypted at its origin with an additional strong inner layer, then once the destination HSM has stripped off the network-level encryption, that inner layer can still be decrypted before the data is handed on to the relevant bank computers.

"Double levels of encryption are nothing new in high level security circles. It's a shame that the banks appear to have overlooked this issue when designing their ATM networks," he said. "There is nothing to stop banks adding military grade encryption as an underlay to their existing HSM-based network encryption system and so ensuring their cardholders are safe from this new type of hacking exploit," he added.
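The hop-by-hop PIN-block translation Callahan describes, and the "underlay" of an extra end-to-end layer he proposes, can be modelled in a few dozen lines. The following is an added example, not code from Credant, Verizon Business or any banking network: the HSM names, zone keys and the 8-byte PIN block are constructed, and the SHA-256 counter-mode stream cipher stands in for the 3DES/AES key blocks a real HSM uses, so that the script runs with only the Python standard library. It reports at which hops the plaintext PIN block is present under each design.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed example. The cipher below is a SHA-256 counter-mode stream
# cipher used as a dependency-free stand-in for a real HSM's 3DES/AES.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Prefix a fresh nonce so the same PIN block never encrypts identically twice."""
    nonce = os.urandom(12)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class Hsm:
    """One 'stop' on the authorisation route. It holds a zone key shared with the
    previous hop and one shared with the next hop, and translates the PIN block by
    decrypting under the first and re-encrypting under the second."""

    def __init__(self, name: str, inbound_key: bytes, outbound_key: bytes):
        self.name = name
        self.inbound_key = inbound_key
        self.outbound_key = outbound_key
        self.seen: List[bytes] = []  # bytes this HSM handled in the clear

    def translate(self, blob: bytes) -> bytes:
        clear = decrypt(self.inbound_key, blob)
        self.seen.append(clear)
        return encrypt(self.outbound_key, clear)


def run_route(pin_block: bytes, hop_names: List[str],
              inner_key: Optional[bytes] = None) -> Tuple[bytes, Dict[str, bytes]]:
    """Send pin_block from the ATM through the named hops to the issuer.
    Returns (PIN block the issuer recovers, {hop name: bytes seen in the clear})."""
    # zone_keys[i] is shared between node i and node i+1; node 0 is the ATM
    # and the last node is the issuing bank.
    zone_keys = [os.urandom(32) for _ in range(len(hop_names) + 1)]
    hops = [Hsm(n, zone_keys[i], zone_keys[i + 1]) for i, n in enumerate(hop_names)]

    # With the underlay, the ATM first wraps the PIN block under a key that
    # only the issuer holds; intermediate HSMs translate that opaque blob.
    payload = pin_block if inner_key is None else encrypt(inner_key, pin_block)
    blob = encrypt(zone_keys[0], payload)
    for hsm in hops:
        blob = hsm.translate(blob)

    recovered = decrypt(zone_keys[-1], blob)
    if inner_key is not None:
        recovered = decrypt(inner_key, recovered)
    return recovered, {h.name: h.seen[0] for h in hops}


def exposed_hops(pin_block: bytes, hop_names: List[str],
                 inner_key: Optional[bytes] = None) -> List[str]:
    """Names of the hops at which the plaintext PIN block was present."""
    recovered, seen = run_route(pin_block, hop_names, inner_key)
    assert recovered == pin_block, "the issuer must still be able to verify the PIN"
    return [name for name, clear in seen.items() if clear == pin_block]


if __name__ == "__main__":
    PIN_BLOCK = bytes.fromhex("041234ffffffffff")  # constructed 8-byte PIN block
    ROUTE = ["acquirer HSM", "regional switch HSM", "small bank HSM"]  # constructed
    print("hop-by-hop only, PIN in clear at:", exposed_hops(PIN_BLOCK, ROUTE))
    print("with end-to-end inner layer, PIN in clear at:",
          exposed_hops(PIN_BLOCK, ROUTE, os.urandom(32)))
```

Under the plain hop-by-hop design every HSM on the route is listed, which is exactly why the weakest of them sets the security of the whole path; with the inner layer the list is empty, because each intermediate HSM only ever translates ciphertext, while the issuer still recovers the PIN block it needs to verify.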


In other words, the fraudsters have gotten wise while the banks and others haven't, as yet. The cameras and other equipment that had to be installed at the ATMs to collect card numbers, PINs and the like could be spotted, and installing them was a risky business (some still use that approach, so don't drop your guard as yet, folks). Now they seem to have found a much easier way.

Vigilance on the user's side is one thing, and sometimes that is the weakest link. Alas, it would appear that, while users may be getting wiser too, the sloppy security practices of the institutions themselves are at fault for PINs and other data falling into the wrong hands.

As the people from Credant describe it, it is not rocket science. The problem, as with most security programmes, is that such measures cost money to implement, and that is where it all seems to fall flat every time, and not just where PINs and other banking data are concerned.

© 2009