The article describes how it is done and how it ain’t gonna be fixed anytime soon. Guess it’s time to hit the mattresses, and not in a good way.

Hackers have crossed into new frontiers by devising sophisticated ways to steal large amounts of personal identification numbers, or PINs, protecting credit and debit cards, says an investigator. The attacks involve both unencrypted PINs and encrypted PINs that attackers have found a way to crack, according to the investigator behind a new report looking at the data breaches.
[…]
The revelation is an indictment of one of the backbone security measures of U.S. consumer banking: PIN codes. In years past, attackers were forced to obtain PINs piecemeal through phishing attacks, or the use of skimmers and cameras installed on ATM and gas station card readers. Barring these techniques, it was believed that once a PIN was typed on a keypad and encrypted, it would traverse bank processing networks with complete safety, until it was decrypted and authenticated by a financial institution on the other side.

But the new PIN-hacking techniques belie this theory, and threaten to destabilize the banking-system transaction process.

Information about the theft of encrypted PINs first surfaced in an indictment last year against 11 alleged hackers accused of stealing some 40 million debit and credit card details from TJ Maxx and other U.S. retail networks. The affidavit, which accused Albert “Cumbajohnny” Gonzalez of leading the carding ring, indicated that the thieves had stolen “PIN blocks associated with millions of debit cards” and obtained “technical assistance from criminal associates in decrypting encrypted PIN numbers.”
[…]
Some of the attacks involve grabbing unencrypted PINs while they sit in memory on bank systems during the authorization process. But the most sophisticated attacks involve encrypted PINs.

  1. jescott418 says:

    So true, I swear my bank sends me a letter at least once a year indicating a security breach and they must replace my card. This does NOT give me much faith in our banking security.
    I have about come to a conclusion that technology has made it easier for bad guys.
    They can sit at home and get my information.
    I think I may end up turning in my debit card and go back to walking in my bank and writing a withdrawal slip.

  2. dogday says:

    Pay with cash. Yes you will have to use the ATM to avoid a fee for actually entering a bank but that will minimize your surface of attack by these thieves!

    Hint, label this as terrorism and it will go away real fast.

  3. huh says:

    I have never in my life had to pay a fee for making a withdrawal at a bank. If anything, you would need to pay fees for using the ATM, not the other way around.

    Just get a checking account with a check card. Use it like a credit card for all purchases and the money comes directly out of your account. No PINs, no bank trips, no ATM trips. Keep a few hundred bucks in your home for emergencies and when you need cash.

  4. moss says:

    As the article finally gets round to sort-of admitting, most of this so-called hacking – just as happens in corporations and governments – requires a corrupt and crooked insider.

    Ain’t even up to social engineering. Just a thief.

  5. Olo Baggins of Bywater says:

    to avoid a fee for actually entering a bank

    If you have to pay that, get a different bank.

    Seriously, dump the mega-banks whose only motive for existing is massive profits and stock prices. Get a deal with small local banks…who were largely unaffected by the ‘crisis’ that hit the big dogs.

  6. tpressman says:

    Yet another attempt by the “powers that be” to destroy our current economic system so they can replace it with fart-taxes and guilt-taxes (even though the critters in the oceans fart 10x more than anyone on the land).

    FUD via media is the way to get the masses freaked out. Just like the “meat will kill you” campaign and the “grid has been hacked” BS/FUD to push for the needed “smart grid”.

    F&%# IT! I’m going Amish!

  7. Greg Allen says:

    Four-digit pins are a joke.

    Even worse — those three digit numbers on the back credit cards! Three digits in the era of routine 128-bit encryption!

    Why do we even have static credit card numbers?

    Shouldn’t each transaction have a different number, (used just once), so that the pimply pizza guy can’t charge his porn on my card?

  8. mpburton says:

    I would expect dvorak.org to be better at this…

    What does PIN stand for again? Personal Identification Number. Saying PIN number is like saying ATM Machine.

    And the last frackin’ book of the bible is Revelation, not Revelations.

    Get it right, fellow geeks. We’re ugly and have no social skills – the only thing we have left is smug accuracy – don’t screw that up.

  9. AdmFubar says:

    it boils down to this…………

    any lock made can be picked.

  10. A. Programmer says:

    Debit cards (check cards) have almost none of the protections against theft and abuse that credit cards do. Use them with great care. By using credit cards you shift most of the risk to the bank, and they spend lots of money to manage that risk.
    Card association standards dictate that the PIN is never transmitted in the clear and should not be in the clear in any computer memory. Special purpose PIN verification computers are fed keys and encrypted PINs and return a go/no-go result – the PIN is never decrypted except in protected, inaccessible (in theory) internal memory. This is how the standard reads – which does not mean every institution implements them correctly. Triple-DES encryption is also the standard, which is quite secure from most (but not all) attacks.

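The PIN-handling design the comment above describes (the PIN is never in the clear outside a dedicated verification device, and that device only answers go/no-go) can be sketched in code. What follows is an added example, not code from this page, from the commenter, or from any card network standard. It assumes an ISO 9564 format-0 PIN block, substitutes a clearly labelled stand-in for the Triple-DES step because the Python standard library has no 3DES, and every key, PAN, PIN and function name in it is constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Added illustration (not code from the page): the clear PIN block exists
# only inside the "HSM" boundary, which answers go/no-go and never hands
# the PIN back to the caller.


def iso0_pin_block(pin: str, pan: str) -> bytes:
    """Build an ISO 9564 format-0 PIN block: PIN field XOR PAN field.

    PIN field: control digit 0, PIN length as one hex digit, the PIN,
    then 'F' padding to 16 hex digits. PAN field: four zeros plus the
    rightmost 12 PAN digits, excluding the Luhn check digit.
    """
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 13 to 19 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    pan_field = "0000" + pan[-13:-1].rjust(12, "0")
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field),
                                       bytes.fromhex(pan_field)))


def _toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for the Triple-DES ECB step (assumption: the standard
    library has no 3DES, so an HMAC-derived 8-byte pad is XORed in).
    Symmetric and deterministic like 3DES-ECB, but a structural
    placeholder only, not a secure cipher."""
    pad = hmac.new(key, b"toy-pin-key-pad", hashlib.sha256).digest()[:8]
    return bytes(a ^ b for a, b in zip(block, pad))


class ToyPinHsm:
    """Models the 'special purpose PIN verification computer'."""

    def __init__(self) -> None:
        self._lmk = os.urandom(16)  # local master key: never leaves the box
        self._zpk = os.urandom(16)  # zone PIN key shared with the terminal

    def zone_key_for_terminal(self) -> bytes:
        # Toy key distribution; real deployments inject this out of band.
        return self._zpk

    def enroll(self, pin: str, pan: str) -> bytes:
        """Return the reference PIN block encrypted under the LMK for storage."""
        return _toy_block_cipher(self._lmk, iso0_pin_block(pin, pan))

    def verify(self, pin_block_under_zpk: bytes, reference_under_lmk: bytes) -> bool:
        """Go/no-go only: the clear PIN block lives only in this frame."""
        clear = _toy_block_cipher(self._zpk, pin_block_under_zpk)
        control, length = clear[0] >> 4, clear[0] & 0x0F
        if control != 0 or not 4 <= length <= 12:
            return False  # malformed block: reject without saying why
        reference = _toy_block_cipher(self._lmk, reference_under_lmk)
        return hmac.compare_digest(clear, reference)


def terminal_encrypt_pin(zpk: bytes, pin: str, pan: str) -> bytes:
    """What the keypad side sends: the PIN block encrypted under the zone key."""
    return _toy_block_cipher(zpk, iso0_pin_block(pin, pan))


def demo() -> tuple:
    """Enroll a constructed card, then check a correct and a wrong PIN."""
    pan = "4000001234567899"  # constructed test PAN, not a real card
    hsm = ToyPinHsm()
    reference = hsm.enroll("1234", pan)
    zpk = hsm.zone_key_for_terminal()
    good = hsm.verify(terminal_encrypt_pin(zpk, "1234", pan), reference)
    bad = hsm.verify(terminal_encrypt_pin(zpk, "1235", pan), reference)
    return good, bad


if __name__ == "__main__":
    print(iso0_pin_block("1234", "4000001234567899").hex().upper())
    print(demo())
```

The point of the structure is the one the comment makes: the caller of `verify` only ever sees `True` or `False`, and the two keys involved never leave the `ToyPinHsm` object. Anything that holds the clear PIN block outside that object (as the quoted article says some attacks exploit) is a deviation from the design, not a property of it.
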
  11. brian t says:

    I suppose the current system can be called a type of 2-factor authentication: you have the card, and you know the PIN. The 2-factor model is still solid, except that both factors (chip & PIN) are now vulnerable. Only way forward I can see the card is having the cards replaced by biometrics.

    Which biometric? If it’s a fingerprint, thieves will start carrying bolt cutters. Implanted RFID tags? Facial recognition? Retina scan? Is there a brainwave pattern scanner on the way? Who knows, but the cards have got to go.

  12. Paddy-O says:

    # 12 brian t said, “Only way forward I can see the card is having the cards replaced by biometrics.”

    That is until the hackers get a hold of the hash value associated with your bio feature…

  13. deowll says:

    If a thief can get deep enough into the bank's computers they can take it all.

    I suppose they should add five or six numbers to the PIN.

  14. grandpa says:

    Man that’s one hot granny in that picture.

  15. soundwash says:

    lol..this article is just a feel-good.

    -it is a warm-up article for some corrupted politician with lobby money sticking out of his hole to write some new vague, all-encompassing bill to help fill jails, create new funding for a security niche (that will never work) and sap more privacy away from common folk in the guise of *security*

    it is a huge joke.

    this “problem” has been around for decades.
    -they just don’t want it known how easy
    and widespread it is.

    the banking industry allows this behavior
    for various reasons..if only to allow
    for funding of clandestine operations.
    these guys got busted because they
    probably did not pay off the right
    people or embarrassed someone in the chain.

    no matter how many laws are created, no matter if you use even 4096 bit or bit encryption, there will NEVER be a secure network or this thing called “security” as long as there is just at least one corruptible human in the chain. Period.

    to enact any more laws addressing this, like many security initiatives of late, only further
    perpetrates a false sense of security and a
    fraud tantamount to treason on a dumbed down public.

    -the obvious corruption and fraud of people at the very top of government and all the major international banks in the current crisis only adds an exclamation point to this fact.

    one of the biggest mistakes is the fact that the phone lines that carry the ATM transmissions are not secured. -esp the ATM’s in your local store.

    look at the back of every ATM Kiosk in your local
    deli. -you will see the same gray phone line
    and terminal block on the wall that you have in your home.

    it is nothing for entrepreneurial types to install modified ATMs at grocery stores
    to harvest pins or other data. -or just forgo
    all that and just tap the phone line. in the 80’s i knew quite a few highly intelligent corruptible phone company types that had access to SS7 switches and many other access points.

    combine them with other “insiders” and it’s
    easier than taking candy from a baby. it only takes nerve, some creative thinking and paying
    off the right people. much easier than just opening your data center.

    -this is how they define *secure* in the banking
    industry.

    again:
    there will NEVER be a thing called security as long as there is just at least one corruptible
    human in the chain.

    example:

    -as a kid in the 80’s, one of the best summer
    jobs paid $200/day to erase credit card receipts
    from topless bars that were already processed
    so they could ding the bank twice. this went on several years that i know of, six days a week.

    oddly enough, whenever one of these operations got raided, none of the kids were present. -that
    would have drawn too much attention from special interests.

    there were many more raided in the span of two weeks than was reported in the news. -also not
    reported were the plainclothes and uniform officers who were paid to look the other way.

    -just think of how many people needed to be corrupted for this ONE scheme to work.

    there are thousands that never get caught.

    the banks do not want the public to know
    how lax security really is. -also, since
    it’s just john Q Public getting ripped off
    and not some multinational corp, they could
    give a rats ass.

    -and you wonder why they keep lowering
    standards on everything across the boards.

    -now, go to
    http://usdoj.gov/usao/offices/index.html

    these are the US Department of Justice (DA’s -district attorneys) listings by state.

    go to the of any state and you will find *hundreds* of high profile cases of which many deal with corruption and fraud at the highest levels government and our *sacred* institutions going back decades.

    just for starters, type in
    in the search window..

    strangely only three links show up for
    “ATM fraud” (5 in all, two refer to
    the same case)

    so..we are to believe in the 35-40yr history
    of ATM’s, the only 3 have been uncovered?

    no. they moved those out of the DOJ search
    and into http://cybercrimes.gov and made it
    so you have to search on to generate a good amount of hits.
    -add to the search to
    explode it accordingly.


    trust me, this is not a new issue. it’s only being brought to light, so the media can
    produce “public outrage” which then allows
    congress to pass laws that only affect us,
    the *little people*

    -god forbid should they *ever* pass laws that address the rampant corruption in their own ranks or the ranks of the banking industry that they
    work for.

    the background check to own/lease an ATM is laughable at best. all you need is cash or
    good credit. (well obviously, they did away with
    the need for “good credit” years ago)

    find a good location, get yourself $5k-$6k and you can buy an ATM machine for 2k-3k, load it with cash and you're good to go.

    i have two dudes at SCI wheelchair group i volunteer at who own ATM’s and pull in $3500
    to $5000 a month. -even us poor wheelchair
    folk can get in the fun.

    what you do with the ATM machine after you
    own it, well..that’s entirely up to you.

    don’t be duped by the “feel-good” monster.

    -s
