Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Hackers exploit weakest link in ATM communications

Credant Technologies : 17 April, 2009  (Technical Article)
Credant Technologies uncovers the poor banking security practices that result in the ability for PIN crackers to gain card user's information from the weakest point in the network
Revelations that hackers have discovered a method of cracking PINs from payment cards as they travel from an ATM to a banking computer are the direct result of sloppy security practices, says Credant Technologies, the military grade encryption specialist.

'The report, from Verizon Business, claims to show that criminal fraudsters are intercepting the weakest links in the multi-hop network path between one bank's ATM and the home network of the card being used,' said Michael Callahan, Credant's senior vice president.

'The fraudsters appear to have realised that each HSM (hardware security module) at each 'stop' on the transaction authorisation route has to decrypt the PIN and its associated card data string and then re-encrypt the data stream using its own algorithms for next leg,' he added.

According to Callahan, with card ATM-to-bank-computer routes typically traversing several network hops - especially in North America - this can give the fraudsters a chance to take advantage of a smaller bank's HSM security.

What many people overlook, he says, is that the branding of various ATMs - Cirrus, Visa, MasterCard etc - is just that, a brand, and the convoluted path a card authorisation and transaction request can make is hidden from the cardholder's view.

All is not lost, he explained, as it is perfectly possible for a bank - or group of banks - to encrypt the PIN and other security data at the ATM end of the link, and then further encrypt the data string for each leg of its journey, as required by the banking network.

This means, he says, that if the origin data is encrypted to a very high level, when the data is decrypted at its destination HSM, it can be further decrypted before being handed on to the relevant bank computers.

'Double levels of encryption are nothing new in high level security circles. It's a shame that the banks appear to have overlooked this issue when designing their ATM networks,' he said. 'There is nothing to stop banks adding military grade encryption as an underlay to their existing HSM-based network encryption system and so ensuring their cardholders are safe from this new type of hacking exploit,' he added.
Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo