Brilliant Israeli Minds Freaking Everybody Out

December 3, 2006 - 11:27 PM by

This story is getting lotsa play all over the media:

Researchers who work for an Israeli computer security company say they have discovered a fundamental weakness in the system that banks use to keep debit card PIN codes secret while they are transported across bank networks – a flaw that they say could undermine the entire debit card system.

The U.S. Secret Service is investigating the matter, and MSNBC.com obtained a memo compiled by the agency that indicates that organized criminals are systematically attempting to subvert the ATM system and unscramble encrypted PIN traffic.

The report has ignited a debate within the banking industry, with many financial industry experts downplaying the seriousness of the flaw and outside experts divided on its implications. But there is no disputing the impact that such a hack would have if successful.

Using the methods outlined by the researchers, a hacker could siphon off thousands of PIN codes and compromise hundreds of banks, said Odelia Moshe Ostrovsky, the report’s principal author. Criminals could then print phony debit cards and simultaneously withdraw vast amounts of cash using ATMs around the world, she said.

Automated Teller Machines and point of sale debit card sales are a massive part of the global economy. In the U.S. alone, ATMs perform about 8 billion transactions every year and dispense $600 billion in cash, according to a study released earlier this year by Dove Consulting. Volume of retail store PIN-based debit card transactions is even higher.

Word of the apparent security flaw first surfaced two weeks ago, when Ostrovsky and other researchers at Algorithmic Research (ARX) published a paper stating that it would be possible for someone with access to the ATM network to attack the special computers that transmit bank account numbers and PIN codes, called hardware security modules.

When consumers enter their personal identification numbers, or PINs, into an ATM, the PIN and account number must travel through several computers on a special network before they arrive at their home bank for verification. The data is encrypted immediately after it’s entered at the ATM into what is known as a PIN block, then sent on its way.

Rarely does the transmission go directly to a consumer’s bank. Instead, it is handed off several times on a banking network run by several third parties. Each time a bank passes the data along, it goes through a switch that contains the hardware security module and the PIN block is unscrambled and then rescrambled. It is at these intermediate points where hackers could trick the machines into divulging PINs, the ARX researchers said.

“We show in these attacks that using only (a single) function we can reveal the content of every PIN block as if it’s not encrypted,” said Ostrovsky.

2 Comments on Brilliant Israeli Minds Freaking Everybody Out

  1. John on Mon, Dec 4th 2006 8:29 AM

     I am not as worried about my PIN as I am trying to get money out of Israeli ATMs. Other than Bank Hapoalim, there are few that offer real English menus. It’s sad, but I’ve spent the past two years just pressing buttons until cash comes out. Once I withdrew $400 instead of 400nis! I guess I need a refresher ulpan shiur on ATM-speak.

  2. Shanah on Mon, Dec 4th 2006 4:17 PM

     Reason #1,245,567,890,000 why Israelis are just sexy people.

     Now I’m going to go share this with my boss.
