Wednesday, 15 April 2009

Weak point found in bank card PINs

Security experts have discovered a weak point in the system that handles bank card PINs. According to Wired, a thief could fool the computer systems that handle transactions into revealing the secret codes used by billions of people.

When you type your personal identification number (PIN) into a cash machine it is supposed to be sent in a secure manner back to your bank for verification. This involves traversing a chain of hardware security modules (HSMs), which decrypt and re-encrypt the PIN at each stage.
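To make the chain concrete, here is an added simulation (not code from this post or from Wired) of a PIN block passing through three HSMs. The ISO 9564 format-0 PIN block construction is real; everything else is an assumption for illustration: the zone names (TPK, ZPK_NET, ZPK_ISS), the keys, the three-hop routing policy, and the cipher, which is an HMAC-derived XOR pad standing in for the 3DES or AES a real HSM would use. The defensive point is that the clear PIN exists only inside an HSM's translate or verify call, that each HSM is restricted to the translations it is supposed to perform, and that every call, allowed or denied, lands in an audit log.

```python
"""Simulated PIN block translation across a chain of HSMs (added example, not
from the original post). Zone names, keys, policy and the cipher stand-in are
all constructed for illustration."""
import hashlib
import hmac

BLOCK = 8  # a PIN block is 8 bytes


def _pan_field(pan: str) -> bytes:
    # Format-0 PAN field: "0000" + the 12 rightmost PAN digits, check digit excluded
    return bytes.fromhex("0000" + pan[:-1][-12:])


def iso0_pin_block(pin: str, pan: str) -> bytes:
    """Build an ISO 9564 format-0 PIN block, the format an ATM pin pad commonly sends."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))


def pin_from_block(block: bytes, pan: str) -> str:
    """Recover the PIN from a clear format-0 block; only an HSM should ever do this."""
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("not a format-0 block")
    return pin_field[2:2 + int(pin_field[1], 16)]


def _xor_with_key(block: bytes, key: bytes) -> bytes:
    # STAND-IN for the 3DES/AES block encryption a real HSM uses (assumption):
    # XOR with an HMAC-derived 8-byte pad. Symmetric, so the same call decrypts.
    pad = hmac.new(key, b"pin-block", hashlib.sha256).digest()[:BLOCK]
    return bytes(a ^ b for a, b in zip(block, pad))


class Hsm:
    """One hop in the chain. Zone keys never leave the object, the clear PIN exists
    only inside translate()/verify(), and every request is written to an audit log."""

    def __init__(self, name, zone_keys, allowed_translations, audit):
        self.name = name
        self._keys = dict(zone_keys)
        self._allowed = set(allowed_translations)  # least privilege: only listed pairs
        self.audit = audit

    def translate(self, enc_block: bytes, src_zone: str, dst_zone: str) -> bytes:
        if (src_zone, dst_zone) not in self._allowed:
            self.audit.append(f"{self.name}: DENIED translate {src_zone}->{dst_zone}")
            raise PermissionError(f"{self.name} may not translate {src_zone}->{dst_zone}")
        clear = _xor_with_key(enc_block, self._keys[src_zone])   # clear PIN lives only here
        out = _xor_with_key(clear, self._keys[dst_zone])
        self.audit.append(f"{self.name}: translate {src_zone}->{dst_zone}")
        return out

    def verify(self, enc_block: bytes, zone: str, pan: str, reference_pin: str) -> bool:
        # Simplification: a real issuer HSM checks a PVV or PIN offset, not a stored PIN
        clear = _xor_with_key(enc_block, self._keys[zone])
        ok = hmac.compare_digest(pin_from_block(clear, pan), reference_pin)
        self.audit.append(f"{self.name}: verify in zone {zone} -> {'ok' if ok else 'fail'}")
        return ok


def run_chain(pin="1234", pan="4111111111111111", reference_pin="1234", rogue_request=False):
    """Constructed three-hop chain: ATM -> acquirer HSM -> network HSM -> issuer HSM.
    Returns (verified, audit_log)."""
    audit = []
    tpk, zpk_net, zpk_iss = b"K-terminal", b"K-acq-to-net", b"K-net-to-issuer"  # constructed keys
    acquirer = Hsm("acquirer", {"TPK": tpk, "ZPK_NET": zpk_net}, {("TPK", "ZPK_NET")}, audit)
    network = Hsm("network", {"ZPK_NET": zpk_net, "ZPK_ISS": zpk_iss}, {("ZPK_NET", "ZPK_ISS")}, audit)
    issuer = Hsm("issuer", {"ZPK_ISS": zpk_iss}, set(), audit)

    enc = _xor_with_key(iso0_pin_block(pin, pan), tpk)  # encrypted inside the ATM pin pad
    if rogue_request:
        # A translation outside the configured policy is refused and logged, not served
        network.translate(enc, "ZPK_NET", "TPK")
    enc = acquirer.translate(enc, "TPK", "ZPK_NET")
    enc = network.translate(enc, "ZPK_NET", "ZPK_ISS")
    return issuer.verify(enc, "ZPK_ISS", pan, reference_pin), audit


if __name__ == "__main__":
    verified, log = run_chain()
    print("verified:", verified)
    print("\n".join(log))
```

The `_allowed` table is the part worth taking from this: an HSM that will translate between any two keys it holds is the "bloated function" problem in miniature, and the audit entries are what a monitoring team would alert on when a denied or unexpected translation shows up.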

The problem is that these devices are managed by different companies, sometimes even by sub-contractors, and they have to be very flexible. Whoever manages them, the wide range of tasks they are required to perform leaves room for vulnerabilities.

From Wired: '"Essentially, the thief tricks the HSM into providing the encryption key," says Sartin. "This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device."'