Monday, 31 October 2011

Cash machine (ATM) cracking

A weakness in the way ATMs verify customers' personal ID numbers means that a corrupt bank worker could steal over £2m in one lunch hour.

In a paper entitled Decimalisation table attacks for PIN cracking, Mike Bond and Piotr Zielinski note that there is a vulnerability in the way offline ATMs verify PINs. This vulnerability allows an attacker to successfully guess a PIN in 24 or even 15 attempts.

The paper, which was published in 2003, suggests that the long term solution is to protect or remove decimalisation tables. A much more recent paper demonstrates the attack, while also including nice examples using the classic 70s game Mastermind.