Entries Tagged "PINs"


Attack Against Point-of-Sale Terminal

Clever attack:

When you pay a restaurant bill at your table using a point-of-sale machine, are you sure it’s legit? In the past three months, Toronto and Peel police have discovered many that aren’t.

In what is the latest financial fraud, crooks are using distraction techniques to replace merchants’ machines with their own, police say. At the end of the day, they create another distraction to pull the switch again.

Using information inputted by customers, including PIN data, the criminals are reproducing credit cards at an alarming rate.

Presumably these hacked point-of-sale terminals look and function normally, and additionally save a copy of the credit card information.

Note that this attack works despite any customer-focused security, like chip-and-PIN systems.

Posted on June 19, 2012 at 1:02 PM

"1234" and Birthdays Are the Most Common PINs

Research paper: “A birthday present every eleven wallets? The security of customer-chosen banking PINs,” by Joseph Bonneau, Sören Preibusch, and Ross Anderson:

Abstract: We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims’ birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11-18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one’s date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.

Blog post.

EDITED TO ADD (2/22): News article

Posted on February 21, 2012 at 7:36 AM

Improving the Security of Four-Digit PINs on Cell Phones

The author of this article notices that it’s often easy to guess a cell phone PIN because of smudge marks on the screen. Those smudge marks indicate the four PIN digits, so an attacker knows that the PIN is one of 24 possible permutations of those digits.

Then he points out that if your PIN has only three different digits — 1231, for example — the PIN can be one of 36 different possibilities.

So it’s more secure, although not much more.
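The counts above can be checked, and extended to other PIN shapes, with a short calculation. This is an added example, not code from the article or the original post; it generalises beyond the two cases in the text to any PIN length and any number of distinct smudged digits, and the function names are my own.

```python
from itertools import product
from math import comb

def count_pins(length, smudged):
    """Number of PINs of `length` digits that use every smudged digit at
    least once and no other digit (inclusion-exclusion over omitted digits)."""
    k = len(set(smudged))
    return sum((-1) ** j * comb(k, j) * (k - j) ** length for j in range(k + 1))

def enumerate_pins(length, smudged):
    """Brute-force cross-check: list the same PINs explicitly."""
    digits = sorted(set(smudged))
    return ["".join(p) for p in product(digits, repeat=length)
            if set(p) == set(digits)]

def search_space_by_distinct_digits(length):
    """Candidates left after the smudges are seen, for each possible
    number of distinct digits in a PIN of this length."""
    return {k: count_pins(length, "0123456789"[:k])
            for k in range(1, min(length, 10) + 1)}

if __name__ == "__main__":
    for length in (4, 6):
        print(length, search_space_by_distinct_digits(length))
```

For a 4-digit PIN the best case is the 36 in the text; for a 6-digit PIN the same reasoning favours five distinct digits over six.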

Posted on January 6, 2012 at 6:30 AM

Stealing ATM PINs with a Thermal Camera

It’s easy:

Researchers from UCSD pointed thermal cameras towards plastic ATM PIN pads and metal ATM PIN pads to test how effective they were at stealing PIN numbers. The thermal cams didn’t work against metal pads but on plastic pads the success rate of detecting all the digits was 80% after 10 seconds and 60% after 45 seconds. If you think about your average ATM trip, that’s a pretty wide window and an embarrassingly high success rate for thieves to take advantage of.

Paper here. More articles.

Posted on August 24, 2011 at 7:13 AM

Man-in-the-Middle Attack Against Chip and PIN

Nice attack against EMV (Eurocard Mastercard Visa), the “chip and PIN” credit card payment system. The attack allows a criminal to use a stolen card without knowing the PIN.

The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say “Verified by PIN”.

[…]

So what went wrong? In essence, there is a gaping hole in the specifications which together create the “Chip and PIN” system. These specs consist of the EMV protocol framework, the card scheme individual rules (Visa, MasterCard standards), the national payment association rules (UK Payments Association aka APACS, in the UK), and documents produced by each individual issuer describing their own customisations of the scheme. Each spec defines security criteria, tweaks options and sets rules — but none take responsibility for listing what back-end checks are needed. As a result, hundreds of issuers independently get it wrong, and gain false assurance that all bases are covered from the common specifications. The EMV specification stack is broken, and needs fixing.

Read Ross Anderson’s entire blog post for both details and context. Here’s the paper, the press release, and a FAQ. And one news article.

This is big. There are about a gazillion of these in circulation.

EDITED TO ADD (2/12): BBC video of the attack in action.
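A back-end check of the kind the quoted post says no specification takes responsibility for listing, as an added example that is not from the original post, the paper or the EMV specifications: the issuer compares the verification method the terminal reports with the one the card itself recorded under a key it shares with the issuer. The field names, the key and the HMAC construction are a simplified model assumed for illustration, not EMV message formats.

```python
import hashlib
import hmac
import json

CARD_KEY = b"constructed-demo-key"  # constructed; models a key shared by card and issuer

def _mac(key, body):
    blob = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def card_record(key, amount, nonce, card_cvm):
    """Card side: authenticate the transaction data together with the card's
    own view of how the cardholder was verified ("pin" or "signature")."""
    body = {"amount": amount, "nonce": nonce, "card_cvm": card_cvm}
    return {"body": body, "mac": _mac(key, body)}

def issuer_check(key, request):
    """Issuer back end: approve only if the card's authenticated view of the
    verification method matches what the terminal reports."""
    record = request["card_record"]
    body = record["body"]
    if not hmac.compare_digest(_mac(key, body), record["mac"]):
        return False, "card record fails authentication"
    if (body["amount"], body["nonce"]) != (request["amount"], request["nonce"]):
        return False, "card record is for a different transaction"
    if body["card_cvm"] != request["terminal_cvm"]:
        return False, "terminal reports %s, card recorded %s" % (
            request["terminal_cvm"], body["card_cvm"])
    return True, "verification method consistent"

def sample_requests():
    """Constructed authorisation requests as the issuer would receive them."""
    consistent = {"amount": 2500, "nonce": "a1", "terminal_cvm": "pin",
                  "card_record": card_record(CARD_KEY, 2500, "a1", "pin")}
    # The situation the post describes: terminal believes PIN, card believes signature.
    mismatch = {"amount": 2500, "nonce": "b2", "terminal_cvm": "pin",
                "card_record": card_record(CARD_KEY, 2500, "b2", "signature")}
    # Card record edited in transit without the key to hide the mismatch.
    edited = json.loads(json.dumps(mismatch))
    edited["card_record"]["body"]["card_cvm"] = "pin"
    return {"consistent": consistent, "mismatch": mismatch, "edited": edited}

if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, issuer_check(CARD_KEY, req))
```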

Posted on February 11, 2010 at 4:18 PM