Crack the PIN

Security of the PINs (Personal Identification Numbers) used with your debit and credit cards is an interesting topic. Behind the scenes, the way PINs are handled has evolved together with science, technology, and business, and secure operation has always been the number one priority here.

For example, take PIN entry devices. While the IT industry still struggles with the concept of endpoint security for computer systems, financial institutions have had vast networks of secure PIN pads for ages. They are at least tamper-evident, initialised in secure environments, and rendered unusable if someone tries to tamper with them.

Attacks on PINs evolve too. The rapid increase in computing capacity made PIN brute forcing possible. Here’s the attack against VISA PVV DES encryption. Further cryptanalysis gave us the decimalisation table attacks – which also require quite a high level of access to the systems dealing with PINs.

Along comes The Unbearable Lightness of PIN Cracking. This “attack” not only requires something like full ownership of the ATM processing network, but also uses certain APIs to the hardware security modules that generally don’t exist. Yes, that’s an illustration of the unbearable lightness of sensationalist bulldust.

Which got me thinking: are PINs really so secure? I came to the conclusion that one trivial attack – namely, distributed manual brute forcing – is largely overlooked. The idea is simple: as most cards have four-digit PINs and a card’s magnetic stripe is easily copied, massively parallel brute forcing yields certain success. Either the scenario is thought to be too hard to implement (ATMs were quite rare just a few years back), or the risk is considered low for another reason – I don’t know. Still, the attack doesn’t seem to be publicly discussed anywhere, so I have published an article about it in 2600 – The Hacker Quarterly. I also think that fraud monitoring systems may not be much help in certain situations – namely, if the PIN is verified against the PIN verification value stored on the card before the transaction is sent to the issuer for authorisation (funds available checks, etc.). If that is the case, unsuccessful PIN tries aren’t visible to the bank, and the whole distributed PIN brute forcing attempt will be virtually undetectable.

Similarly to Windows security, backwards compatibility is going to be risky for the banks for a long while.

2 thoughts on “Crack the PIN”

  1. Hi Slav,

    You probably know more about this than me (since you work for a bank), but I remember reading in Bruce Schneier’s “Secrets and Lies” book that bank ATM networks are able to detect the use of the same card across multiple ATM machines (basically to prevent someone “skimming” a card and then using a cloned card at a nearby ATM). In that case, a bank’s ATM network would be able to detect the near simultaneous use of the same card across multiple ATMs, especially in a geographically dispersed manner.

  2. Ken, the issue is that fraud monitoring systems are implemented at the issuer bank, but PIN validation is sometimes done by Visa/Mastercard (esp. for smaller banks and credit unions) – before the transaction is sent to the issuer. The fraud monitoring system will flag your card and account if you make a purchase in Sydney and Istanbul within an hour; but not necessarily if you try to validate a PIN.
    And then there are integration issues: the fraud monitoring system may not automatically put the card on the stop-list.
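The visibility gap described in the post and in the reply to Ken above, as an added illustration that is not part of the original post: a velocity check of the kind Ken mentions (same card, different cities, within an hour) run over a constructed event log, once with PIN failures reaching the issuer and once with the PIN verified upstream against the card’s PVV so that only authorisation requests arrive. The event format, card numbers and cities are made up for the example.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample ATM events (hypothetical format):
# (card, atm_city, timestamp, event).  'pin_fail' is raised where the PIN is
# checked; 'auth_request' is what is forwarded to the issuer for authorisation.
EVENTS = [
    ("4111-0001", "Sydney",   "2010-05-01T10:00:00", "pin_fail"),
    ("4111-0001", "Istanbul", "2010-05-01T10:20:00", "pin_fail"),
    ("4111-0001", "Berlin",   "2010-05-01T10:40:00", "pin_fail"),
    ("4111-0002", "Sydney",   "2010-05-01T11:00:00", "auth_request"),
    ("4111-0002", "Istanbul", "2010-05-01T11:30:00", "auth_request"),
    ("4111-0003", "Sydney",   "2010-05-01T12:00:00", "auth_request"),
]

WINDOW = timedelta(hours=1)


def issuer_view(events, pin_checked_at_issuer):
    """Return the events the issuer's fraud monitoring actually receives.
    If the network verifies the PIN against the PVV on the card, failed
    attempts never reach the issuer; only authorisation requests do."""
    if pin_checked_at_issuer:
        return list(events)
    return [e for e in events if e[3] == "auth_request"]


def velocity_flags(events, window=WINDOW):
    """Flag cards seen in two different cities within `window` of each other."""
    by_card = defaultdict(list)
    for card, city, ts, _ in events:
        by_card[card].append((datetime.fromisoformat(ts), city))
    flagged = set()
    for card, uses in by_card.items():
        uses.sort()
        for (t1, c1), (t2, c2) in zip(uses, uses[1:]):
            if c1 != c2 and t2 - t1 <= window:
                flagged.add(card)
    return flagged


def run(pin_checked_at_issuer):
    """Cards the issuer's monitoring would flag under each PIN-check placement."""
    return velocity_flags(issuer_view(EVENTS, pin_checked_at_issuer))


if __name__ == "__main__":
    print("PIN checked at issuer :", sorted(run(True)))   # both cards flagged
    print("PIN checked upstream  :", sorted(run(False)))  # the failing card vanishes
```

Card 4111-0001, which only ever produces failed PIN attempts, is flagged when the issuer sees those attempts and invisible when they are absorbed upstream, which is exactly the situation the post argues monitoring cannot help with.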
