The security of PINs (Personal Identification Numbers), the ones used with your debit and credit cards, is an interesting topic. Behind the scenes, the way PINs are handled has evolved together with science, technology and business, and secure operation has always been the number one priority.
Take PIN entry devices, for example. While the IT industry still struggles with the concept of endpoint security for computer systems, financial institutions have had vast networks of secure PIN pads for ages. They are at least tamper-evident, are initialised in secure environments, and render themselves unusable if someone tries to modify them.
Attacks on PINs evolve too. The rapid increase in computing capacity made PIN brute forcing possible; here's the attack against VISA PVV DES encryption. Further cryptanalysis gave us the decimalisation table attacks, which also require quite a high level of access to the systems that deal with PINs.
Along comes The Unbearable Lightness of PIN Cracking. This “attack” not only requires something like full ownership of the ATM processing network, but also uses certain APIs to the hardware security modules that generally don't exist. Yes, that's an illustration of the unbearable lightness of sensationalist bulldust.
Which got me thinking: are PINs really so secure? And I came to the conclusion that one trivial attack, namely distributed manual brute forcing, is largely overlooked. The idea is simple: most cards use four-digit PINs (only 10,000 possibilities) and a magnetic stripe is trivially copied, so massively parallel brute forcing across many cloned cards and many ATMs is bound to succeed eventually. Either the scenario is thought to be too hard to implement (ATMs were quite rare just a few years back), or the risk is considered low for another reason; I don't know. Still, the attack doesn't seem to be publicly discussed anywhere, so I have published an article about it in 2600 – The Hacker Quarterly.
Also, I think that fraud monitoring systems may not be much of a help in certain situations, namely if the PIN is verified against the PIN verification value stored on the card before the transaction is sent to the issuer for authorisation (funds available checks, etc.). If that is the case, unsuccessful PIN tries aren't visible to the bank, and the whole distributed PIN brute forcing attempt will be virtually undetectable.
As with Windows security, backwards compatibility is going to be a risk for the banks for a long while.
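To make the scenario above concrete, here is an added example in Go (not from the original post or the 2600 article). It derives a VISA-style PVV for a constructed card, then runs a brute force over all 10,000 four-digit PINs, spread over many stripe clones, in two modes: the one the post describes, where the PIN is checked against the track PVV before the transaction reaches the issuer, and the conventional one where every attempt is forwarded and the issuer blocks the PAN after three failures. The PAN, PIN and PVK are made up; the PVV derivation follows the published VISA method (TSP = 11 PAN digits, PVKI and PIN, 3DES under the PVK, decimalised), while the ATM/acquirer model is a deliberate simplification.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Card is what a skimmer copies from track 2: the PAN plus the PVKI and PVV in
// the discretionary data. The PIN itself is not on the stripe.
type Card struct {
	PAN  string
	PVKI byte // PIN Verification Key Indicator, an ASCII digit
	PVV  string
}

// Made-up double-length PIN Verification Key. A real PVK never leaves the HSM.
var pvk, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")

// ComputePVV follows the VISA PVV method: TSP = rightmost 11 PAN digits (check
// digit excluded) || PVKI || PIN, 3DES-encrypted under the PVK, then decimalised.
func ComputePVV(pan string, pvki byte, pin string, key []byte) string {
	if len(pan) < 12 || len(pin) != 4 || len(key) != 16 {
		panic("need a PAN of 12+ digits, a 4-digit PIN and a 16-byte PVK")
	}
	body := pan[:len(pan)-1] // drop the Luhn check digit
	tsp, err := hex.DecodeString(body[len(body)-11:] + string(pvki) + pin) // 16 digits -> 8 bytes
	if err != nil || len(tsp) != 8 {
		panic("TSP must be 16 decimal digits")
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...)) // K1||K2||K1
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, tsp)
	return decimalise(hex.EncodeToString(out))
}

// decimalise takes the first four decimal digits of the hex ciphertext; if there
// are fewer than four, it continues with a..f mapped to 0..5.
func decimalise(h string) string {
	d := ""
	for _, pass := range []string{"0123456789", "abcdef"} {
		for i := 0; i < len(h) && len(d) < 4; i++ {
			if j := strings.IndexByte(pass, h[i]); j >= 0 {
				d += string(rune('0' + j))
			}
		}
	}
	return d
}

func IssueCard(pan string, pvki byte, pin string) Card {
	return Card{PAN: pan, PVKI: pvki, PVV: ComputePVV(pan, pvki, pin, pvk)}
}

// VerifyPIN is what the party holding the PVK does with an entered PIN.
func VerifyPIN(c Card, pin string) bool { return ComputePVV(c.PAN, c.PVKI, pin, pvk) == c.PVV }

// CollidingPINs lists every PIN that yields this card's PVV. The PVV is only
// four digits, so wrong PINs can verify alongside the real one.
func CollidingPINs(c Card) []string {
	var hits []string
	for n := 0; n < 10000; n++ {
		if pin := fmt.Sprintf("%04d", n); VerifyPIN(c, pin) {
			hits = append(hits, pin)
		}
	}
	return hits
}

type Outcome struct {
	Success   bool
	PIN       string // first PIN accepted
	Guesses   int    // PIN entries across all clones
	IssuerSaw int    // attempts that reached the issuer
	Blocked   bool   // issuer retry counter tripped
}

// DistributedBruteForce walks 0000..9999 with a budget of clones*perClone entries
// (entry n is made by clone n/perClone at its own ATM). With offlinePVV the
// acquirer checks the PIN against the track PVV before going online (the post's
// scenario): only a match is forwarded, so the issuer never sees a failure.
// Otherwise every entry reaches the issuer, which blocks the PAN after `limit`
// failures.
func DistributedBruteForce(c Card, clones, perClone, limit int, offlinePVV bool) Outcome {
	var o Outcome
	for n := 0; n < clones*perClone && n < 10000; n++ {
		pin := fmt.Sprintf("%04d", n)
		o.Guesses++
		ok := VerifyPIN(c, pin)
		if offlinePVV && !ok {
			continue // rejected locally; invisible to the issuer's fraud monitoring
		}
		o.IssuerSaw++
		if ok {
			o.Success, o.PIN = true, pin
			return o
		}
		if o.IssuerSaw >= limit {
			o.Blocked = true
			return o
		}
	}
	return o
}

func main() {
	card := IssueCard("4000123456789010", '1', "7391") // constructed PAN and PIN
	fmt.Printf("PVV on track: %s, PINs that verify: %v\n", card.PVV, CollidingPINs(card))
	fmt.Printf("PVV checked before issuer: %+v\n", DistributedBruteForce(card, 3334, 3, 3, true))
	fmt.Printf("issuer counts every try:   %+v\n", DistributedBruteForce(card, 3334, 3, 3, false))
}
```

In the first mode the issuer sees exactly one attempt, the successful one, however many thousand guesses the clones made; in the second the run stops at the retry limit, which is the control that makes the PIN space of 10,000 survivable. Note also that `CollidingPINs` may list wrong PINs that verify: a four-digit PVV cannot distinguish all 10,000 PINs, so the effective search space is slightly smaller than it looks.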