The Register 2003-02-21
Cambridge researchers have documented a worrying PIN cracking technique against the hardware security modules commonly used by bank ATMs.
How to get an ATM PIN number in 15 guesses
2003-02-22
Anthony M. Saffer <anthony (at) safferconsulting (dot) com [email concealed]>

User "porky" has an ATM account; his PIN is "1118" (for example).
Someone co-opts his card and goes to an ATM attempting to guess the PIN. They submit "5555". This encoded transmission is sent to the database. Cross-referencing "porky" and "5555", this is not a match (boolean FALSE result).
The database sends an encrypted "FAIL" result back. The ATM ejects the card with an invalid login and marks the account as having 1 bad login attempt.
Repeat until bad login attempts >2, then lock the account, call "porky", keep the card inside the ATM (possibly dumping it to an internal shredder), and activate the ATM camera for 15 seconds.
Done.
Link to this comment: http://www.securityfocus.com/comments/articles/2584/18279#18279
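
The lockout flow described in the comment above, as an added Python example that is not part of the original post. The names `Verifier`, `pin_tag` and the action strings are hypothetical, and storing a keyed hash instead of the PIN and clearing the counter on a good login are assumptions the comment does not state.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

MAX_BAD_ATTEMPTS = 2  # the comment locks once bad attempts exceed 2


def pin_tag(key: bytes, account: str, pin: str) -> bytes:
    """Keyed hash of account+PIN, so the database never holds the PIN (assumption)."""
    return hmac.new(key, f"{account}:{pin}".encode(), hashlib.sha256).digest()


@dataclass
class Account:
    tag: bytes
    bad_attempts: int = 0
    locked: bool = False


@dataclass
class Verifier:
    key: bytes
    accounts: dict = field(default_factory=dict)

    def enroll(self, name, pin):
        self.accounts[name] = Account(pin_tag(self.key, name, pin))

    def attempt(self, name, pin):
        """Return the actions the ATM is told to take for one PIN entry."""
        acct = self.accounts[name]
        if acct.locked:
            return ["FAIL", "retain_card"]  # refused even if the PIN is right
        if hmac.compare_digest(acct.tag, pin_tag(self.key, name, pin)):
            acct.bad_attempts = 0  # assumption: a good login clears the counter
            return ["OK"]
        acct.bad_attempts += 1  # counter lives with the account, not the ATM
        if acct.bad_attempts > MAX_BAD_ATTEMPTS:
            acct.locked = True
            return ["FAIL", "lock_account", "notify_holder", "retain_card", "camera_15s"]
        return ["FAIL", "eject_card"]


def demo():
    v = Verifier(key=b"constructed-demo-key")
    v.enroll("porky", "1118")
    guesses = ["5555", "0000", "1234", "1118"]  # constructed; the last one is correct
    return [v.attempt("porky", g) for g in guesses]
```

Because the counter is held per account on the database side, moving to a different ATM does not give the card holder fresh attempts.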