
Hackers have learned to decrypt PIN codes

Suspicions that a technique for decrypting PIN codes, which are transmitted in encrypted form, had become available to attackers existed earlier, but with the publication of Verizon's 2009 Data Breach Investigations Report they are now officially confirmed for the first time.
It turned out that the encrypted packets, before they reach the destination bank, pass through many hardware encryption modules (HSM; pictured: an HSM with a PCI interface) belonging to other banks. Because these HSMs have different settings and operating modes, packets with PIN codes must be decrypted and re-encrypted at each node with a new public key, which is paired with the private key of that particular HSM and is accessible through the API. Hackers have now learned to recover the HSM's private key if that node is configured incorrectly. Once hackers manage to decrypt a single PIN code, they can easily decrypt the entire set of PIN codes that pass through that HSM.
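To make the routing problem described above concrete, here is an added simulation (not code from the article or from Verizon) of a PIN block travelling through a chain of translation nodes. It assumes ISO 9564-1 format 0 PIN blocks, a symmetric per-node key (the article speaks of key pairs; the key type is abstracted here, and HMAC-SHA256 in counter mode stands in for the HSM's block cipher), and constructed PANs and PINs. The point it shows is the blast radius: each node briefly holds the block in clear, so whatever traffic passes one node is exposed in full if that single node's key is recovered.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

NONCE_LEN = 12


def _pan_field(pan: str) -> bytes:
    # 12 rightmost PAN digits excluding the check digit, left-padded with zeros (ISO 9564-1 format 0)
    return bytes.fromhex("0000" + pan[-13:-1].rjust(12, "0"))


def encode_pin_block(pin: str, pan: str) -> bytes:
    """Build a format 0 PIN block: PIN field XOR PAN field, 8 bytes."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field), _pan_field(pan)))


def decode_pin_block(block: bytes, pan: str) -> str:
    """Recover the PIN from a format 0 block; raises if the block is not format 0."""
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    return pin_field[2:2 + int(pin_field[1], 16)]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for the HSM cipher, an assumption of this example
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, message: bytes) -> bytes:
    nonce, body = message[:NONCE_LEN], message[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


class Hsm:
    """One node on the route; holds the key under which traffic arrives at it."""

    def __init__(self, name: str, key: Optional[bytes] = None):
        self.name = name
        self.key = key or secrets.token_bytes(32)

    def translate(self, message: bytes, next_hop: "Hsm") -> bytes:
        # Between these two calls the PIN block exists in clear inside this node.
        clear = decrypt(self.key, message)
        return encrypt(next_hop.key, clear)


def route_pin(pin: str, pan: str, chain: List[Hsm]) -> List[bytes]:
    """Return the ciphertext on the wire at the input of every node, in order."""
    on_wire = [encrypt(chain[0].key, encode_pin_block(pin, pan))]
    for current, following in zip(chain, chain[1:]):
        on_wire.append(current.translate(on_wire[-1], following))
    return on_wire


def issuer_verify(chain: List[Hsm], on_wire: List[bytes], pan: str, expected_pin: str) -> bool:
    """The last node (issuer side) decrypts the final message and checks the PIN."""
    return decode_pin_block(decrypt(chain[-1].key, on_wire[-1]), pan) == expected_pin


def pins_exposed_by_node(hop_index: int, chain: List[Hsm],
                         traffic: List[Tuple[str, List[bytes]]]) -> List[str]:
    """Blast radius: every PIN in the traffic entering one node is readable with that node's key alone."""
    key = chain[hop_index].key
    return [decode_pin_block(decrypt(key, wire[hop_index]), pan) for pan, wire in traffic]


if __name__ == "__main__":
    # Constructed sample data: three transit nodes, two cardholders.
    nodes = [Hsm("acquirer"), Hsm("transit-bank"), Hsm("issuer")]
    sample = [("1234", "4000001234567899"), ("987654", "5100009876543217")]
    seen = [(pan, route_pin(pin, pan, nodes)) for pin, pan in sample]
    for (pin, pan), (_, wire) in zip(sample, seen):
        print(pan, "verified at issuer:", issuer_verify(nodes, wire, pan, pin))
    print("exposed by transit-bank key alone:", pins_exposed_by_node(1, nodes, seen))
```

Because every node re-encrypts for the next one, the exposure of the middle node covers all traffic that crosses it, regardless of how well the acquirer and issuer nodes themselves are configured; that is the structural weakness the article is pointing at.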
Experts learned about the practical use of this technique only after the fact, when a few months ago they began investigating a wave of fraudulent withdrawals that swept across the world in 2008-2009 (before that they had noticed interest in the topic on Russian hacker forums, but could not understand what it was connected with).
The chart shows statistics on the number of compromised bank accounts, including card accounts (source: Verizon). As you can see, this number is already double the population of, for example, Russia. In fact, far more cards have been compromised, so that they already make up a noticeable percentage of all bank cards in circulation.

But knowing the PIN code, money can be withdrawn not only from the card but directly from the user's bank account, and it will be extremely difficult to prove fraud and get the money back later.
According to Verizon's experts, the problem can only be solved by a radical change to the infrastructure of the world's payment systems. In effect, a new system needs to be built from scratch.
via Wired