Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Security hole in cash machines

  • 09-11-2001 11:19am
    #1
    logic1
    Closed Accounts Posts: 3,859 ✭✭✭


    http://news.bbc.co.uk/hi/english/sci/tech/newsid_1645000/1645552.stm
    A serious weakness has been discovered in the methods used by banks to protect the personal identification number (Pin) that lets you get money from a cash machine.


    Madness... was an interesting bit on BBC about it last night. Loads of hairy unix types commenting on it.

    .logic.


Comments

  • #2
    Trojan
    Registered Users, Registered Users 2 Posts: 16,414 ✭✭✭✭Trojan


    There was an interesting reply on /. :
    [His brother] used to work as a contractor for Cirrus. He said that the PIN encryption was a private joke amongst all of the engineers there.
    The suits all believed that cryptographic mumbo-jumbo and really expensive chips sold by "connected" salespeople at IBM would
    protect the banks' assets. But, he said, the problems with the PIN were nearly impossible to solve. Consider:

    The PIN is four decimal digits = 10,000 combinations ~= somewhere between 13 and 14 bits of security. It is entirely feasible for a
    quick P4 to encrypt every single PIN within an hour, with time left over to play Unreal Tournament.
    There is no trusted path between the user's memory and the bank. Fake ATMs have been installed in shopping malls, collecting
    PINs and ATM cards from unsuspecting victims. Do you *really trust* every single PIN keypad at every shady gas station,
    grocery store, and Wal-Mart, not to have logging devices installed? Replay attacks are not rocket science.
    Embedding DES keys inside a chip will inevitably lead to compromise. One needs to look no farther than the DirecTV access
    cards (particularly the H and F cards) to see the amount of damage that a few determined hobbyists can do. Imagine if there are
    billions of dollars at stake rather than just a little free TV.

    Regardless, this is not a widespread problem. It is a weak system and it was always a weak system. But it's not worth thieves' time to
    steal PINs yet (for the most part anyway) just because PINless credit card fraud is still so easy.

    http://slashdot.org/article.pl?sid=01/11/09/008229&mode=thread

    Al.

    🎙️ The Recognized Authority Podcast



Advertisement