Experts continue to be amazed at how hackers manage to begin the practical use of methods that a year ago were considered only theoretically possible, and only in a narrow academic environment. Now they have learned to remove PIN codes from our cards without directly entering the ATM we use. To do this, it is enough to find a weak node in the network through which packets travel from the ATM to the bank.
There have been suspicions that attackers have access to a technique for decrypting PIN codes that are transmitted in encrypted form, but after the publication of the 2009 Data Breach Investigations report from Verizon, they are now officially confirmed for the first time.
It turned out that encrypted packets, until they reach the destination bank, on their way pass through many hardware encryption modules (HSM, in the photo - HSM with a PCI interface) from other banks. Because these HSMs have different settings and modes of operation, the PIN packets have to be decrypted at each node and re-encrypted with a new public key, which is paired with the private key of that particular HSM, available through the API. So, now hackers have learned to recognize the private key of an HSM if this node is not configured correctly. Once hackers are able to decrypt one PIN, they can easily decrypt the entire array of PINs that pass through that HSM.
Experts learned about the practical application of this technique only after the fact, when several months ago they began to investigate the wave of fraudulent withdrawals that swept across the world in 2008-2009 (before that, they noticed interest in the topic on Russian hacker forums, but could not understand why connected).
The chart shows statistics on the number of compromised bank accounts, including card accounts (source: Verizon). As you can see, this number is already twice the number of residents, for example, in Russia. In fact, many more cards have been compromised, so that they already make up a significant percentage of the total number of all bank cards in circulation.
But knowing the PIN code, you can withdraw money not only from the card, but directly from the user’s bank account, and it will be extremely difficult to prove fraud and return the money later.
According to Verizon experts, the problem can only be solved by a radical change in the infrastructure of global payment systems. In fact, a new system needs to be created from scratch.
There have been suspicions that attackers have access to a technique for decrypting PIN codes that are transmitted in encrypted form, but after the publication of the 2009 Data Breach Investigations report from Verizon, they are now officially confirmed for the first time.
It turned out that encrypted packets, until they reach the destination bank, on their way pass through many hardware encryption modules (HSM, in the photo - HSM with a PCI interface) from other banks. Because these HSMs have different settings and modes of operation, the PIN packets have to be decrypted at each node and re-encrypted with a new public key, which is paired with the private key of that particular HSM, available through the API. So, now hackers have learned to recognize the private key of an HSM if this node is not configured correctly. Once hackers are able to decrypt one PIN, they can easily decrypt the entire array of PINs that pass through that HSM.
Experts learned about the practical application of this technique only after the fact, when several months ago they began to investigate the wave of fraudulent withdrawals that swept across the world in 2008-2009 (before that, they noticed interest in the topic on Russian hacker forums, but could not understand why connected).
The chart shows statistics on the number of compromised bank accounts, including card accounts (source: Verizon). As you can see, this number is already twice the number of residents, for example, in Russia. In fact, many more cards have been compromised, so that they already make up a significant percentage of the total number of all bank cards in circulation.
But knowing the PIN code, you can withdraw money not only from the card, but directly from the user’s bank account, and it will be extremely difficult to prove fraud and return the money later.
According to Verizon experts, the problem can only be solved by a radical change in the infrastructure of global payment systems. In fact, a new system needs to be created from scratch.
