How Banks Use HSM to Protect Data

[Mutt]

HSM (Hardware Security Module) is a specialized device used by banks to protect cryptographic transactions and sensitive data such as encryption keys, PIN codes and bank card data. HSM provides secure storage, generation and processing of cryptographic keys, preventing their compromise, which is critical for protection against carding, including attempts to use skimmed data (card dumps). For educational purposes, I will describe in detail how banks use HSM to protect data, its technical aspects, integration with other systems, effectiveness and limitations in the context of combating fraud.

1. What is HSM and its purpose in banks​

HSM is a hardware device with a secure architecture, certified to standards such as FIPS 140-2/3 or Common Criteria EAL4+, designed to perform cryptographic operations and store keys in a secure environment.

Purpose in banks:

• Cryptographic Key Storage: Protects keys used to encrypt card data, PINs and transactions.
• Cryptographic operations: Performs encryption, decryption, signing and verification of transactions (e.g. EMV ARQC).
• PIN Security: Ensures secure creation, verification, and transmission of PIN codes.
• Transaction Authentication: Confirms the authenticity of transactions, including 3D-Secure (3DS) and EMV chips.
• Fraud Prevention: Protects against attacks such as skimming, data interception or card cloning.

In the context of carding: HSM prevents skimmed data (e.g. PAN, CVV) from being used to create cloned cards or bypass 3DS, as the keys needed to forge transactions are not available to carders.

2. How banks use HSM to protect data​

HSMs are integrated into banking systems to perform cryptographic functions and protect sensitive data. Here are the main ways they are used:

a) Storage and management of cryptographic keys​

• Mechanism:
  • HSM stores keys in a secure hardware area (Secure Element) that is not accessible to outsiders.
  • Uses:
    • Master Keys: The main keys for encrypting card data and PIN codes.
    • Session Keys: Temporary keys for specific transactions.
    • Issuer Keys: Issuer bank keys for EMV and 3DS.
  • Example: The Master Key for EMV transactions is stored in the HSM and never leaves the device.
• How it protects:
  • The keys are not available even to the bank's system administrators.
  • Any attempt at physical or software access to the HSM causes the keys to self-destruct (tamper resistance).
• Technical details:
  • HSM (e.g. Thales payShield, SafeNet Luna) uses hardware encryption (AES-256, RSA-2048).
  • Keys are generated inside the HSM using a hardware random number generator (TRNG).
  • Example: HSM generates Master Key:
    

    MK: 0123456789ABCDEF0123456789ABCDEF (128-бит AES)

• Impact on carding:
  • Carders who skim card data (PAN, CVV) cannot forge an EMV transaction without the Issuer Key stored in the HSM.

b) Processing PIN codes​

• Mechanism:
  • HSM generates, encrypts and verifies PIN codes for cards.
  • PIN codes are stored in encrypted form (e.g. PIN Block according to ISO 9564 standard).
  • Example: User enters PIN at ATM, HSM verifies it by comparing with encrypted PIN Block.
• How it protects:
  • The PIN is never transmitted in clear text, even within the bank.
  • Skimmers that intercept the PIN (via cameras or keypads) cannot use it without access to the HSM.
• Technical details:
  • PIN Block is encrypted using 3DES or AES:
    

    PIN Block: 041234F8F8F8F8F8 (PIN: 1234, padding: F)

  • The HSM performs PIN verification via the VERIFY PIN command.
• Impact on carding:
  • Carders using skimmed data - dump with PIN - are unable to conduct a transaction because the HSM rejects unauthorized requests.

c) Support for EMV transactions​

• Mechanism:
  • The HSM handles cryptographic operations for EMV chips, including ARQC (Authorization Request Cryptogram) generation and verification.
  • ARQC is a unique code generated by the card chip and verified by the issuing bank's HSM.
  • Example: Card generates ARQC using Session Key, HSM verifies it using Issuer Key.
• How it protects:
  • Without the Issuer Key stored in the HSM, ARQC cannot be forged.
  • Skimmed data (PAN, expiration date) is useless for EMV transactions.
• Technical details:
  • HSM uses algorithms:
    • 3DES for ARQC generation (obsolete, but still used).
    • AES-128/256 for new systems.
    • RSA-2048 for signing certificates.
  • ARQC example:
    

    ARQC: 8A023123456789AB

  • The HSM issues the GENERATE AC command to verify.
• Impact on carding:
  • Carders attempting to clone an EMV chip cannot generate a valid ARQC without the HSM keys.

d) 3D-Secure (3DS) support​

• Mechanism:
  • HSM generates and verifies cryptographic signatures for 3DS transactions (e.g. Verified by Visa, MasterCard SecureCode).
  • Used to authenticate OTP (one-time passwords) or biometric data.
  • Example: HSM signs the OTP sent to the user's phone and verifies it as it is entered.
• How it protects:
  • OTP or biometrics verified by HSM are not accessible to carders using skimmed data.
• Technical details:
  • HSM uses HMAC-SHA256 to sign OTP:
    

    HMAC: 5f4c2a9b7e3d1c0f8a9b7e3d1c0f8a9b

  • Integration with ACS (Access Control Server) for 3DS.
• Impact on carding:
  • Skimmed data is useless in 3DS stores as the HSM requires OTP.

e) Encryption of transmission channels​

• Mechanism:
  • HSM encrypts data transmitted between the bank, ATM, POS terminal and payment systems (VisaNet, MasterCard).
  • Uses TLS 1.2/1.3 or proprietary protocols (e.g. ISO 8583 with encryption).
  • Example: Transaction data (PAN, amount) is encrypted using Session Key in HSM.
• How it protects:
  • Prevents data interception (e.g. through MITM attacks) even if the network is compromised.
• Technical details:
  • HSM generates a Session Key for each transaction:
    

    Session Key: 0123456789ABCDEF (AES-128)

  • Encryption is performed according to the PCI DSS standard.
• Impact on carding:
  • Carders intercepting data through skimmers cannot decrypt it without HSM keys.

f) Protection against physical and software hacking​

• Mechanism:
  • HSM has tamper resistance:
    • Physical sensors (temperature, pressure, light) destroy keys when an attempt is made to open them.
    • Software protection: Limited access via API (e.g. PKCS#11, JCE).
  • Example: Attempting to open a Thales payShield HSM causes keys to be erased.
• How it protects:
  • Even with physical access to the HSM, carders cannot extract the keys.
• Technical details:
  • HSMs are FIPS 140-2 Level 3/4 certified, providing protection against side-channel attacks (e.g. DPA).
  • Example: HSM detects a hacking attempt and sends a log:
    

    Event: Tamper detected, HSM ID: 12345, Action: Key zeroization

• Impact on carding:
  • Carders cannot obtain the Master Key to counterfeit EMV or 3DS, even with physical access to the HSM.

3. Integration of HSM with other systems​

• ATMs and POS terminals:
  • The HSM encrypts the PIN and transaction data transmitted from the ATM (e.g. NCR SelfServ) to the bank.
  • Example: PIN Block is encrypted by HSM before being sent via ISO 8583.
• Antifraud systems:
  • HSM verifies the authenticity of transactions that are analyzed by systems (Stripe Radar, Adyen) via GeoIP, Device Fingerprinting and behavioral analysis.
  • Example: HSM checks ARQC and Radar detects VPN (IP 104.28.12.45, NordVPN).
• 3D-Secure:
  • HSM signs and verifies OTP, integrating with ACS for authentication.
• Payment systems:
  • HSM interacts with VisaNet, MasterCard to verify transactions via TC40/SAFE.
  • Example: A skimmed card is added to the blacklist after HSM verification.

4. HSM's effectiveness in combating carding​

a) Against skimming​

• Magnetic stripe:
  • HSM encrypts PIN and transaction data, making skimmed data (PAN, CVV1) useless without keys.
  • Example: Skimmed Non-VBV card (479126) does not work at ATM due to missing PIN.
• EMV chip:
  • HSM checks ARQC, preventing chip cloning.
  • Example: Carder cannot forge ARQC for Auto-VBV bin (440393) without Issuer Key.

b) Against online fraud​

• 3DS:
  • HSM ensures OTP security by blocking the use of skimmed data in stores.
  • Example: Skimmed Non-MCSC card (523236) is rejected at a Stripe store due to missing OTP.
• Antifraud systems:
  • HSM verifies the authenticity of transactions, while GeoIP and Device Fingerprinting detect anomalies.
  • Example: Radar blocks transaction from Nigerian IP for US card.

c) Against card testing​

• HSM checks transactions, and anti-fraud systems identify patterns (multiple attempts).
• Example: Carder tests skimmed card in 5 stores, HSM confirms rejections, and Radar blocks the card.

5. Practical examples​

• Scenario 1: ATM Skimming:
  • The carder installs the skimmer, reads the card data and PIN.
  • The HSM encrypts the PIN Block, making it inaccessible without the Master Key.
  • Result: The carder cannot use the data to withdraw cash.
• Scenario 2: Online Transaction:
  • The carder uses skimmed Auto-VBV card data in the store.
  • HSM validates 3DS by requiring OTP, which the carder does not have.
  • Result: Transaction is declined, card is blocked.
• Scenario 3: HSM hack attempt:
  • The carder gains physical access to the bank's HSM.
  • An attempt to open the lock causes the keys to self-destruct.
  • Result: Keys for EMV and 3DS remain unavailable.

6. HSM limitations​

• Legacy systems:
  • Some banks use old HSMs with outdated algorithms (3DES) that are vulnerable to theoretical attacks.
  • Solution: Switch to AES-256 and FIPS 140-3.
• Social engineering:
  • HSM does not protect against phishing if the user reveals the OTP.
  • Solution: User training and biometrics.
• Infrastructure compromise:
  • If a bank's network is hacked, data can be intercepted before the HSM.
  • Solution: Encryption at all stages (TLS 1.3, PCI DSS).
• High cost:
  • HSMs (e.g. Thales payShield) cost $10,000–$50,000, which may limit their use in smaller banks.

7. Conclusion​

Banks use HSM to store cryptographic keys, process PIN codes, support EMV transactions, 3DS and encrypt transmission channels. HSM provides a high level of security thanks to hardware protection (FIPS 140-2/3), preventing key theft and transaction forgery. In the context of carding, HSM makes skimmed data useless because:

• Keys for EMV (ARQC) and 3DS (OTP) are not available.
• PIN codes are encrypted and verified only by the HSM.
• Anti-fraud systems (GeoIP, Device Fingerprinting) complement the protection.

HSM, in combination with Jitter technology, anti-skimming sensors and 3DS, significantly reduces the effectiveness of skimming and carding, making fraud expensive and risky. The limitations (outdated algorithms, social engineering) are compensated by modern standards and user education.

If you want to dive deeper into other aspects, such as how to set up rules in Stripe Radar to combat skimming or how EMV cryptography works, let me know!