Check this out: Bank ATMs cracked?!
- codewalker
- Enthusiast
- Posts: 331
- Joined: Mon Mar 27, 2006 2:08 pm
- Location: Spain
Looks like hackers are able to crack bank ATM machines. I really hope not, but read about it here:
http://blog.wired.com/27bstroke6/
Greetings
CW
Yeah, the weak point is in the Hardware Security Module (HSM), and the malware installed grabs the PIN from memory. It's been that way for years and I'm surprised they are just getting around to it now. Actually, it's really nothing new, as there have been other ways of grabbing PINs before, just not so close to a system core component like this. And what's worse, it has to happen and be injected in the network routing rooms/areas, which means an insider having access. I think it should be noted also that this did not become a reality until banks and corporations were prohibited by court ruling (in the U.S. at least, in 2006; I have it somewhere, if I find it again I'll post the link) from doing periodic in-depth background checks on most contractors (who are really doing this stuff): a check when they get initially employed, but after that none. All PIN numbers, at some point or another, from anywhere in the world, from any country, will eventually pass through an HSM portal in the U.S. because of the international partnership/interest/ownership of 99.9% of the banks in the world. And the same is true for PINs used in the U.S.; they will also pass through other HSMs located in other countries. And to make matters worse, outsourcing has placed these HSM points in the hands of contractors not even in the bank's own country, and in some other countries, like India for example, there are no background checks at all for any employees, and the bank (at least those in the U.S.) can't vet the employees of the outsourced foreign contractor.
The whole thing is a mess and as screwed up as a soup sandwich.
The HSM is a security device that sits on bank networks and on switches. The PIN numbers pass through it on their way from an ATM or point-of-sale to the card issuer. The module is a tamper-resistant device that provides a secure environment for functions such as encryption and decryption. The payment-card industry (PCI) standards for credit card transaction security say that PIN numbers are supposed to be encrypted in transit, which should theoretically protect them if someone intercepts the data. The PIN must pass through multiple HSMs across multiple bank networks while en route to the customer's bank, and that's where the problem lies. The HSMs are configured and managed differently, some by contractors not directly related to the bank. At every switching point the PIN is decrypted, then re-encrypted with the proper key for the next part of its journey, which is itself encrypted under a master key that is generally stored in the module or in the module's programming API.
Specially configured malware can be installed on the HSM, and it grabs the decrypted PIN numbers out of memory and writes them to a log file that can be retrieved later. Because it happens somewhere in a network routing room/area, there's no sign of problems at the ATM. And as long as the insider has access, the malware can stay in play, be updated at will and continue grabbing PINs.
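The decrypt-then-re-encrypt step at each switching point, as an added illustration in Go (example code written for this page, not from the post, the Wired article or any HSM vendor). It assumes double-length 3DES zone PIN keys, which the post does not specify, and the keys, PAN digits and PIN block are constructed test values. The clear block between the two cipher calls is the window the post's malware reads; the example zeroises it immediately, and the wider point is that this step must stay inside the tamper-resistant boundary rather than on the host.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// zoneCipher returns the 3DES cipher for a 16-byte (K1,K2) zone PIN key (ZPK),
// expanded to the K1,K2,K1 form Go expects. Real ZPKs are assumed, not known, to be 3DES here.
func zoneCipher(zpk []byte) (cipher.Block, error) {
	if len(zpk) != 16 {
		return nil, fmt.Errorf("zone PIN key must be 16 bytes")
	}
	return des.NewTripleDESCipher(append(append([]byte{}, zpk...), zpk[:8]...))
}

// translatePINBlock is the switching-point step the post describes: the 8-byte PIN
// block arrives under the incoming zone's key and leaves under the outgoing zone's.
// The clear block exists only between Decrypt and Encrypt and is zeroised right after;
// that window is what memory-scraping malware reads, which is why the step must run
// inside the HSM's tamper-resistant boundary and never on its general-purpose host.
func translatePINBlock(zpkIn, zpkOut, encIn []byte) ([]byte, error) {
	in, err := zoneCipher(zpkIn)
	out, err2 := zoneCipher(zpkOut)
	if err != nil || err2 != nil || len(encIn) != 8 {
		return nil, fmt.Errorf("bad zone key or encrypted PIN block")
	}
	clearBlock, encOut := make([]byte, 8), make([]byte, 8)
	in.Decrypt(clearBlock, encIn)
	out.Encrypt(encOut, clearBlock)
	for i := range clearBlock {
		clearBlock[i] = 0
	}
	return encOut, nil
}

func main() {
	zpkA, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // constructed test keys
	zpkB, _ := hex.DecodeString("89ABCDEF0123456710FEDCBA98765432")
	// Constructed ISO 9564 format 0 block for PIN 1234: "041234FFFFFFFFFF" XOR "0000" + 12 PAN digits.
	clearBlock, _ := hex.DecodeString("041234FEDCBA9876")
	a, _ := zoneCipher(zpkA)
	encA := make([]byte, 8)
	a.Encrypt(encA, clearBlock) // what the ATM/acquirer zone sends into the network
	encB, err := translatePINBlock(zpkA, zpkB, encA)
	fmt.Printf("under ZPK-A %x\nunder ZPK-B %x (err=%v)\n", encA, encB, err)
}
```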
Yeah, I've been hit twice in the last year with fraudulent charges on my check card.
What I'd like to see implemented is a system where each charge generates a text message sent to you with the store's name and the amount of the charge that you have to respond to for the transaction to be approved.
Not only would it provide an immediate alert that your card information has been compromised, but it would give you the ability to refuse the charge before the charge is added to your account.
It might also provide a way to arrest perpetrators of credit card fraud on the spot.
> What I'd like to see implemented is a system where each charge
> generates a text message sent to you
One of the banks here in Australia has offered that service for years.
I always thought it sounded good, but the logistics are terrible: what
if your phone is off when you want to buy something, or you left it at
home by mistake, or the battery runs out, or you get spammed with
lots of texts because lots of fraudsters are using your card, etc.
I compile using 5.31 (x86) on Win 7 Ultimate (64-bit).
"PureBasic won't be object oriented, period" - Fred.