But technology has changed over the past few years. The infrastructure is now built on Microsoft’s Windows operating system, and the cash machines themselves can be remotely diagnosed and repaired online. Unfortunately, this means that PIN codes have started to “leak” along the way — suggesting that industry guidelines on encryption are not always being followed.

Umm, Bill?

9 thoughts on “Ooops!”

  1. Not a “Bill” issue.

    Yes, the software for the ATMs is running on Windows (I seem to recall it’s the CE edition that people use), but if PINs are being sent out from the machine unencrypted, that’s down to the ATM manufacturer.

    The wilder possibility is that someone has broken triple DES encryption.

  2. Venture Creature

    While it could be (indeed seems more likely to be) a server security failure, I have understood from crypto friends of mine that the bank-level master passwords are potentially vulnerable to an attack based on obtaining a number of cards from the same bank.

  3. Worth noting as well that much much of the last ten to fifteen years ATMs have been a very profitable niche market for IBM’s OS/2 (the only place where it was still dominant or, indeed, used pretty much at all).

  4. > suggesting that industry guidelines on encryption are not always being followed.

    Ah, it is to laugh.

    Banks can be ridiculously complacent about this stuff. Talk to people on the inside, and the number of instances of passwords or encryption simply not being used at all is flabbergasting. (I’d say more, but I’d be breaking someone else’s confidentiality agreement, which wouldn’t be very nice of me.)

  5. There’s something odd about this.

    PIN codes are not stored in the machines, or transmitted to the banks when you draw cash.

    The PIN code is actually stored on your card, and verified against it. It would only exist in the ATM’s RAM at that moment (plus maybe swap files and such as part of the OS).

    The only place the bank stores the PIN, is the machine where it originates.

    Seems to me that the hackers have broken into the (supposedly) secure servers used for that purpose, rather than anything to do with ATM’s, and the details are being obfuscated by the banks for reasons of their own – probably CYA.

  6. Andrew,

    From what I understand, they don’t have chips on cards in the USA.

    There seems to be a number of PIN authentication systems around, but reading something on Star Network, that seems to send an encrypted PIN from the ATM to the customers bank (which makes sense as you can’t have each banks decryption keys on the ATM).

  7. While I’ve been out of the country, someone attempted to gain access to my bank accounts. They couldn’t get the password in three attempts, however, so they (and I) were locked out. The first I knew of this was when I attempted to check the accounts. There was no email informing me what had happened. Believe it or not, their only method of restoring internet access was to ask me to enter my ATM card number AND its PIN. I decided to leave access to the account locked until I get home instead. I’ll be looking for a new bank when I do.

  8. I don’t know the details of the encryption system used in ATMs, but I would assume a system based solely on PINs would be a challenge-response algorithm based around a cryptographic hash function. If the hackers have obtained access to the supposedly secure datastream between the ATM and the bank, they may simply have brute forced the hash algorithm to yield the PIN (effectively a form of replay attack). Then making a cloned card is easy.

    Moore’s Law means you lose a bit off the key of a block cipher or a HMAC every doubling period.

Leave a Reply

Your email address will not be published. Required fields are marked *