Decimalisation table attacks for PIN cracking

Technical Report UCAM-CL-TR-560, Number 560, ISSN 1476-2986
University of Cambridge Computer Laboratory
Mike Bond, Piotr Zielinski
February 2003
15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom, phone 44 1223 763500
© 2003 Mike Bond, Piotr Zielinski
Technical reports published by the University of Cambridge Computer Laboratory are freely available via the Internet. Series editor: Markus Kuhn.

Abstract

We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures. By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess. It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. In a single 30 minute lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a 300 withdrawal limit per card, the potential bounty is raised from 7200 to million, and a single motivated attacker could withdraw 30-50 thousand of this each day. This attack thus presents a serious threat to bank security.

1 Introduction

Automatic Teller Machines (ATMs) are used by millions of customers every day to make cash withdrawals from their accounts. However, the wide deployment and sometimes secluded locations of ATMs make them ideal tools for criminals to turn traceable electronic money into clean cash.
The customer PIN is the primary security measure against fraud; forgery of the magnetic stripe on cards is trivial in comparison to PIN acquisition. A street criminal can easily steal a cash card, but unless he observes the customer enter the PIN at an ATM, he can only have three guesses to match against a possible 10 000 PINs and
