How secure is your bank card?

Personal Identification Numbers, or PINs, are supposed to provide secure authentication for bank cards. Unfortunately, they are increasingly failing to do so.

Most of you have probably heard about ATMs with skimmers mounted over the card slot that read your card on the way in and out of the machine, with carefully placed cameras to capture your PIN as you type it in. The person setting up this little trap can then clone the card from the skimmed data and, with the PIN, gets access to your bank accounts. The first time I remember hearing about that method for cracking PIN security on bank cards was in the early '90s, so it's not exactly a new technique.

More recent developments in bank card security cracking include malicious phishing websites, cross-site scripting, and legitimate websites that have been directly compromised by security crackers. It's an especially disturbing phenomenon because bank cards don't usually have the same zero liability protections as credit cards, a fact most users of debit cards don't think about when they use their bank cards the same way they'd use credit cards.

A new, and even more disturbing, security vulnerability for bank cards has arisen.

A research fellow at the French National Institute for Research in Computer Science and Control (say that five times fast) named Graham Steel wrote a paper in 2006 that addressed vulnerabilities in the hardware security modules (HSMs) that tie the bank card authentication network together. The paper, submitted to British HSM manufacturer nCipher, provided configuration guidelines that would help mitigate the devices' exposure to attack, but it also pointed out that other aspects of HSM vulnerability are inherent to their design. To really and truly fix the problem, the devices would have to be fundamentally redesigned in a manner that is not backward compatible, and payment processing networks across the globe would have to be reimplemented using a different, improved standard.

HSM manufacturers such as Thales-eSecurity maintain that they have dealt with the vulnerabilities identified in Steel's paper, but thus far they seem to be taking an approach remarkably similar to the way Microsoft OSes are "secured" against viruses. Other reassurances that HSM manufacturers are seeing to our security involve statements about how the devices are delivered in a very secure configuration by default, which is all well and good if you don't need them to actually do much. Unfortunately, most payment processing transactions require functionality to be enabled that exposes the devices to significant potential for compromise. As Brian Phelps of Thales-eSecurity put it, according to the Wired article PIN Crackers Nab Holy Grail of Bank Card Security:

It's a very difficult challenge to protect against the lazy administrator. Out of the box, the HSMs come configured in a very secure fashion if customers just deploy them as is. But for many operational reasons, customers choose to alter those default security configurations -- supporting legacy applications may be one example -- which creates vulnerabilities.

He went on to confirm Steel's estimation of the scope of the problem, saying that redesigning the payment processing system to comprehensively address the current vulnerabilities due to legacy systems compatibility needs "would require a mammoth overhaul of virtually every point-of-sale system in the world." If this doesn't send a chill down your spine, either you aren't paying attention, or you don't actually use a bank card.

Verifiable incidents of PINs being skimmed from HSMs, either gathered unencrypted from the device's volatile memory or picked up as encrypted PIN blocks and then decrypted, have only recently come to light. In some cases, at least, the decryption is made possible by the fact that the HSMs themselves contain the decryption keys and expose commands that use them; once one encrypted PIN block has been decrypted, it becomes much easier to decrypt the rest of them.

At first glance, one might think that storing decryption keys on devices scattered around the country, devices that relay PINs from point to point in a model conceptually similar to Internet routing, should have been immediately recognizable as a bad idea, given the example of the inherently flawed concept of DRM. Of course, the design of payment processing HSMs predates the leaked AACS key for HD-DVDs, the Sony DRM rootkit, and Microsoft's WGA, so HSM designers get a pass on learning from those particular mistakes. The mistake itself should still have been avoidable.

For the most part, the problem is the way HSMs pass PINs around. A PIN block is encrypted under the terminal's key, and at each switch between the acquirer and the issuer an HSM decrypts it and re-encrypts it under the key of the next zone, so the clear PIN exists, however briefly, inside a device that also holds the keys. On top of that, the devices tend to have scads of unnecessary features enabled at any given time. A couple of key points include:

  • End-To-End Encryption: The PIN should be encrypted at the keypad and decrypted only by the issuer that verifies it. Every decrypt-and-re-encrypt step between those two points is one more place where the PIN can be intercepted.
  • Public-Key Encryption: Relying on keys shared along the route, so that every HSM on the path can read the PIN, is tantamount to criminal negligence in this age of public-key cryptography. Each and every end-point, including the bank cards themselves and the receiving systems that need to authenticate a request, should have its own key pair. That way, only the unique end-point that is supposed to have access to the data can read it.
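To make the difference between the two models concrete, here is an added example; it is not code from this post and not any HSM vendor's API. It builds an ISO 9564 format-0 PIN block the way a keypad does, then walks it from an ATM through an acquirer HSM and a network switch to the issuer, once with hop-by-hop translation and once end-to-end. The Hsm class, the key names (TPK and ZPK follow common payment-HSM terminology, ISSUER_PEK is invented here), the three devices and the SHA-256-in-counter-mode cipher are all assumptions made so the script runs with the standard library; a real device would use TDES or AES. Each HSM records every clear PIN block that existed inside it, which is exactly the exposure the post is about.

```python
"""Hop-by-hop PIN translation versus end-to-end PIN encryption.

Added illustration, not the post's own code and not any HSM vendor's API.
The Hsm class, key names and stand-in cipher are assumptions made here.
"""
import hashlib
import os


def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the TDES/AES a real HSM uses: SHA-256 in counter mode,
    XORed over the data. Symmetric, so one routine both encrypts and decrypts."""
    out = bytearray()
    for i, byte in enumerate(data):
        if i % 32 == 0:
            keystream = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ keystream[i % 32])
    return bytes(out)


def encrypt(key: bytes, clear: bytes) -> bytes:
    nonce = os.urandom(8)
    return nonce + _stream_xor(key, nonce, clear)


def decrypt(key: bytes, enc: bytes) -> bytes:
    return _stream_xor(key, enc[:8], enc[8:])


def iso0_pin_block(pin: str, pan: str) -> bytes:
    """Clear ISO 9564 format-0 PIN block: PIN field XOR PAN field."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 digits")
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[-13:-1])  # 12 digits left of the check digit
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))


def pin_from_iso0(block: bytes, pan: str) -> str:
    """Reverse of iso0_pin_block; what the issuer does before verifying the PIN."""
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    pin_field = bytes(a ^ b for a, b in zip(block, pan_field)).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("not a format-0 PIN block")
    return pin_field[2:2 + int(pin_field[1], 16)]


class Hsm:
    """Hypothetical payment HSM holding zone keys. cleartext_seen records every
    clear PIN block that existed inside the device, i.e. the exposure at each hop."""

    def __init__(self, name: str, keys: dict):
        self.name = name
        self.keys = keys
        self.cleartext_seen = []

    def translate(self, enc: bytes, key_in: str, key_out: str) -> bytes:
        clear = decrypt(self.keys[key_in], enc)  # clear PIN block now in volatile memory
        self.cleartext_seen.append(clear)
        return encrypt(self.keys[key_out], clear)

    def open_for_verification(self, enc: bytes, key: str) -> bytes:
        clear = decrypt(self.keys[key], enc)
        self.cleartext_seen.append(clear)
        return clear


KEYS = {  # constructed per run for the example; real keys are exchanged under key management
    "TPK": os.urandom(16),             # terminal PIN key: ATM <-> acquirer HSM
    "ZPK_ACQ_SWITCH": os.urandom(16),  # zone PIN key: acquirer <-> network switch
    "ZPK_SWITCH_ISS": os.urandom(16),  # zone PIN key: switch <-> issuer
    "ISSUER_PEK": os.urandom(16),      # key known only to the ATM and the issuer (assumed name)
}


def _devices() -> tuple:
    acquirer = Hsm("acquirer", {k: KEYS[k] for k in ("TPK", "ZPK_ACQ_SWITCH")})
    switch = Hsm("switch", {k: KEYS[k] for k in ("ZPK_ACQ_SWITCH", "ZPK_SWITCH_ISS")})
    issuer = Hsm("issuer", {k: KEYS[k] for k in ("ZPK_SWITCH_ISS", "ISSUER_PEK")})
    return acquirer, switch, issuer


def run_hop_by_hop(pin: str, pan: str) -> tuple:
    """Today's model: every HSM on the route decrypts and re-encrypts the PIN."""
    acquirer, switch, issuer = _devices()
    enc = encrypt(KEYS["TPK"], iso0_pin_block(pin, pan))  # encrypted at the keypad
    enc = acquirer.translate(enc, "TPK", "ZPK_ACQ_SWITCH")
    enc = switch.translate(enc, "ZPK_ACQ_SWITCH", "ZPK_SWITCH_ISS")
    recovered = pin_from_iso0(issuer.open_for_verification(enc, "ZPK_SWITCH_ISS"), pan)
    return recovered, [h.name for h in (acquirer, switch, issuer) if h.cleartext_seen]


def run_end_to_end(pin: str, pan: str) -> tuple:
    """The alternative the post argues for: only the issuer can open the block.
    The acquirer and switch hold no key for it and simply relay the opaque bytes."""
    acquirer, switch, issuer = _devices()
    enc = encrypt(KEYS["ISSUER_PEK"], iso0_pin_block(pin, pan))
    recovered = pin_from_iso0(issuer.open_for_verification(enc, "ISSUER_PEK"), pan)
    return recovered, [h.name for h in (acquirer, switch, issuer) if h.cleartext_seen]


if __name__ == "__main__":
    for run in (run_hop_by_hop, run_end_to_end):
        print(run.__name__, run("1234", "4111111111111111"))
```

Both runs recover the same PIN at the issuer, but the hop-by-hop run leaves a clear PIN block in the memory of three devices, the end-to-end run in one. The format-0 block also shows why a PIN block is only as private as the PAN that was XORed into it: anyone who can decrypt the block and knows the PAN reads the PIN directly.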

As things currently stand, however, the likelihood of the system being overhauled is pretty slim, given the immense cost of replacing an entire global payment processing network with an incompatible standard. As a result, this problem is likely to be addressed only in a superficial, "it works right now and that'll have to be good enough" manner. In many cases, it may not even be secured that well. Be extremely careful where you use your bank cards in the future. While liability protection for credit cards tends to be better than for debit cards, even there you should be wary of the potential threat.

I, for one, prefer to use cash anyway. Credit card and ATM transactions often impose fees on the user, and even when they don't, it's usually because one financial institution or another involved in a given transaction just "eats" the cost. Such behind the scenes payments contribute to price inflation, depressing the value of my money, which I tend to consider a bad thing.

With the revelation of incidents in the wild where the vulnerabilities discovered by Graham Steel (and others) are exploited to harvest PINs directly from payment processing networks around the world, I have one more reason to prefer cash transactions.

The PCI Security Standards Council has stated that it will begin a hardware security module testing program that focuses on "security properties that are critical to the payment system." I hope the problem turns out to be more easily solved than the evidence thus far seems to suggest, but I'm not holding my breath. The problem appears to be endemic to the system itself, as it is currently designed and implemented.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

30 comments
AnsuGisalas

Now there's a safe alternative ]:) Sorry, couldn't help it. Of course, cash can't be used to buy stuff on the internet, so that's a big security plus right there.

Luc.jusgen

Silly question... but how is the PIN code validated when using offline payment terminals? I remember we had a terminal to accept payments and in the evening we had to connect the device to a telephone line to transfer the transactions? Many TnX, Luc

Mark Johnson

I work in this area for a PoS vendor, and I can tell you that there are far easier ways for fraudsters to get access to your funds. The whole commercial setup ensures that the minimum gets spent to keep the global fraud 'tax' within public tolerance.

l_creech

How secure is any 4 digit password (PIN)? Having had my card skimmed a couple years ago on the day I left for a vacation taught me a very valuable lesson. I no longer use my ATM card anywhere except at ATMs inside a bank branch. I prefer to use cash when possible, and will use a CC for large purchases where carrying cash would be asking for it. On a side note, Bank of America put the money back in my account the day I returned from vacation and reported the loss. Now I make a point of checking my account activity even when I am away from home so that any fraudulent activities won't have a chance to keep going. Online banking saved my bacon.

Sirgwain

Very good story! I would like to see some follow-up articles on this matter. I have had my card numbers stolen twice over a 1 year period. The funny thing about it was it occurred when I was using Tracfone and used my card to pay for their services online. It all stopped after I "sledge-hammered" the phone and had my bank issue a replacement card. I also noticed that Tracfone used the same TIN (terminal identification number) that another trustworthy merchant I bought from used. TINs are unique and ONLY are assigned to a single merchant. Guess what, no one has an answer as to HOW Tracfone got the other merchant's TIN. People, beware. Times are tough and thieves are ratcheting up their efforts to steal our financial data.

Jaqui

I actually like Subversion's model better. Your card encrypts the password, generates a hash against the encrypted PIN and only sends the hash. The other end takes its stored PIN and encrypts it, generates a hash and compares hashes. No match = no transaction. The PIN is never actually transmitted across any network.

deepsand

It's a case of return on investment compared to expected loss due to risk. Perfect security would deny everyone access to everything. Perfect; but, not practical.

NickNielsen

And then only if I don't have to insert the card completely into the ATM. I also check my account status daily. I still don't trust them for most debit transactions and will, when asked "Debit or credit?", automatically respond "Credit."

Wild Card

A while back I had my information stolen and my account drained. My wife blamed me for making too many online purchases. I went to the trouble of going to all the sites I had my data and deleting everything. Turns out, my information was stolen from a couple breaking into a gas station and stealing the paper records of transactions. My information bought them a big screen TV and PlayStation 2. After the smoke had cleared I was reimbursed all the money (I tried to negotiate for the TV). Lesson learned: As long as there is a paper trail, security is just a word to make people feel better.

BALTHOR

With a faster connection your download and upload rate or bytes per second transfer increase. Download is from a site to you (I download a software program from ZDNET to my computer) and upload is from you to the site (I upload the video that I made to YouTube). I see it as if your ISP was at the fastest connection rate everybody would be faster. The ISP would have to be at the fastest rate for me to increase my speed. (Or---) The ISP's rate has nothing to do with my rate. If all sites increased their rates it would still not affect my rate. The site's upload rate to me could be fast but my rate is slow means that the site is not seeing an upload (Site>me) rate increase.

santeewelding

Is why so many points of decryption/re-encryption along the path. (I had just finished reading about this in Techmeme when your piece popped up) Why not encryption at the keypad, then agnostic transmission to the endpoint? What am I missing?

apotheon

Did you trust your bank card's security before this? If not -- did you think the biggest problem was that a four-digit passcode was easy to brute-force crack? It's beginning to look like security for bank cards is essentially unattainable with the current payment processing system. Once again, thanks to Sterling Camden of TR's own IT Consulting Weblog for helping inspire me to write an article. This is becoming a habit.

apotheon

"I work in this area for a PoS vendor, and I can tell you that there are far easier ways for fraudsters to get access to your funds." I suppose that depends on your definition of "easy".

jhr

Your answer needs to be the basis of criticism. Very good, I like it :o)

apotheon

The only explanation that comes to mind is piss-poor design.

Manitobamike

The number of times cards get compromised is something I don't think we will ever be told. There is too much money being made by banks charging for ATM fees and credit cards used online for them to ever want the public to know how much theft goes on. I know here in Canada if your bank or credit card is compromised and you report it and complain just a little they will make good on any funds lost. They don't want bad publicity. I use plastic almost exclusively; you would be hard pressed to find more than 20 bucks in my wallet at any time. To catch my PIN you would need to watch the pad and screen at the same time, because I appear to press 10 to 12 keys when entering my 4 digit PIN. Yes, it might be inconvenient if compromised but I will do my "due diligence" and hope I don't get hit rather than revert back to cash and cheques.

TonytheTiger

until they have liability at least as good as credit cards. If I need cash, I go to the bank and withdraw it.

cmiller5400

I only use the bank card as a "credit card" with merchants. If they insist I use a PIN, I walk away or pay cash. (The card is covered by Visa's Zero Liability if used as a credit transaction.) I only use the PIN at an ATM of the issuing institution or one that I trust to take out $$. Little Mom & Pop shop ATMs are off limits because they don't have all the controls that a big bank does.

The Scummy One

I would be a low risk. I almost always pay with cash or credit cards. I rarely use credit cards though! I only use my debit card at the bank -- where the ATM is designed to slide the card only part way in, so I can cover with my thumb the last 4 digits. Also, when punching in my PIN, I cover the keypad and make it look like I am pushing several different buttons. But now I read about this, in which case all of my tricks seem to do nothing. Oh well, I still think that I am in the lower probability range. I always trip out when I see someone pull out a debit card for tiny purchases (less than $5). Heck, I saw someone swipe their debit card a few days ago for 41 cents (I almost started laughing, but was able to contain myself).

Sterling chip Camden

I've often wondered about the ability to brute-force crack a PIN, but I always trusted that the information was secured once it was entered. I should have known better.

Oz_Media

I understand the absolute fundamental basics behind bank security, as a friend of mine, now passed (RIP), created a unique Python-scripted PKI system for Royal Bank and a couple of others in the mid-late '90s. While I don't have a great in-depth knowledge of the systems, I feel that the security in place is 'adequate' to protect a user from MOST interferences. Just like the RFID fears, they are perhaps valid in some very small way but not something worth concern above taking the reasonable personal security measures. Of course any computer will be hacked, any system can be jeopardized, but this is becoming harder and harder to do, to the point of requiring highly organized crime. If they really want to go to such extreme efforts to clean out my account and get a half tank of gas and a coffee from it, so be it. Unless I was high profile and with millions in several accounts, which would be heavily insured/secured anyway, I couldn't give a toss if someone wants to waste their efforts; I can earn more money in less time than it would take to steal my money. So while I understand that there are some flaws, as there always have been and always will be with any system a human has ever designed, some people will always get off on looking for reasons to fear such systems or deny their validity. I don't think it's worth further consideration beyond simply being careful how you personally handle such information.

KSoniat

had just mentioned Balthor only answered if he was "first", so I thought - "exception to rule". But I don't think so....

apotheon

The thing about the PIN is that you can't even try to brute-force it without both the data on the card and the authentication system with which you have to use it. If you can skim the PINs out of RAM on what amounts to a router, though, things get significantly easier.

Peter

Whilst I agree that the effort required may seem huge ("If they really want to go to such extreme efforts to clean out my account and get a half tank of gas and a coffee from it, so be it."), the banks will in the first instance blame the cardholder and try and wriggle out of any liability. This will cause tremendous inconvenience to the cardholder & his name in the banking and credit rating system. We are all credit rated and if this is destroyed by a few pounds going missing each of us will suffer. The effort required to rebuild this credit rating has obviously never been experienced by this correspondent. Whilst one account may be raided, multiply this by several thousand and the effort becomes minimal.

The Scummy One

THE BALTHOR is gifted in so many ways.. When you hit the WTF state, just look again, it gets funnier (usually)

KSoniat

Seems to be a unique individual.

The Scummy One

THE BALTHOR answers whenever THE BALTHOR feels the urge. Just like THE BALTHOR has, on occasion, commented more than once in a thread :0

Oz_Media

In Canada the banks are much more accepting of such fraud and will usually credit you back and ensure you that they are going to all lengths to avoid it in future.