Weighing Down "The Unbearable Lightness of PIN Cracking" (Extended Version)

Executive Summary

Responding to the PIN cracking attacks of Berkman and Ostrovsky (FC 2007), the authors outline a simple solution called salted-PIN. A randomly generated salt of adequate length (e.g., 128 bits) is stored on the bank card in plaintext, and in encrypted form at a verification facility under a bank-chosen salt key. Instead of sending the regular user PIN, salted-PIN requires the ATM to derive a Transport Final PIN from the user PIN, the account number, and the salt read from the card, through, e.g., a pseudo-random function. The authors explore different attacks on this solution and propose three variants of salted-PIN that protect against the known attacks.
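The following is an added illustration of the salted-PIN flow as the summary describes it; it is not code from the paper, and the concrete choices are assumptions: HMAC-SHA256 stands in for the unspecified pseudo-random function (keyed with the card salt over PIN and account number), a one-block HMAC keystream stands in for the bank's salt-key encryption, and the `VerificationFacility` class, its stand-in PIN store, and the constructed account number and PIN are illustrative only.

```python
import hashlib
import hmac
import os

# Added example, not the paper's construction. PRF, salt-wrapping and the facility
# layout below are assumptions chosen to make the summary's flow concrete.

SALT_BYTES = 16  # 128-bit salt, the length the summary calls adequate


def generate_salt() -> bytes:
    """Random salt written to the bank card in plaintext at personalisation time."""
    return os.urandom(SALT_BYTES)


def transport_final_pin(user_pin: str, account_number: str, salt: bytes) -> bytes:
    """What the ATM sends instead of the raw PIN.

    HMAC-SHA256 keyed with the card salt over (PIN, account number) stands in for
    the paper's pseudo-random function (assumption). The '|' separator is
    unambiguous because both inputs are digit-only strings.
    """
    if not (user_pin.isdigit() and account_number.isdigit()):
        raise ValueError("PIN and account number must be digit strings")
    msg = f"{user_pin}|{account_number}".encode()
    return hmac.new(salt, msg, hashlib.sha256).digest()


def wrap_salt(salt: bytes, salt_key: bytes, nonce: bytes) -> bytes:
    """Stand-in for 'encrypted under a bank-chosen salt key' (assumption).

    XORs the salt with a one-block keystream HMAC-SHA256(salt_key, nonce); a real
    deployment would use the HSM's block cipher. The nonce must be unique per salt.
    """
    stream = hmac.new(salt_key, nonce, hashlib.sha256).digest()[: len(salt)]
    return bytes(a ^ b for a, b in zip(salt, stream))


def unwrap_salt(wrapped: bytes, salt_key: bytes, nonce: bytes) -> bytes:
    """XOR with the same keystream recovers the plaintext salt."""
    return wrap_salt(wrapped, salt_key, nonce)


class VerificationFacility:
    """Holds each account's salt encrypted under the salt key (assumed layout).

    `pin_store` is a stand-in for the bank's existing HSM-protected PIN reference;
    here it is a plain dict mapping account number to reference PIN.
    """

    def __init__(self, salt_key: bytes, pin_store: dict):
        self._salt_key = salt_key
        self._pin_store = pin_store
        self._salts = {}  # account_number -> (nonce, wrapped_salt)

    def enrol_salt(self, account_number: str, salt: bytes) -> None:
        nonce = os.urandom(16)
        self._salts[account_number] = (nonce, wrap_salt(salt, self._salt_key, nonce))

    def verify(self, account_number: str, received_tfp: bytes) -> bool:
        if account_number not in self._salts or account_number not in self._pin_store:
            return False
        nonce, wrapped = self._salts[account_number]
        # The salt is decrypted only inside the facility; the salt key never leaves it.
        salt = unwrap_salt(wrapped, self._salt_key, nonce)
        expected = transport_final_pin(self._pin_store[account_number], account_number, salt)
        # Constant-time comparison of the received and expected transport PINs.
        return hmac.compare_digest(received_tfp, expected)


def demo() -> dict:
    """Constructed walk-through: same PIN, two cards, two different transport PINs."""
    account, pin = "1234567890123456", "1234"  # constructed sample values
    salt_a, salt_b = generate_salt(), generate_salt()
    facility = VerificationFacility(salt_key=os.urandom(32), pin_store={account: pin})
    facility.enrol_salt(account, salt_a)
    tfp_a = transport_final_pin(pin, account, salt_a)
    tfp_b = transport_final_pin(pin, account, salt_b)
    return {
        "salts_differ": tfp_a != tfp_b,          # a captured TFP is card-specific
        "genuine_card_accepted": facility.verify(account, tfp_a),
        "other_salt_rejected": facility.verify(account, tfp_b),
        "wrong_pin_rejected": facility.verify(account, transport_final_pin("4321", account, salt_a)),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete is the one the summary relies on: the value that travels from the ATM is a function of a per-card 128-bit salt, so it is neither the PIN itself nor reusable across cards, while the facility can still recompute and check it because it holds the same salt under its own salt key.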

  • Format: PDF
  • Size: 182.3 KB