
New methods are being developed that go beyond card skimmers and fake banking sites: PINs for a number of accounts have been intercepted while being sent over the network between ATMs and the bank, and then decrypted.
The information was revealed following the arrest of hackers who stole the details of 40 million credit card accounts from TJ Maxx last year. It was revealed that the hackers stole PIN blocks that were later decrypted by other experts. It seems the hackers only obtained the data for cards that used magnetic stripes, as chip and PIN systems authenticate locally.

The more recent attacks involve the Hardware Security Module (HSM) devices installed at switching points in the network that carries the PIN between the ATM and another point. In theory the PINs should be transmitted through the entire network encrypted, but they need to be processed by the HSM to route the data. Hackers have somehow been able to tamper with this system to obtain the PINs. This is possible because of the many redundant functions in the HSM’s software that are still active. As a manager from Thales, a company that manufactures HSMs, pointed out, configuring them to support legacy hardware would create vulnerabilities.

One attack targets the last HSM in the link between the ATM and the bank’s server, which decrypts the PIN and matches it with the account number to authenticate and authorise the transaction. It’s possible this data was being read by malware as it was stored in the server’s memory and was being added to a hidden database. It suggests the hackers had help from others inside the HSM companies and the banks.

A big problem for the victims is the difficulty in proving the money was stolen from the account, as the banks would insist the only way it could happen is if the customer knowingly revealed the PIN. This would make the customer entirely liable for any amounts stolen.
Banks have been able to shift more of the liability to their customers with the introduction of the chip and PIN system, arguing that it’s absolutely secure, prevents fraud, etc. Of course, it’s only as secure as its weakest link, which is the four-digit PIN that customers sometimes have to enter while in the middle of a queue to use the card. Anyone standing behind the customer would be in a reasonable position to make a pretty good guess at the digits being entered.

Hardware Security Modules
HSMs are hardware devices attached to a server or computer that apply cryptographic functions to its I/O. Because a bank’s server has to read and write to its database in real time, it has to work on plaintext, so PINs have to be decrypted by the HSM connected directly to the server. An HSM is also used as a key management system, storing the keys and the algorithm for generating them. It can also back up keys to other HSMs in the same network.
In the context of managing a database storing the bank account details, the server should only allow I/O to the database through a device with the same Message Authentication Code as the one generated by the HSM.
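The MAC check described above, as an added sketch that is not code from the original post or from any HSM vendor. The names hsm_mac, encode_request and DatabaseGate, the use of HMAC-SHA256, the request counter and the sample account values are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: in production this key is generated and held inside the HSM;
# a random in-memory key stands in for it in this sketch.
_HSM_KEY = secrets.token_bytes(32)


def hsm_mac(message: bytes, key: bytes = _HSM_KEY) -> bytes:
    """Stand-in for the HSM's MAC function (HMAC-SHA256 chosen for the example)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def encode_request(counter: int, account: str, operation: str) -> bytes:
    """Serialise unambiguously: 8-byte counter, then length-prefixed fields."""
    out = counter.to_bytes(8, "big")
    for field in (account, operation):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


class DatabaseGate:
    """Admits a request only if its MAC matches the HSM's and it is not a replay."""

    def __init__(self) -> None:
        self.last_counter = -1

    def admit(self, counter: int, account: str, operation: str, tag: bytes) -> bool:
        expected = hsm_mac(encode_request(counter, account, operation))
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return False
        if counter <= self.last_counter:  # valid MAC but already seen: replay
            return False
        self.last_counter = counter
        return True


def demo() -> dict:
    """Constructed sample requests: genuine, tampered, replayed and forged."""
    gate = DatabaseGate()
    tag = hsm_mac(encode_request(1, "ACCT-0001", "read_balance"))
    return {
        "genuine": gate.admit(1, "ACCT-0001", "read_balance", tag),
        "tampered": gate.admit(2, "ACCT-0002", "read_balance", tag),
        "replayed": gate.admit(1, "ACCT-0001", "read_balance", tag),
        "forged": gate.admit(3, "ACCT-0001", "read_balance", secrets.token_bytes(32)),
    }
```

A gate of this kind authenticates who is talking to the database; it does nothing for PINs that malware reads from the server's memory after the HSM has decrypted them, which is the case described earlier.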
As HSMs share the same standards with other commercial authentication systems, upgrading them would involve drafting revisions, getting manufacturers and vendors across the whole industry to agree to the changes, and implementing the revised standards.