Hole-in-the-wall digits showing cracks

By JUHA SAARINEN

A paper published by Cambridge University Computer Laboratories researchers Mike Bond and Piotr Zelinski details a method that allows automatic teller Machine PIN numbers to be readily cracked.

PINs are generated from customers' account numbers, and stored in a hardware security module (HSM) in encrypted form in banking systems to ensure that nobody apart from the customer knows their PIN.

But Bond and Zelinski's Decimalisation Table attack allows anyone who can capture the responses from a commonly used HSM made by IBM to recover a four-digit PIN with an average of 15 guesses. Normally, it would take around 5000 guesses.

This means a bank "insider" could capture some 7000 PINs in 30 minutes, by interfacing a notebook computer to the HSM.

They could then create duplicate ATM cards to fraudulently withdraw money from cash machines. Blank ATM cards, and card readers/writers are readily available.

The sums involved could be huge: with 7000 PINs, a daily limit of $800 and an average of two days before such frauds are discovered, an attacker could gain $11.2 million.

Bond and Zelinski are not alone in their work: last October South African researcher Jolyon Clulow of the University of Natal, Durban, held a seminar at Cambridge, called "I Know Your PIN".

A court case is under way in South Africa, involving some £50,000 ($40,000) withdrawn from a man's account in Britain, even though he was not there.

How worried are the banks? Diner's Club and Citibank have asked the High Court in Britain to impose a "gagging order" on Bond and his assistant Ross Anderson, banning them from discussing developments in the case, and excluding the public and the press from the court room.

ASB Bank head of retail banking and marketing Barbara Chapman said the bank had systems to detect any such activity by a staff member.

She said the systems involved were among the most protected areas within the bank.

"Only a very small number of specialist systems staff have access to this kind of system.

"We have never had the security of these systems compromised"

National Bank spokeswoman Cynthia Brophy said that the methodology it used for PIN validation was not the same as that covered in the Cambridge report.

"We have no reason to think that the integrity of either our staff or systems could be compromised in any way by this report," she said.

New Zealand Bankers Association chief executive Errol Lizamore did not want to comment.

The BNZ, Westpac and equipment vendor Eftpos New Zealand were also approached, but wanted to study the vulnerabilities in detail before issuing any official comment.

Eftpos terminals use the same cards as ATMs, and would therefore seem open to attack.

But James Munro of Superbank - an offshoot of St George Bank operating in Foodstuff's supermarkets - said it would be difficult to exploit the Eftpos network, which Superbank would initially use for transactions, to crack PINs, because the terminals concerned were in public view.

Whose responsibility is it?

Banking Ombudsman Liz Brown says the Banking Code of Practice limits customer liability in the case of fraudulent transactions to $50, provided the customer has not been negligent in keeping the PIN safe.

If a "phantom withdrawal" takes place, it's hard to prove that you weren't negligent, as there is no direct evidence of fraud (the ATM thinks the card and PIN are OK) and you cannot know if the PIN has been captured from the HSM.

So isn't that the bank's problem?

Yes. ASB Bank head of retail banking and marketing Barbara Chapman confirms "a customer will not bear the loss where there has been fraudulent conduct by employees or agents of the bank, or where through no fault of the customer unauthorised transactions have occurred". Parnell law firm IT Law Associate Averill Parkinson says while it might be "tricky" to determine liability, it would be difficult for banks to put the onus on customers if research shows PINs can be cracked.