Home page logo

isn logo Information Security News mailing list archives

Students crack bank pin codes
From: InfoSec News <isn () c4i org>
Date: Fri, 9 Nov 2001 02:59:01 -0600 (CST)

Forwarded from: Will Munkara-Kerr <WillM () CS NSW GOV AU>


Two British PhD students have designed a computer program to crack
bank security codes which potentially gives them access to hundreds of
thousands of PIN numbers, it emerged today.

Armed with the software and hardware, the pair have shown that it is
theoretically possible to download large amounts of confidential
financial information, allowing a potential thief to steal vast
amounts of cash.

The two Cambridge University students plan to put details of how to
crack the systems on the internet in an effort to ensure security is

The security breach was revealed in the BBC's Newsnight program, which
outlined how it was possible to translate the 16-digit number for cash
cards from data downloaded by the program.

Michael Bond, 22, one of the students involved, said he felt not
enough was being done to insure that the hole in security was blocked.  
"Banks' approach to security at the moment is too closed, they are
relying on outdated concepts such as security through obscurity.

"What they really need to do is pay more attention to the open
community including academia and get more peer review on some of the
systems that they are using.

"We need to see banks being more accountable for the security of
people's money."

He said the breach could only be performed by bank staff with access
to bank computers.

The system involved is based on IBM's 4758 crypto-processor used by
banks, the military and governments across the world to protect their

The attacks work using a combination of software developed by Mr Bond
and off-the-shelf hardware costing less than STG750 ($A2,140)
developed by mature student Richard Clayton.

Their research shows it is possible for a single individual, with only
the level of access to a bank's computer system granted to a temporary
computer contractor, to extract and download information.

Within 20 minutes it is possible to find the secret "key" from the
crypto-processor it uses to scramble customer PINs.

Once taken home on a floppy disk, it would take around a day using the
Cambridge equipment to reveal the secret "key".

The "key" can translate the PIN into the 16-digit number on the front
of cash cards meaning a criminal could plunder thousands of bank

Alan Cox, a computer operating system developer, said: "This is a
military grade protected encryption system where you have to have
licences to possess them.

"I would expect the reaction of the banking industry is probably one
of pure horror ... shared by the military and a considerable number of
other bodies."

Computer company IBM says normal bank practice and procedure would
prevent any possibility of launching such an attack.

It says in a statement this academic study is based on specific
laboratory conditions.

IBM says in the real world there are too many physical safeguards and
authority protections for such an attack to be successful.


"This message is intended for the addressee named and may contain
confidential information. If you are not the intended recipient, please
destroy it and notify the sender. Views expressed in this message are those
of the individual sender, and are not necessarily the views of the Central
Sydney Area Health Service."

ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]