Resources
See latest resources ยป
ATM code cracking

ATM code cracking

Source:

This paper from Mike Bond and Piotr Zielinski of Cambridge University presents an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in cash machine infrastructures.

By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess. It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended, claim the researchers
In a single 30 minute lunch-break, a corrupt bank employee can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw up to $50,000 each day.
The paper explains the methodology of the attack which is described as a serious threat to bank security.

Download the document now 223Kb PDF

Comments: (0)

Research resources
See all Research resources »
Webinar - The Art and Science of Customer Relationships
/research

Webinar - The Art and Science of Customer Relationships

Accurately quantifying customer experience can seem an immensely nebulous task. While the benefits of improving this are evident, there is no clear method of measuring it.

Central Bank Digital Currency and Monetary Policy
/research

Central Bank Digital Currency and Monetary Policy

A Bank of Canada investigation into the benefits and costs of issuing a central bank digital currency for monetary policy.

Data in the payments industry
/research

Data in the payments industry

The UK's Payment Systems Regulator starts a conversation on how data is used in payment systems and explores the potential barriers to its objectives.