Security experts are warning that flaws in the way PINs are encrypted and transmitted across international financial networks could allow corrupt bank workers to access the four-digit codes.
A research paper by Omer Berkman and Odelia Moshe Ostrovsky at Tel Aviv University describes how the financial transaction processing system used by banks is open to abuse and could enable corrupt bank workers to discover PIN codes.
One possible attack targets the translate function in switches which another abuses functions that are used to allow customers to select PINs online.
In both cases flaws in the system could enable an attacker to discover PIN codes,for example, when entered by customers while withdrawing cash from an ATM. The numbers could then be used to make fraudulent transactions.
"A bank insider could use an existing Hardware Security Module (HSM) to reveal the encrypted PIN codes and exploit them to make fraudulent transactions, or to fabricate cards whose PIN codes are different than the PIN codes of the legitimate cards, and yet all of the cards will be valid at the same time," says Ostrovsky, a researcher at Tel Aviv University who also works for local security firm Algorithmic Research. "Even worse, an insider of a third-party Switching provider could attack a bank outside of his territory or even in another continent."
The authors says they have passed on the study to credit card firms and banks but have had little response and so have decided to go public with the research. The paper can be found on the Algorithmic Research Web site:Read the PDF here
In a blog posting security expert Bruce Schneier says: "One of the most disturbing aspects of the attack is that you're only as secure as the most untrusted bank on the network. Instead of just having to trust your own issuer bank that they have good security against insider fraud, you have to trust every other financial institution on the network as well. An insider at another bank can crack your ATM PIN if you withdraw money from any of the other bank's ATMs."