Researchers at Cambridge University have uncovered a flaw in cash machine security which would allow an attacker to find the correct PIN for a bank card in an average of 15 guesses, instead of the intended 5000 attempts.
The attack, detailed in a paper published by Mike Bond and Piotr Zielinski, is centred on the hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM infrastructures. By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess, say the researchers.
"In a single 30 minute lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method," states the paper. "With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw $30,000 - $50,000 of this each day."
Bond and Zielinski argue that, in the hands of a corrupt bank programmer, the technique represents a serious threat to bank security which may not be spotted by conventional fraud prevention methods.
They are currently starting discussions with manufacturers of hardware security modules about the practical implications of the attacks. They say that updating systems to cope with the attacks is likely to prove costly and the degree of protection offered will depend upon the intrusion detection capabilities offered by each vendor.