A U.S. Secret Service memo obtained by MSNBC.com indicates that organized criminals are systematically attempting to subvert the ATM system and unscramble encrypted PIN codes. (Will Burgess / Reuters file)
Researchers who work for an Israeli computer security company say they have discovered a fundamental weakness in the system that banks use to keep debit card PIN codes secret while they are transported across bank networks – a flaw that they say could undermine the entire debit card system.
The U.S. Secret Service is investigating the matter, and MSNBC.com obtained a memo compiled by the agency that indicates that organized criminals are systematically attempting to subvert the ATM system and unscramble encrypted PIN traffic.
The report has ignited a debate within the banking industry, with many financial industry experts downplaying the seriousness of the flaw and outside experts divided on its implications. But there is no disputing the impact that such a hack would have if successful.
Using the methods outlined by the researchers, a hacker could siphon off thousands of PIN codes and compromise hundreds of banks, said Odelia Moshe Ostrovsky, one of the report's authors. Criminals could then print phony debit cards and simultaneously withdraw vast amounts of cash using ATMs around the world, she said. The paper was co-authored by Omer Berkman, a researcher at The Academic College of Tel Aviv-Yaffo
Automated Teller Machines and point of sale debit card sales are a massive part of the global economy. In the U.S. alone, ATMs perform about 8 billion transactions every year and dispense $600 billion in cash, according to a study released earlier this year by Dove Consulting. Volume of retail store PIN-based debit card transactions is even higher.
Word of the apparent security flaw first surfaced two weeks ago, when the PIN-hacked paper was published, \\stating that it would be possible for someone with access to the ATM network to attack the special computers that transmit bank account numbers and PIN codes, called hardware security modules.
When consumers enter their personal identification numbers, or PINs, into an ATM, the PIN and account number must travel through several computers on a special network before they arrive at their home bank for verification. The data is encrypted immediately after it's entered at the ATM into what is known as a PIN block, then sent on its way.
Rarely does the transmission go directly to a consumer's bank. Instead, it is handed off several times on a banking network run by several third parties. Each time a bank passes the data along, it goes through a switch that contains the hardware security module and the PIN block is unscrambled and then rescrambled. It is at these intermediate points where hackers could trick the machines into divulging PINs, the researchers said.
"We show in these attacks that using only (a single) function we can reveal the content of every PIN block as if it's not encrypted," said Ostrovsky.
PINs thought to be unassailable in transit
The attack theory is significant because it has long been considered impossible to access PINs as they are traveling through the ATM network without the encryption key used by the card-issuing bank. But the ARX report said issuer keys are not necessary because computers along the network can be tricked into revealing PINs through a series of electronic queries that would enable criminals to make educated guesses about – and possibly break -- the encryption code.
ARX sells hardware security modules to ATM networks, but Ostrovsky said its machines also are vulnerable to the attacks because they must communicate with other ATM network computers using the flawed protocols.
Ostrovsky said her company shared the research with the Visa credit card association's risk management team and other U.S. financial industry security experts six months ago, and recommended systemwide ATM network changes. But U.S. banks weren't reacting fast enough to the risk, she said, so ARX decided to go public with its information and two weeks ago published a paper titled "The Unbearable Lightness of PIN cracking," which is now available on the Internet (in Adobe Acrobat format).
Kim Bruce, a spokeswoman for the Secret Service, confirmed that the agency had been in contact with ARX to discuss the paper's findings, but declined to provide additional detail.
Visa: Attack 'highly unlikely'
A spokeswoman for Visa, which owns part of the ATM network and helps write security standards for it, confirmed that the flaws described in the paper are real, but said the threats they pose are minimal.
"This research paper addresses an area that has been known for some time to the payments industry," said Rosetta Jones. "There are a range of standard security measures in place within member institutions and processors -- including limited access to databases and segregation of duties – that make this kind of attack highly unlikely. Through these layers of security, Visa and our member financial institutions are working to prevent the kinds of attacks theorized in the paper."
She also said there is no evidence the attacks outlined by ARX have been attempted by criminals.
"We are not aware of any instance where this kind of attack has actually occurred, and there is no link between the attack outlined in this paper and any recent data compromises," she said.
It is clear, however, that organized criminals are systematically attempting to subvert the ATM system and unscramble encrypted PIN traffic.
Russian Web sites indicate organized attacks
Russian-language Web sites are abuzz with discussions about ATM network attacks, including discussion of the Israeli report, according to data gathered by the Secret Service and viewed by MSNBC.com.
"In the fall of 2005 work for everyone was so successful because an employee of one of America's processors sold a database of material that went through its processing center," wrote a hacker who belongs to an online gang called Mazafaka, according to an English translation of a Russian Web site compiled by the Secret Service. "This material was then successfully exploited by our carder friends. The consequences of this deal could even be monitored on CNN, as well as in our own work (this applies to cashers). You may have noticed that after this event, ATMs more and more frequently give 'transaction declined' notices or give a small sum on the first transaction and then block the card."
In another exchange cited in the Secret Service memo, a hacker offers to pay for databases of encrypted PINs, which theoretically should be useless someone had discovered a way to translate the data into valid PINs. In still another post, one claims to have recovered account data by "hijacking" hardware security modules.
Industry downplays the threat
Nessa Feddis, a spokeswoman for the American Bankers Association, also downplayed the scenario outlined by the Israelis and the overall hacking threat, saying that while PINs "are always going to be a target," the ABA is "not aware of any ability to undo the encryption."
A spokesman for First Data Corp., which owns the STAR network, one of the largest ATM processing networks, said the company would not comment on the research paper.
Other bank security groups also downplayed the threat.
Catherine Allen CEO of the Financial Services Roundtable's BITS organization, a consortium of security experts from the nation's top 100 financial institutions, said the risk suggested by the PIN-hacking paper is minimal because U.S. banks have already addressed the security concerns.
But banking analyst Avivah Litan, an industry consultant with security firm Gartner, said banks aren't reacting strongly enough to the report.
"This is nothing short of startling," she said. "No one is paying attention to this and I don't know why. It undermines the whole premise of ATM security."
How the attacks would work
The attacks described in the ARX paper could not be conducted remotely over the Internet. They would require a criminal to be on the same local network as the hardware security module. Because ATM switches are heavily guarded and monitored, such access is unlikely, argued a BITS representative, who spoke on condition of anonymity.
But such ATM switches can be located anywhere in the world, Ostrovsky countered. That creates a "weakest link" vulnerability in which one poorly guarded switch could theoretically be used to compromise every bank whose debit cards have flowed through that switch, she said.
Each switch contains a hardware security module, which is a simple computer in a tamper-proof box designed to perform a few PIN-related functions, beginning with decrypting and encrypting. But the boxes also contain other small programs, or functions, which allow the machines to change a customer's PIN or calculate other PIN-related values. Most ATM switches don't need these tools; however, they are often available by default.
This unnecessary software is exploited in some of the attacks described by the paper, which recommends that switch operators turn off the unnecessary functions. But even that's not enough, Ostrovsky said. The one essential function of a switch -- encrypting and decrypting, a process known as "translate" -- is all an attacker needs to trick the machine into divulging PINs, a hack that would put nearly every ATM switch at risk, she said.
"This is not an attack on a certain configuration or installation. This is an attack on the protocol itself. It must be updated," Ostrovsky said.
There are competing protocols, or PIN block formats, in use in the ATM network, and each machine must support all those formats, she explained. In one version, the 16-digit PIN block contains two formatting characters, four PIN characters, and 10 additional slots with information about the customer's account number. That's the standard used in the U.S. Another standard combines the formatting characters and PIN characters with random digits, and sends the account number separately.
The translate function not only assists in encrypting – it also allows the machine to translate the PIN block from one format to another. This allows an attacker to take advantage of the weaknesses of both, creating"least-common denominator" vulnerability, Ostrovsky said.
The BITS representative who spoke on condition of anonymity conceded such attacks are feasible, but called the risk "very, very, very, very remote." He added that bank robbers have much easier ways of stealing money than complicated PIN prediction tactics.
Litan is not so sure. She said the research paper undermines the basic premise of ATM network security – the idea that only a computer loaded with the encryption key created by the issuing bank can reveal a PIN.
"The premise was 'It doesn't matter what happens along the path,' so even people who could access the PIN blocks couldn't do anything with them," she said. "This blows that out of the water."
'A worrisome thing'
Michael McKay, an independent consultant who helped design Hewlett Packard's hardware security module, called Atalla, described the ARX attack was "a worrisome thing, a real concern."
"It's commonly thought that there are some organized crime groups have made concerted efforts on this," he said. "So we believe there have been people who've cracked parts of the system."
Ross Anderson, a cryptologist expert at the University of Cambridge in the United Kingdom who has written several papers on ATM security, called the research paper "a fairly big deal."
But he noted that previous research also has demonstrated widespread vulnerabilities in the ATM PIN system. He cited a paper he co-wrote with student Mike Bond in 2001 that showed that many supposedly tamper-proof cryptographic systems can be fooled into divulging information by sending them confusing commands. (Acrobat). Another paper authored by Bond, showed that a would-be ATM hacker could use flaws in the way banks generate PINs that could reduce the number of average guesses required to mathematically discover a PIN from 5,000 to as few as 15. (Acrobat)
"Customers can't rely on bank assurances that 'our systems are secure,'" Anderson said.
Banks hit by a successful attack like the one described by the Israeli researchers may not even know the origin of the theft, Ostrovsky said. An insider would simply steal the PINs, create associated fake debit account cards, and steal money from ATMs around the world. Consumers who complained that money was missing from their accounts might be met with skepticism, she said.
Consumers should watch their accounts for any signs of suspicious activity, but other than that there isn't much they can do in response to this research, McKay said.
Bank industry officials point out that the attacks must be carried out by someone with direct access to an ATM switch, limiting the potential for abuse. But Litan said the limitation is hardly reassuring.
"It's not much comfort that they have to be on the inside," she said. "As we've already seen, it's easy for criminals to open up their own ATM network. And banks do have insiders with flaws."
Clarification: Omer Berkman's name was originally omitted from this article as co-author of "The Unbearable Lightness of PIN Cracking." MSNBC regrets the omission.