Great. As if there wasn’t enough to worry about these days with the Conficker worm raising eyebrows and Twitter worms running rampant.
Wired now reports that hackers have found a new way to get at your ATM PIN too.
The attacks target a device called a hardware security module (HSM), a security appliance that sits on bank networks and on the transaction switches through which PINs pass on their way from an ATM or retail cash register to the card issuer. The module is a tamper-resistant device that provides a secure environment for sensitive operations such as encryption and decryption.
Under the payment-card industry (PCI) standards for card transaction security, PINs are supposed to be encrypted in transit, which should in theory protect them if someone intercepts the data. The problem is that a PIN must pass through multiple HSMs across multiple bank networks on its way to the customer's bank, and these HSMs are configured and managed differently, some by contractors with no direct relationship to the bank. At every switching point the PIN block has to be decrypted and then re-encrypted under the key for the next leg of its journey (a "PIN translation"). Each of those per-leg keys is itself stored encrypted under a master key that generally lives inside the module and is used only through the module's application programming interface, or API.
Special malware run on these units can grab the PIN at that translation step, when it is briefly in the clear in memory, and write it to a log file. The file is retrieved later, and because all of this happens at a switch rather than at the cash machine, there is no sign of anything amiss at the ATM.
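To make the two paragraphs above concrete, here is an added example that walks one PIN from ATM to switch to issuer in Go. It is my illustration, not code from Wired, Blippitt or any HSM vendor, and it assumes ISO 9564 format 0 PIN blocks, 3DES in ECB mode for both PIN blocks and key wrapping, three constructed 24-byte keys (a module master key, here called the LMK, and one zone PIN key, ZPK, per leg), and a `tap` callback standing in for the malware that captures the PIN during translation. The helper names (`panField`, `ecb`, `TranslatePINBlock`, `RunScenario`) are mine; the real command set of any particular HSM is not modelled.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// Constructed demo keys (24-byte 3DES), not real ones: the HSM master key (LMK) and the zone PIN keys (ZPKs) for the ATM and issuer legs.
var (
	lmk       = []byte("0123456789abcdef01234567")
	zpkATM    = []byte("ATM<->switch-zone-key-24")
	zpkIssuer = []byte("switch->issuer-zone-key1")
)

// panField is the ISO 9564 format 0 mask: "0000" + rightmost 12 PAN digits, check digit excluded.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, fmt.Errorf("PAN too short")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// FormatPINBlock builds a clear format 0 PIN block: (0, PIN length, PIN, F padding) XOR PAN field.
func FormatPINBlock(pin, pan string) ([]byte, error) {
	f := fmt.Sprintf("0%X%s", len(pin), pin) + "FFFFFFFFFFFFFFFF"
	p, err := hex.DecodeString(f[:16])
	q, err2 := panField(pan)
	if len(pin) < 4 || len(pin) > 12 || err != nil || err2 != nil {
		return nil, fmt.Errorf("bad PIN or PAN")
	}
	for i := range p {
		p[i] ^= q[i]
	}
	return p, nil
}

// ExtractPIN recovers the clear PIN from a clear format 0 block.
func ExtractPIN(blk []byte, pan string) (string, error) {
	q, err := panField(pan)
	if err != nil {
		return "", err
	}
	p := make([]byte, 8)
	for i := range p {
		p[i] = blk[i] ^ q[i]
	}
	n := int(p[0]) // first byte = control nibble 0 and the PIN length nibble
	if n < 4 || n > 12 {
		return "", fmt.Errorf("not a valid format 0 block")
	}
	return hex.EncodeToString(p)[2 : 2+n], nil
}

// ecb runs 3DES over each 8-byte block of in; PIN blocks and wrapped keys are handled in ECB here.
func ecb(key, in []byte, decrypt bool) []byte {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err) // keys are fixed above, so this is a programming error
	}
	op := c.Encrypt
	if decrypt {
		op = c.Decrypt
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 8 {
		op(out[i:i+8], in[i:i+8])
	}
	return out
}

// TranslatePINBlock is the HSM "PIN translate" call at a switch: unwrap both ZPKs under the LMK,
// decrypt under the inbound ZPK, re-encrypt under the outbound one. The clear block exists only
// between those two steps; tap models code that captures it at that instant.
func TranslatePINBlock(wrappedIn, wrappedOut, in []byte, tap func([]byte)) []byte {
	zpkIn, zpkOut := ecb(lmk, wrappedIn, true), ecb(lmk, wrappedOut, true)
	clear := ecb(zpkIn, in, true)
	tap(clear)
	return ecb(zpkOut, clear, false)
}

// RunScenario carries one PIN from ATM to switch to issuer with a logging hook at the switch and returns the PIN the issuer verifies plus whatever the hook logged.
func RunScenario(pin, pan string) (string, []string, error) {
	clear, err := FormatPINBlock(pin, pan)
	if err != nil {
		return "", nil, err
	}
	onWire := ecb(zpkATM, clear, false) // leg 1: the ATM encrypts under its zone key
	var stolen []string                 // the article's "log file"; the PAN travels in the same message
	tap := func(b []byte) {
		p, _ := ExtractPIN(b, pan)
		stolen = append(stolen, p)
	}
	forwarded := TranslatePINBlock(ecb(lmk, zpkATM, false), ecb(lmk, zpkIssuer, false), onWire, tap) // switch: ZPKs are passed LMK-wrapped
	got, err := ExtractPIN(ecb(zpkIssuer, forwarded, true), pan)                                      // leg 2: issuer decrypts and verifies
	return got, stolen, err
}

func main() { fmt.Println(RunScenario("1234", "4111111111111111")) }
```

Run it with `go run` and it prints the PIN the issuer verifies next to the same PIN captured at the switch: both legs are encrypted on the wire, and the exposure is the instant between the two cipher calls. An HSM exists to keep that instant inside the module; the scenario the page describes is code on the unit reading that memory, which is why nothing looks wrong at the ATM.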
Mattress anyone?