ATM PIN number in 15 guesses

Printable View

February 21st, 2003, 08:44 PM
cwk9

ATM PIN number in 15 guesses

The Source: http://www.theregister.co.uk/content/55/29425.html
The Paper its self: http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf <-- !may contain confusing math.

This just reinforces my feelings that credit and debt cards should be scraped and replaced with a more secure system.

Quote:

Cambridge researchers have documented a worrying PIN cracking technique against the hardware security modules commonly used by bank ATMs.

Mike Bond and Piotr Zielinski have published a paper detailing how a complex mathematical attack can yield a PIN in an average of 15 guesses. By design, it shouldn't be possible to guess a four-digit pin in less than an average of 5,000 attempts.

The attack, documented in a paper published earlier this week, is directed against the decimalisation tables used to translate between a card PIN and the hexadecimal value of a PIN generated when the hardware security module checks the validity of a number.

The attack works not by going after the PIN number directly but by manipulating the contents of the decimalisation table in order to gain clues (such as which digits are or are not present in the PIN).

Refining the technique, which allows a PIN to determined in an average of 24 iterations, might allow an attack to succeed in 15 guesses. The methodology of the attack, too mathematically complex to be properly explained in the context of a news story
February 21st, 2003, 11:09 PM
Tedob1

wow interesting and scarry using four digits for a des crypto key and then making it even easier. go figure.

Dont ATM machines limit the number of wrong tries in a given time period? even if they do it wouldn't them take too long, i imagine, to make 15 guesses even given a waiting period.

thats it from now on my money goes inside my matress that way they have to get past a dog and a gun if they want to steal it. and my dog is a dammed good shot.
February 21st, 2003, 11:21 PM
dspeidel

Quote:

Originally posted here by Tedob1

Dont ATM machines limit the number of wrong tries in a given time period? even if they do it wouldn't them take too long, i imagine, to make 15 guesses even given a waiting period.

To the best of my knowledge you lose your card after 3 wrong guesses (I knew people in colleage who forgot the pin and lost the card after 3 guesses).

Cheers,

-D
February 21st, 2003, 11:26 PM
slarty

I'm not worried in the slightest:

1. To the best of my understanding of this article, this attack requires some level of access to the bank's systems - whether this can be achieved by tapping the phone line is unclear, but I expect that's the minimum level of access required.
2. There are much easier ways of getting someone's PIN. Shoulder surfing and duress, being the most straight-forward ones which spring to mind.
3. In posession of my PIN, the attacker still needs to obtain my card, or a clone of it, and know that that is the card that it belongs to (if you have 1,000 cards and PINs, and they are all correct, you still need to know which are which)

So I won't be giving up my convenient use of ATMs, which, let's be honest, enables me to carry much less cash around than I'd otherwise require, hence lessens the chance (and damage) of me getting mugged.
March 4th, 2003, 02:02 PM
DragonK

Yeah, 3 wrong guesses + you need a card which is not yours, don't you? :) + the ATM's security cam = trip to jail...