By Kim Zetter
April 14, 2009
Hackers have crossed into new frontiers by devising sophisticated ways
to steal large amounts of personal identification numbers, or PINs,
protecting credit and debit cards, says an investigator. The attacks
involve both unencrypted PINs and encrypted PINs that attackers have
found a way to crack, according to the investigator behind a new report
looking at the data breaches.
The attacks, says Bryan Sartin, director of investigative response for
Verizon Business, are behind some of the millions of dollars in
fraudulent ATM withdrawals that have occurred around the United States.
"We're seeing entirely new attacks that a year ago were thought to be
only academically possible," says Sartin. Verizon Business released a
report Wednesday that examines trends in security breaches. "What we see
now is people going right to the source ... and stealing the encrypted
PIN blocks and using complex ways to un-encrypt the PIN blocks."
The revelation is an indictment of one of the backbone security measures
of U.S. consumer banking: PIN codes. In years past, attackers were
forced to obtain PINs piecemeal through phishing attacks, or the use of
skimmers and cameras installed on ATM and gas station card readers.
Barring these techniques, it was believed that once a PIN was typed on a
keypad and encrypted, it would traverse bank processing networks with
complete safety, until it was decrypted and authenticated by a financial
institution on the other side.
But the new PIN-hacking techniques belie this theory, and threaten to
destabilize the banking-system transaction process.