Until recently most ATM skimmers had to go through the inconvenient process of extracting PIN numbers from a video of the PIN pad when it was entered. Problems with the camera being blocked or discovered would cause many PINs to be lost. The only improvement implemented was sometimes replacing the entire PIN pad in order to directly save every number entered. Replacing the pad solves the video problem but requires a level of physical access that is rarely possible without being detected.
Visa certifies many ATMs based on their requirements for PIN Entry Devices (PEDs). These requirements are supposed to define how to implement a PED so that no PIN is stolen from the ATM. As an example, one of these requirements is the use of 3DES to encrypt the PIN when sent to the ATM. In the definition of the requirements it states that the PIN must be encrypted even within the PED. Of course because the entry from the pad can not be directly encrypted there must be some interpretation as to how soon the encryption takes place.
Despite this certification process there are several terminals, such as the Ingenico i3300, that have been discovered to be vulnerable by a pair of researchers from Cambridge named Steven Murdoch and Saar Drimer. They discovered that in several models of ATM there were cables from the PIN pad that contained unencrypted PIN data. While the ATMs were designed to detect physical tampering the researchers found that it was not difficult to insert a paperclip that would avoid detection and tap the critical line from the PIN pad.
These ATM devices were allowed to be certified presumably because the unencrypted data is considered to be within the PED or because the data is only single key entries and not a complete PIN. However, these details do not make a significant difference to an attacker. The ATM PIN problem is similar to what would happen if a web user viewed an encrypted web site through an unencrypted web proxy. While the traffic appears encrypted to the server or central ATM computer there is still a large opening for viewing the unencrypted data on the user’s side.
Visa has claimed that this threat is not a real-world threat because it requires specialized knowledge of the ATM terminal. What attack of this type doesn’t require specialized knowledge? Attackers have to research in advance to make sure their second magnetic stripe reader and their camera are well positioned and hidden. Finding out where in the case to insert the paperclip to connect to the PIN wire is not a difficult additional item to research.
Awareness of identity theft and fraud is increasing in the general population. Criminals who make a living from large databases of ATM and credit card numbers are always looking for new ways to steal that information. This new vulnerability will allow fraudsters to gather data on even the most paranoid individuals.
March 1st, 2008 at 10:52 pm
Reports on fraud show that the government and banks should realise that their data protection and Chip and PIN systems are failing to deter fraudsters.
This shows that fraud will continue to grow until they exploit ID KEY system described on website http://www.xwave.co.uk to make signature and PIN systems reliable and foolproof.
Fake documents have made our signature system unreliable while skimmers and pin-hole cameras etc. have made PIN system unreliable. We have option to make signatures reliable by personalising them with ID stickers and option to use Card Key Code to make PIN system reliable to make use of stolen and skimmed cards meaningless. By ignoring to exploit this system banks are only letting fraud crimes grow.
ID KEY system will eliminate the need for us to protect our personal and card details since fraudsters will be deterred from misusing these stolen details.
Proposed ID KEY can be treated as a reliable international ID card because it will personalise signature and PIN number to only the right individuals in any country.