The unbearable lightness of PIN cracking

Authors:
Omer Berkman;Odelia Moshe Ostrovsky
Affiliations:
The Academic College of Tel Aviv Yaffo, School of Computer Science;Algorithmic Research Ltd. and Tel Aviv University, School of Computer Science
Venue:
FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
Year:
2007

Citing 2
Cited 11

Experts systems applied to the analysis of key management schemes

Computers and Security
Why cryptosystems fail

Communications of the ACM

Weighing Down "The Unbearable Lightness of PIN Cracking"

Financial Cryptography and Data Security
A Proof of Concept Attack against Norwegian Internet Banking Systems

Financial Cryptography and Data Security
Blunting Differential Attacks on PIN Processing APIs

NordSec '09 Proceedings of the 14th Nordic Conference on Secure IT Systems: Identity and Privacy in the Internet Age
Type-based analysis of PIN processing APIs

ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Cracking bank PINs by playing mastermind

FUN'10 Proceedings of the 5th international conference on Fun with algorithms
Secure upgrade of hardware security modules in bank networks

ARSPA-WITS'10 Proceedings of the 2010 joint conference on Automated reasoning for security protocol analysis and issues in the theory of security
Non-uniform distributions in quantitative information-flow

Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Automatically deriving information-theoretic bounds for adaptive side-channel attacks

Journal of Computer Security
An introduction to security API analysis

Foundations of security analysis and design VI
Evaluation of a template protection approach to integrate fingerprint biometrics in a PIN-based payment infrastructure

Electronic Commerce Research and Applications
IBM 4765 cryptographic coprocessor

IBM Journal of Research and Development

Quantified Score

Hi-index	0.00

Visualization

Abstract

We describe new attacks on the financial PIN processing API. The attacks apply to switches as well as to verification facilities. The attacks are extremely severe allowing an attacker to expose customer PINs by executing only one or two API calls per exposed PIN. One of the attacks uses only the translate function which is a required function in every switch. The other attacks abuse functions that are used to allow customers to select their PINs online. Some of the attacks can be applied in switches even though the attacked functions require issuer's keys which do not exist in a switch. This is particularly disturbing as it was widely believed that functions requiring issuer's keys cannot do any harm if the respective keys are unavailable.