Experts systems applied to the analysis of key management schemes
Computers and Security
Communications of the ACM
Weighing Down "The Unbearable Lightness of PIN Cracking"
Financial Cryptography and Data Security
A Proof of Concept Attack against Norwegian Internet Banking Systems
Financial Cryptography and Data Security
Blunting Differential Attacks on PIN Processing APIs
NordSec '09 Proceedings of the 14th Nordic Conference on Secure IT Systems: Identity and Privacy in the Internet Age
Type-based analysis of PIN processing APIs
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Cracking bank PINs by playing mastermind
FUN'10 Proceedings of the 5th international conference on Fun with algorithms
Secure upgrade of hardware security modules in bank networks
ARSPA-WITS'10 Proceedings of the 2010 joint conference on Automated reasoning for security protocol analysis and issues in the theory of security
Non-uniform distributions in quantitative information-flow
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Automatically deriving information-theoretic bounds for adaptive side-channel attacks
Journal of Computer Security
An introduction to security API analysis
Foundations of security analysis and design VI
Electronic Commerce Research and Applications
IBM 4765 cryptographic coprocessor
IBM Journal of Research and Development
Hi-index | 0.00 |
We describe new attacks on the financial PIN processing API. The attacks apply to switches as well as to verification facilities. The attacks are extremely severe allowing an attacker to expose customer PINs by executing only one or two API calls per exposed PIN. One of the attacks uses only the translate function which is a required function in every switch. The other attacks abuse functions that are used to allow customers to select their PINs online. Some of the attacks can be applied in switches even though the attacked functions require issuer's keys which do not exist in a switch. This is particularly disturbing as it was widely believed that functions requiring issuer's keys cannot do any harm if the respective keys are unavailable.