
MemeStreams Discussion



This page contains all of the posts and discussion on MemeStreams referencing the following web page: Decimalisation Table Attacks for PIN Cracking [PDF].

Decimalisation Table Attacks for PIN Cracking [PDF]
by Jeremy at 1:26 pm EST, Feb 22, 2003

We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures.

By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess. It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended.

In a single 30 minute lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw $30-50 thousand of this each day.

This attack thus presents a serious threat to bank security.

Ross Anderson's students are getting into the act.

(You can also find a mirror copy of this paper, with slightly different formatting, at http://cryptome.org/dtapc.pdf )


There is a redundant post from Darwin not displayed in this view.
 
 