Sister CISA CISSP

Apr 15 2009   7:01PM GMT

The Beginning of the End for PIN Codes



Posted by: Arian Eigen Heald
Tags:
Automatic Theft Machines
Data Breaches
PCI DSS
Security Devices

Yesterday Wired released a story that reveals a startling detail about the TJMaxx data breach: the hackers were able to cash in on stolen debit cards because they had a way to crack PINs.

This “minor detail” was buried in an affidavit last year, but Wired has put it together with other information floating around the net, and the article is a really good read on what happens to your debit-card PIN as it transits the various networks on its way to approval. The PIN travels as an encrypted PIN block, and at every hop from one network to the next a Hardware Security Module (HSM) decrypts it under the inbound zone's key and re-encrypts it under the outbound zone's key. That is a lot of hops, and each one is an opportunity for capture with the help of an insider or some sniffing malware.
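To make the hop-by-hop translation concrete, here is an added example of mine in Go (it is not code from the Wired story, the affidavit, or any payment network). It builds an ISO 9564 format 0 PIN block from a PIN and PAN, encrypts it under a two-key Triple DES zone key the way an ATM would, and then walks it through two HSM translations (ATM to acquirer, acquirer to issuer's network). The keys, PAN and PIN are made-up test values. In a real network the clear PIN block exists only inside the HSM during a translate command; the example returns it from Translate purely so you can see what an attacker who gets hold of a zone key, or who can drive the HSM at that hop, would be looking at.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ZoneKey is a double-length (16-byte, two-key) Triple DES PIN encryption key.
// Each zone (ATM-to-acquirer, acquirer-to-switch, switch-to-issuer) has its own
// key, and only the HSMs at the two ends of that zone hold it.
type ZoneKey [16]byte

// mustKey parses a 32-hex-digit constructed test key (not a real key).
func mustKey(h string) ZoneKey {
	var k ZoneKey
	if _, err := hex.Decode(k[:], []byte(h)); err != nil {
		panic(err)
	}
	return k
}

// block returns a TDES cipher for the two-key form K1||K2||K1.
func (k ZoneKey) block() cipher.Block {
	full := make([]byte, 24)
	copy(full, k[:])
	copy(full[16:], k[:8])
	c, err := des.NewTripleDESCipher(full)
	if err != nil {
		panic(err) // only possible with a wrong key length
	}
	return c
}

func allDigits(s string) bool {
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return len(s) > 0
}

// panField is the ISO 9564-1 format 0 PAN field: 0000 followed by the
// rightmost twelve digits of the PAN after its check digit is dropped.
func panField(pan string) ([8]byte, error) {
	var out [8]byte
	if !allDigits(pan) || len(pan) < 13 {
		return out, errors.New("PAN must be at least 13 digits")
	}
	body := pan[:len(pan)-1]
	_, err := hex.Decode(out[:], []byte("0000"+body[len(body)-12:]))
	return out, err
}

// EncodePINBlock builds a clear format 0 PIN block: the PIN field
// (0, PIN length, PIN digits, F padding) XORed with the PAN field.
func EncodePINBlock(pin, pan string) ([8]byte, error) {
	var blk [8]byte
	if !allDigits(pin) || len(pin) < 4 || len(pin) > 12 {
		return blk, errors.New("PIN must be 4 to 12 digits")
	}
	pf := fmt.Sprintf("0%X%s", len(pin), pin)
	pf += strings.Repeat("F", 16-len(pf))
	if _, err := hex.Decode(blk[:], []byte(pf)); err != nil {
		return blk, err
	}
	af, err := panField(pan)
	if err != nil {
		return blk, err
	}
	for i := range blk {
		blk[i] ^= af[i]
	}
	return blk, nil
}

// DecodePINBlock recovers the PIN from a clear format 0 block, rejecting
// blocks whose format nibble, length nibble or padding are wrong.
func DecodePINBlock(blk [8]byte, pan string) (string, error) {
	af, err := panField(pan)
	if err != nil {
		return "", err
	}
	var pf [8]byte
	for i := range pf {
		pf[i] = blk[i] ^ af[i]
	}
	s := strings.ToUpper(hex.EncodeToString(pf[:]))
	n := int(pf[0] & 0x0F)
	if s[0] != '0' || n < 4 || n > 12 {
		return "", errors.New("not a format 0 PIN block")
	}
	pin := s[2 : 2+n]
	if !allDigits(pin) || strings.Trim(s[2+n:], "F") != "" {
		return "", errors.New("corrupt PIN block")
	}
	return pin, nil
}

// Encrypt is what the ATM's PIN pad does with the clear block.
func Encrypt(k ZoneKey, clear [8]byte) (enc [8]byte) {
	k.block().Encrypt(enc[:], clear[:])
	return
}

// Decrypt is what the issuer's HSM does before verifying the PIN.
func Decrypt(k ZoneKey, enc [8]byte) (clear [8]byte) {
	k.block().Decrypt(clear[:], enc[:])
	return
}

// Translate is what the HSM at a network boundary does: decrypt under the
// inbound zone key, re-encrypt under the outbound one. The clear block is
// returned here only so the example can show what exists inside the HSM at
// that moment; a real translate command never releases it.
func Translate(in, out ZoneKey, enc [8]byte) (reenc, clear [8]byte) {
	clear = Decrypt(in, enc)
	reenc = Encrypt(out, clear)
	return
}

func main() {
	// Constructed test values, not real keys or card data.
	atmKey := mustKey("0123456789ABCDEFFEDCBA9876543210")
	acquirerKey := mustKey("1111111111111111AAAAAAAAAAAAAAAA")
	issuerKey := mustKey("2222222222222222BBBBBBBBBBBBBBBB")
	pin, pan := "1234", "4000001234567899"

	clear, err := EncodePINBlock(pin, pan)
	if err != nil {
		panic(err)
	}
	atm := Encrypt(atmKey, clear)                              // leaves the PIN pad
	hop1, seen1 := Translate(atmKey, acquirerKey, atm)         // acquirer HSM
	hop2, seen2 := Translate(acquirerKey, issuerKey, hop1)     // network switch HSM
	got, err := DecodePINBlock(Decrypt(issuerKey, hop2), pan)  // issuer HSM
	fmt.Printf("clear block        %X\n", clear[:])
	fmt.Printf("under ATM key      %X\nunder acquirer key %X\nunder issuer key   %X\n", atm[:], hop1[:], hop2[:])
	fmt.Printf("clear inside HSM at hop 1: %X, hop 2: %X\n", seen1[:], seen2[:])
	fmt.Println("issuer recovers PIN:", got, err)
}
```

The point to take from running it: the ciphertext changes at every zone boundary, but the same clear block (041234FEDCBA9876 for these test values) is reconstituted inside the HSM at each one, so each hop is a separate place where a stolen zone key or an abused HSM command hands the attacker the PIN.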

“While statistically not a large percentage…in 2008, attacks against PIN information represent individual data-theft cases having the largest aggregate exposure in terms of unique records,” says the report. “In other words, PIN-based attacks and many of the very large compromises from the past year go hand in hand.”

Although there are ways to mitigate the attacks, experts say the problem can only really be resolved if the financial industry overhauls the entire payment processing system.

Ouch.

Clearly, PIN-based authentication has been cracked, and will be cracked more and more. Leave your debit card at home and Pay Cash Instead.
