The last frontier of personal finance fraud may have been hit this week with a report claiming that hackers are now able to steal large numbers of personal identification numbers (PIN).
Bryan Sartin, director of investigative response for Verizon Business, claimed that the attacks involve both unencrypted and encrypted PINs, that attackers have found a way to crack.
He has refused to reveal which institutions were hit or indicate exactly how much stolen money was being attributed to the attacks. He did claim that ‘what we see now are people going right to the source, and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks'.
Verizon's 2009 Data Breach Investigations report claims that the hacks have resulted in ‘more targeted, cutting-edge, complex and clever cybercrime attacks than seen in previous years'.
The report claimed that some of the attacks involve grabbing unencrypted PINs while they sit in the memory of banking systems during the authorisation process, although the most sophisticated attacks involve encrypted PINs.
So how exactly does this work, and why has this only come to light now? Sartin explained that the attacks involving encrypted PINs involve a device called a hardware security module (HSM) that sits on bank networks, through which PIN numbers pass on their way from an ATM or retail cash register to the card issuer.
This is tamper-resistant that provides a secure environment for certain functions, such as encryption and decryption, to occur.
As PIN numbers are supposed to be encrypted in transit, which should theoretically protect them if someone intercepts the data, the problem lies in the fact that a PIN must pass through multiple HSMs across multiple bank networks en route to the customer's bank.
These HSMs are configured and managed differently, some by contractors not directly related to the bank. At every switching point, the PIN must be decrypted, and then re-encrypted with the proper key for the next leg in its journey, which is itself encrypted under a master key that is generally stored in the module or in the module's application programming interface.
So the problem is at the level of the HSM, which Verizon has pinpointed as being the weakest link. Sartin claimed that the root of this problem is that hackers are said to be tricking the HSM into providing the encryption key.
He said that this was possible due to poor configuration of the HSM, or vulnerabilities that are created from having bloated functions on the device.
Michael Callahan, senior vice president of Credant Technologies claimed that the discovery is the direct result of sloppy security practices.
Callahan said: “The report claims to show that criminal fraudsters are intercepting the weakest links in the multi-hop network path between one bank's ATM and the home network of the card being used. The fraudsters appear to have realised that each HSM at each 'stop' on the transaction authorisation route has to decrypt the PIN and its associated card data string and then re-encrypt the data stream using its own algorithms for next leg.”
Sartin says HSMs need to be able to serve many types of customers in many countries where processing standards may be different from the US. As a result, the devices come with enabled functions that aren't needed and can be exploited by an intruder into working to defeat the device's security measures.
Therefore once a thief captures and decrypts one PIN block, it becomes trivial to decrypt others on a network.
Callahan claimed that with card ATM-to-bank-computer routes typically traversing several network hops - especially in North America – the fraudsters are given a chance to take advantage of a smaller bank's HSM security.
“Double levels of encryption are nothing new in high level security circles. It's a shame that the banks appear to have overlooked this issue when designing their ATM networks. There is nothing to stop banks adding military grade encryption as an underlay to their existing HSM-based network encryption system and so ensuring their cardholders are safe from this new type of hacking exploit,” Callahan added.
Verizon also pointed to another failure of the HSM, as once an encrypted PIN arrives at the HSM at the issuing bank, the HSM communicates with the bank's mainframe system to decrypt the PIN and the customer's 16-digit account number for a brief period to authorise the transaction.
Sartin claimed that during that period, the data is briefly held in the system's memory in unencrypted form and some attackers have created malware that scrapes the memory to capture the data.
Describing it as a ‘huge vulnerability', Sartin said: “Memory scrapers are in as much as a third of all cases we're seeing, or utilities that scrape data from unallocated space.
“These victims don't see it. They rely almost purely on anti-virus to detect things that show up on systems that aren't supposed to be there. But they're not looking for a 30-gig file growing on a system.”
Quite how this is going to be tackled remains a dilemma for the banks, which may have bigger fish to fry at this moment. The best advice seems to be to control when you withdraw money from an ATM, get a receipt every time and check the status of your account. If you don't, the hacker will.