Re: HELP, Vulnerability in Debit PIN Encryption security, possibly
From: contact (contact_at_eversealsolutions.com)
Date: Wed, 7 May 2003 01:20:04 -0700
It's an interesting article but as you say, it's ten years old. The writer
seems to address this from the UK point of view. Just in general, at that
time, the difference in systems between the US and Europe were profound.
In the US, all the systems I have ever worked on have been real-time,
on-line systems that checked PINs with the issuing bank. In Europe this was
not the case (unless it has changed recently) where PIN encryption had to be
derived from the card number because the card PIN was checked at the
terminal. In fact, I believe the entire background and impetus driving
Smart Cards was the desire to securely use PINs on a local verification
system (not necessarily the case now) so they did not have to go on-line for
verification. I will agree that a great many large acceptors of Debit cards
do indeed do a better job of encrypting PINs than the banks do (because it's
their wallet on the line, not the bank's).
A well made PIN entry and encryption device should protect its Key data and
I believe most do. Most big users at least have some method of verifying
operation and security, if only by using previously accepted industry
standards (yeah, I know, it's the everybody does it syndrome). However,
it's not entirely a false paradigm. If a PIN entry device was known to be
vulnerable, that company would face an enormous problem and loss of business
since word would get around pretty quickly.
The DUKPT is one of the better systems and a lot of systems use this and are
now looking at using triple-DES along with DUKPT. I believe a few still use
MasterKey/Session key systems but these are going away. The good part about
DUKPT, is that if it is implenmented correctly, a person who spent large
amounts of time and dollars decrypting a single PIN would only have that one
PIN. He does not have the keys to decrypt any other PIN on the system. Note
the qualifier "implemented correctly".
As late as two years ago, in Germany (the origin of the original poster),
the banks had a lock on the devices that could be used for verifying PINs at
a remote location. In fact for the unattended devices we were designing for
the German market, there were only three approved PIN entry devices that had
to be key loaded by the banks because they were off-line systems. So who
knows how they really work.
Your comments and the comments in the article about implementation failures
are well noted, but I took the original poster to be concerned about the PIN
entry devices themselves and the encryption systems themselves.
The points in the article about the ATMs are interesting and match what I
have observed. I have seen a ATM service man enter the entire main key by
himself. I also have heard that many ATMs share the same key but I can't
confirm this. The banks seem to have the idea that it's their money and
they'll do what they want. In general, I have noticed that the restrictions
they place on third party PIN/key/device handlers are more severe than the
ones they subject themselves too.
If someone knows and can answer the question, it was my understanding that
some Smart Cards allowed/required the entry of an authenticating PIN into
the card itself to be in the CLEAR. Creating an unencrypted path for easy
Still, I think the article you cite simply enforces my belief by the
sentence in his second paragraph:
"It turns out that the threat model commonly used by cryptosystem designers
was wrong: most frauds were not caused by cryptanalysis or other technical
attacks, but by implementation errors and management failures."
A well designed system should prevent any employee from having access to a
customer's PIN. Unfortunately, I don't think that that is the case with
most banks (I could be wrong, but I know bank employees can assign a PIN
number for you, and they obviously know it when they key it into the
system). But at least, in the USA, PINs are not dervied from the PAN.
For now, I think I'll stick by my original assertion but I'm open to being
corrected. The image of the guy peeling open the PIN entry device and
recovering the keys to the kingdom is not one I would worry about a great
deal with the devices I have designed, used, and seen. And yes, I still
think shoulder surfing is one of the main ways of obtaining a PIN in the
Which brings up an interesting point. I believe most of the fraud is a
result of the US credit card system, not the debit card system (stolen
numbers on white cards, fake VISA cards, re-encoded cards, etc.). All of
this encryption stuff is subject to economic considerations in the real
world. Until the banks and card issuers find it more expensive to deal with
fraud than upgrade their systems, they will continue to absorb the fraud
dollars as a cost of doing business. What's interesting is that nearly every
card issuer could make it's fraud dollars go to near zero by simply
requiring a PIN entry on every transaction, including credit card (as
opposed to debit cards) transactions. They don't do this because they don't
want to inconvenience their customers. But I can't think of a store that I
have been in lately that didn't have the ability to accept a PIN entry so I
believe the banks could change the model for credit card use to require a
PIN almost overnight if they chose to do so. Nobody wants to go first and
drive their customers away.
"Roger Fleming" <firstname.lastname@example.org> wrote in message
> contact wrote:
> > No I'm not. While there are numerous reports of academia breaking
> > encryption schemes, I repeat, there has never been a case to my
> > where a criminal has obtained PIN numbers by actually breaking the
> > encryption. [...]
> > Before you lose your lunch laughing, try giving us a few facts backing
> > your claim.
> > Show us a link in the REAL WORLD where a PIN number has been stolen by
> > breaking the PIN entry encryption. I'll be waiting.
> That was not the question. Mr. Michaels was concerned about
> vulnerabilities in the architecture, or software defects, allowing
> keying material to be educed. You initially replied that "there has
> never been an instance that I am aware of where the PIN encyrption
> system has been breached" - a statement which seems to be addressing
> his question, rather than being restricted to breaking the cipher. To
> that extent, you are certainly wrong (well, apart from the "that I am
> aware of" qualifier), since PIN encryption systems have been breached
> by criminals many times.
> "chaussette" asked if you were joking, and correctly pointed out that
> vulnerabilities have been discovered in PIN generation and
> cryptoprocessor APIs. However this is not merely academic; there have,
> in fact, been thefts committed by people exploiting defects in system
> architecture or protocols. For the classic, fascinating introduction
> to this topic see:
> This paper from Prof. Anderson is now a bit old, but there are other
> newer ones on the same site that may also interest you.
> I note that you claim "Shoulder surfing is the most prevalent way".
> This does not accord with Prof. Anderson's research, which seems to
> indicate that postal interception, and administrative blunders by the
> banks, are the most common problems . Nevertheless it is *claimed*
> to be the case by the banks, who have traditionally adopted a "deny
> everything, and lie if cornered" approach to the problem. Indeed,
> recently a bank has obtained a court injunction on publication of
> research by some of Prof. Anderson's students (on a vulnerability in
> hardware security modules which potentially enables a dishonest bank
> employee to untraceably steal up to fifty thousand pounds a day from
> customer accounts).
> You also claim "Inside jobs account for many stolen PINs and PANs."
> This is true but cold comfort to the victim, and represents a failure
> of the protection mechanisms since they are specifically designed to
> avoid disclosure to bank employees (that being the most common form of
> *all* bank fraud), and is exactly the sort of thing Mr. Michaels
> should look at.
> Note 1:
> Actual examples of allegedly common malpractices include: external
> maintenance engineers being given both halves of the master keys
> because senior branch officers don't like standing around waiting
> while ATMs are serviced; and banks which allow replacement card
> production and PIN mailer printing to be done by the same person,
> apparently without audit (in at least one case, this was a deliberate
> decision in order to reduce staff numbers).