hink about the prospect of someone being able to determine your debit card Personal Identification Number (PIN) after only 15 attempts. Until now, the encryption standards surrounding PIN storage have assumed that a minimum of 5,000 attempts would be required to "correctly guess" the four-digit PIN for any one cardholder's account. Just as our society begins to accept that our payment system evolution is moving inevitably toward a PIN-based debit future, a couple of professors at Cambridge University uncover a potentially serious flaw in PIN-generation integrity. Mike Bond and Piotr Zieli_nski recently published a Technical Report that presents mathematical arguments that current ATM PIN integrity may not be as strong as the banking industry had previously assumed.

Another interesting dimension of this Technical Report is the introduction of "phantom withdrawals" - the condition where a PIN cardholder denies having made the transaction. This document and its authors have been included as expert witnesses for the defense in a UK lawsuit filed by Diners Club against a British couple.

Diners is trying to recover on 190 ATM transactions for $80,000 of withdrawals. The cardholders argue that they were not responsible for these transactions because they occurred while they were out of the country. Diners claims this is not possible because its ATM network and PIN infrastructure are secure. The cardholders are claiming that someone else must have gained access to their card information - hence, these "phantom withdrawals." This Technical Report explains how such an event could occur.

Executive Summary

Before exploring the arguments made by Bond and Zielinski, it would be helpful to first refresh our memories on the longstanding need by financial institutions to identify and authenticate their customers in a manner that isn't unduly offensive or time-consuming. As an example, each time a check is cashed or a new account is opened, the financial institution needs to balance the need for security against making the experience pleasant for the customer.

This principle also applies to processing funds at ATMs or POS terminals. Identification and authentication (I&A)(1) procedures involve at least one or a combination of three types of factors:

1. Something an individual has - such as a driver's license or credit card.
2. Something an individual knows - a confidential piece of information, such as a social security number or PIN or password.
3. Something an individual is - a unique trait, such as a signature, photograph or biometric (fingerprint or iris scan).

This logic process has led us to where we find ourselves today, with the card (something unique that the customer has) and PIN (something the customer uniquely knows) representing the acceptable balance of risk and convenience to both consumers and financial institutions. This also explains why, when you remove the PIN or signature from an electronic funds transfer transaction (cardholder not present), the fraud exposure goes up and the liability shifts to the merchant and away from the financial institution.

Now that we have established the utility of the card/PIN factors as an acceptable framework for funds movement in our increasingly digital world, it is necessary to briefly discuss the concept of transaction integrity.

When a PIN transaction is created, there typically are two numbers that are needed to complete the authorization. One is the Personal Account Number (PAN) found embossed on the face of the card and encoded on the magnetic stripe, and the second is the PIN.

The PIN pads that are found at most checkout lanes and ATMs have been certified as to their ability to immediately encrypt the numbers taken from the card swipe (PAN) along with those keys entered by the cardholder (PIN) to ensure that these digits are never "in the clear."

That means that, as soon as the customer swipes the card and enters the PIN, these confidential numbers are encrypted or scrambled in such a fashion that a third party can't monitor the phone lines to record and re-use these numbers in the form of a fraudulent transaction.

Once the encrypted transaction is routed to the cardholder's bank, the data is reassembled within a computer security module for account look-up and authorization. Without this end-to-end transaction integrity, cardholder banks could not stand behind the settlement of transactions on behalf of their customers - thus, the Diners Club lawsuit.

Now we can turn to the Bond/Zielinski Technical Report to discuss their findings. The authors acknowledge that the flaw they uncovered can only be exploited by trusted employees - computer programmers, most likely - within a bank's operations center who have access to technical documentation on the PIN generation/encryption and decryption process.

They also acknowledge that the degree to which this fraud exposure varies is based on the ATM hardware manufacturers' PIN-generation methodology. The focus of their discussion is directed toward IBM's approach, which was the forerunner of ATM deployments and set the benchmark followed by most other ATM manufacturers today.

Those interested enough to read this Technical Report will find that Bond/Zielinski employ a series of complex mathematical proofs that are beyond the scope of this column to explain in detail. In layman's terms, the researchers have taken an unexpected approach to bridging the security barrier known as "brute force" attacks on breaking an encrypted PIN.

Secure environments, such as ATM systems, operate through a set of hardware security modules that can give a "yes or no" answer for a given gate-opening instruction - such as gaining access to one's checking account balance or making a funds transfer. The level of security is typically measured by how many attempts, on average, it would take to correctly guess the "yes" answer if you were not the authorized party. In the current ATM PIN world, the number of attempts ranges between 5,000 and 10,000 - a number felt to be adequate security by most banks.

At the physical ATM, these devices can be programmed to restrict the number of times a cardholder can incorrectly enter a PIN before the ATM denies access or "eats" the card and instructs the customer to contact the bank for a re-issue. Therefore, the attack described by the authors of this Technical Report needs to originate at the data center, where access can be gained to the bank's security module along with access to the technical documentation on these modules.

Bond/Zielinski focused their research on testing PIN vulnerability on the internal tables found within the ATM bank's security modules that are used to mathematically translate between the various transformations a PIN makes from the key pad to the ATM memory and across the network back to the security module within a bank's mainframe.

These tables are referred to as "decimalization tables" - hence, the Technical Report's title. The authors have developed a series of mathematical deductions starting from an individual PAN and narrowing the possibilities of the correct PIN down to 15 attempts rather than the expected 5,000-10,000 assumed by most security auditors. The practical effect of using this technique, as stated in the Technical Report's introduction is:

"In a single 30-minute lunch break, an attacker can thus discover approximately 7,000 PINs rather than 24 with the brute force method. With a œ300 withdrawal limit per card, the potential bounty is raised from œ7200 to œ2.1 million and a single motivated attacker could withdraw œ30-50,000 of this each day. The attack thus presents a serious threat to bank security."

Of course, we realize that the threat described requires a series of succeeding assumptions that narrow the probability of this cracking attack from taking place. Nonetheless, Citibank responded to this discovery with a legal filing to suppress the disclosure of the Bond/Zielinski Technical Report. Before the British courts could act on Citibank's petition, it was published on the Internet - or I may never have had a chance to discuss this document in this column.

Citibank would argue that the details of this document should not get in the hands of the "bad guys." On the other hand, if Citibank has this concern, does it not logically follow that the security risk is real and deserves further validation and, possibly, increased security measures?

Recent history has shown that software companies as large as Microsoft have chosen to ignore fixing their security defects until external pressures build to a point that it becomes necessary to take corrective action. One could argue that the banking industry, more than other industries, needs to take a proactive approach to any newly found vulnerability in order to preserve the public confidence.

This principle is especially important to the ISO community as our society migrates from physical/trusted documents, such as the check, to digital replacements, such as PIN-based check cards.

Web Sites for More Information