All the latest UK technology news, reviews and analysis
|
|
|
04 Apr 2006
Last year's 600,000 debit card breach in the US revealed that hackers had easily obtained the cards' magnetic strips, Pins and encryption keys.
Current rules governing the security of transactions require that retailers immediately erase and/or encrypt transaction data at the point of sale when the transaction has been completed.
However, some point of sale devices are retaining the data within maintenance and troubleshooting software called 'trace utilities'. Worse yet, the keys used to encrypt the Pin are also being stored.
It is therefore relatively simple for the hacker to grab the file from the maintenance and troubleshooting software and use the encryption key to reveal the underlying Pin. The theft did not require physical access to the point of sale devices.
A researcher from Gartner has suggested that, in this particular case, it is likely that the hackers simply plucked the Pins out of thin air using a laptop computer while parked outside the retailer.
As has been typical in recent data breaches it was not a single weakness but a combination that made the Pin theft possible.
• The maintenance and troubleshooting software that stored the data was never intended to be used in a production environment.
• The encryption key used to immediately encrypt the Pin after it is entered in to the keypad was stored along with the encrypted Pin.
• The transmission of the data over a wireless network carries the inherent risk that the data can be captured and ultimately revealed in clear text.
The use of Pins to replace signatures in card transactions is now mandatory in the UK. Hopefully the news of the Pin theft in the US will be a wakeup call to ensure that the underlying technologies and methodologies do not offer cyber-criminals the same opportunities.
Latest stories from Security
Related articles
Related jobs
Poll
What is the most important IT priority for your company this year?
Hands on with the highly anticipated Android 4.0 Ice Cream Sandwich hybrid tablet
Connect with V3.co.uk
This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes
Why good data management at all levels is essential in the modern business (video, 6mins)
(Roc Search - Network Support Engineer, 2nd line, 3rd...
3rd Line Engineer / Infrastructure Engineer - Berkshire...
MySQL SQL SERVER DBA / Database Administrator - Online...
PMO Analyst - Banking Client A financial organisation...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
No confusion
The rest of the world processes online PINs the same as US And Canada. Keys are injected or loaded into PIN pads and the key is shared with the first processing switch in the network. The merchant does not have access to the key unless it is acting as a switch. All implementations that I am aware of use HSMs for the key translation. Keys for PIN encryption/decryption are NOT stored in merchant's servers.
Posted by: Scott 06 Apr 2006
PIN Confusion???
I'm confused or maybe just naive on how the rest of the world works?.. I've see a few stories like this one of late where they refer to PIN's and decryption keys. Here in the US and in Canada, the bank or processor injects the PIN pads with the keys and any merchant or vendors in the middle do not have access to these keys so storing the encrypted PIN with the key is highly unlikely unless you are referencing the bank or processor? If the rest or the world handles PIN's and specifically PIN pads differently, please let me know otherwise, where are these facts coming from?
Posted by: Steve Sommers 05 Apr 2006
PIN encryption keys
I keep reading that the PIN encryption keys, used to immediatly encrypt PINS in the PIN pad were stored on a database. I work in the industry and do not believe this is the case. PINs are injected into PIN pads at key loading facilities and are used between the PIN pad and the first processing node. The cryptogram passes through the in store system. Cryptograms of PINs and card stripe data are likely to have been stored in a trace log or some other database, but it is highly unlikely that the PIN encryption keys were as well.
Posted by: Scott 04 Apr 2006