
ARX Reveals PIN Processing Weaknesses that Allow Payment-card Fraud

CARTES '06, Paris, France, November 7, 2006

Algorithmic Research (ARX), a provider of electronic signatures and data-security solutions, has uncovered a serious security vulnerability in the Financial PIN (Personal Identification Number) Processing systems of banks worldwide.

The discovery was made together with Dr. Omer Berkman from the Academic College of Tel-Aviv Yaffo and Mrs. Odelia Ostrovsky from the Tel-Aviv University. The research paper may be accessed here.

"The vulnerability could enable the exposure of the PIN codes of Magnetic strip and EMV cards used by millions of customers," says Ezer Farhi, VP of R&D, ARX.

The flaw would allow an attacker to discover PIN codes, for example, when entered by customers while withdrawing cash from an ATM (Automatic Teller Machine).

Attacks based on these vulnerabilities are extremely severe and could be undertaken by anyone with access to the online PIN verification facility or switching processes.

“A bank insider could use an existing Hardware Security Module (HSM) to reveal the encrypted PIN codes and exploit them to make fraudulent transactions, or to fabricate cards whose PIN codes are different than the PIN codes of the legitimate cards, and yet all of the cards will be valid at the same time,” says Ostrovsky. “Even worse, an insider of a third-party Switching provider could attack a bank outside of his territory or even in another continent.”

ARX's cryptographic experts offer solutions implemented in the PrivateServer HSM, as well as a list of recommendations on how to confront the weaknesses that make these attacks possible.

For further information visit the ARX booth No. 4M112 at the Cartes 2006 show or visit www.arx.com/products/private-server-hsm.


About PrivateServer

PrivateServer is ARX’s highly secure (FIPS 140-2 Level 3), network attached, Hardware Security Module (HSM) that provides a secure environment for data encryption. PrivateServer conducts sensitive cryptographic operations, secure key storage, and management of a large number of keys. For more information visit http://www.arx.com/products/private-server-hsm.


About ARX

Algorithmic Research (ARX) is a leading global provider of electronic-signature and data-security solutions. ARX engineers and scientists have more than 20 years of experience in security-related applications. ARX helps businesses secure, streamline, and scale their business processes and transactions with the proper controls required by legislation, regulation, and industry best practices. Visit us at http://www.arx.com.


###

PrivateServer is a trademark of Algorithmic Research Ltd. All trade names and trademarks are the property of their respective holders.


Press Contact:
Ashley Miller
ARX
(415) 839 8161
Ashley@arx.com