ARX Reveals PIN Processing Weaknesses that Allow Payment-card Fraud
CARTES '06, Paris, France - November 7, 2006
Algorithmic Research (ARX), a provider of electronic signatures and data-security solutions, has uncovered a serious security vulnerability in the Financial PIN (Personal Identification Number) Processing systems of banks worldwide.
The discovery was made together with Dr. Omer Berkman from the Academic College of Tel-Aviv Yaffo and Mrs. Odelia Ostrovsky from Tel-Aviv University. The research paper may be accessed here.
"The vulnerability could enable the exposure of the PIN codes of magnetic strip and EMV cards used by millions of customers," says Ezer Farhi, VP of R&D, ARX.
The flaw would allow an attacker to discover PIN codes, for example, when entered by customers while withdrawing cash from an ATM (Automatic Teller Machine).
Attacks based on these vulnerabilities are extremely severe and could be undertaken by anyone with access to the online PIN verification facility or switching processes.
"A bank insider could use an existing Hardware Security Module (HSM) to reveal the encrypted PIN codes and exploit them to make fraudulent transactions, or to fabricate cards whose PIN codes are different than the PIN codes of the legitimate cards, and yet all of the cards will be valid at the same time," says Ostrovsky. "Even worse, an insider of a third-party Switching provider could attack a bank outside of his territory or even in another continent."
ARX's cryptographic experts offer solutions implemented in the PrivateServer HSM, as well as a list of recommendations on how to address the weaknesses that make these attacks possible.
For further information visit the ARX booth No. 4M112 at the Cartes 2006 show or visit www.arx.com/products/data-encryption.php

About PrivateServer™
PrivateServer is ARX's highly secure, network-attached Hardware Security Module (HSM) that provides a secure environment for conducting sensitive cryptographic operations, secure key storage, and management of a large number of keys.
PrivateServer provides a cost-effective, highly secure (FIPS validated), and reliable solution. PrivateServer offers solutions to a versatile range of industries: financial, commercial, and governmental. More information about PrivateServer is available here.
About Algorithmic Research (ARX)
Algorithmic Research (ARX) is a leading global provider of electronic-signature and data-security solutions. The company offers a wide range of high-end, state-of-the-art products and services designed to simplify, secure, and accelerate electronic transactions. ARX specializes in designing and implementing easy-to-use, simple-to-deploy electronic-signature and security solutions, combining software and hardware products, for small, medium, and large computing environments.
ARX has more than 18 years of experience in assisting financial institutions, governmental organizations and commercial sectors to secure and streamline their processes and transactions.
More information about ARX is available here.