The Bankwatch

Tracking the consumer evolution of financial services

Schneier on Security: Attacking Bank-Card PINs

Being a security expert must be one of the most depressing jobs on the planet.  You can see all the flaws, but getting the business folks to buy in, or even half understand, is difficult at best.

That’s the challenge Bruce Schneier exemplifies with this post.

One of the most disturbing aspects of the attack is that you’re only as secure as the most untrusted bank on the network. Instead of just having to trust your own issuer bank that they have good security against insider fraud, you have to trust every other financial institution on the network as well. An insider at another bank can crack your ATM PIN if you withdraw money from any of the other bank’s ATMs.

Source: Schneier on Security: Attacking Bank-Card PINs

It’s worth reading the comments … even just the first 25 or 30.  There is clearly a mix of folks in there, but some of them are experts, and that is clear from what they write.

The only small aside I can see in this is that crimes committed under this flaw are not really scalable.  At best the bad guys would get some PINs, and by the time they could galvanise enough criminals at enough ATMs to withdraw the cash, the overall take, while devastating for the individual account holders, would not be worthwhile for the big gangs.

But that in no way diminishes the risk.

Relevance to Bankwatch:

The real risk in all this is reputational risk: reputational risk to the individual banks and to their bank cards.  It could promote a drive to cash, or worse, a drive to pull money out of a bank.  At worst, a classic run on a bank.  The mere fact that criminal gangs cannot get much does not mean this will not happen, because it will.  Banks must take this seriously and seek ways to eliminate the weakest-link-in-the-chain risk, where every bank on the network is only as secure as the least trustworthy member, as well as the PIN risk itself.



Written by Colin Henderson

November 21, 2006 at 12:13

Posted in Security

3 Responses


  1. I think this attack does in fact scale “nicely” and is very attractive to gangs. Just bribe a bank employee in a low-security payment processor (ATM switch) to put your rogue software on a server attached to the HSM. Sit back and collect 10,000 card numbers + associated PINs. Then hire a hierarchy of low-level criminals – 5 area leaders each recruiting 5 lieutenants, each of which recruits 5 “soldiers”. Each soldier gets 80 white cards + PINs and a list of a few ATMs. In a single weekend all the withdrawals can be made simultaneously and gross $5M (assuming a $500 withdrawal limit per account).
    What I described here is not far-fetched – in fact the Israeli Discount Bank was attacked by such a hierarchical gang a couple of years back. You can read about it here:,7340,L-2467293,00.html (Hebrew news report – $2M withdrawn in just one day). I’m not saying the flaw described by Bruce Schneier was used in this case, but an organized gang was indeed used to simultaneously withdraw large amounts of cash.

    Uri Resnitzky

    November 23, 2006 at 21:55

  2. Found a report in English: it has only partial details, but you get the picture…
    BTW – They managed to arrest and convict those guys (even found garbage bags full of cash), but the technical details of how they got all those bank account numbers + PINs were never disclosed publicly.

    Uri Resnitzky

    November 23, 2006 at 22:29

  3. Thanks for all that Uri, and the research!!



    November 23, 2006 at 22:30

