Blunting Differential Attacks on PIN Processing APIs
We propose a countermeasure for a class of known attacks on the PIN processing API used in the ATM (cash machine) network. This API controls access to the tamper-resistant Hardware Security Modules (HSMs) in which PIN encryption, decryption and verification take place. The attacks are differential attacks: an attacker learns information about the plaintext values of encrypted customer PINs by altering the non-confidential inputs to a command (for example the decimalization table or the offset passed to PIN verification) and observing whether the command still succeeds. Our proposed fix adds an integrity check to the parameters passed to the command, so that tampered parameters are rejected before any verification result is returned. It is novel in that it involves very little change to the existing ATM network infrastructure.
Keywords: Security APIs, Financial Cryptography, PIN Verification
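The following script is an added worked example, not code from the paper or from any HSM vendor. It models an IBM 3624-style PIN verification command, runs the Bond–Zielinski decimalization table attack against it in its general form (handling digits that occur more than once in the PIN), and then shows the same attack failing against a hardened command that checks a MAC over the non-confidential parameters before verifying anything. The block cipher and PIN-block encryption are HMAC-SHA256 stand-ins so the script needs only the standard library (real HSMs use 3DES); the key names, the MAC construction, the sample validation data and the offset are all assumptions made for the illustration.

```python
"""Toy model of an IBM 3624-style PIN verification command, the decimalization
table attack against it, and a hardened variant that checks a MAC over the
non-confidential parameters.  Added example, not the paper's or any vendor's
code: the cipher and PIN-block encryption are HMAC-SHA256 stand-ins (real
HSMs use 3DES), and all key names and sample data are invented."""
import hashlib, hmac, itertools

PIN_LEN = 4
STD_DECTAB = "0123456789012345"  # hex digit value i decimalizes to STD_DECTAB[i]

def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for encrypting `data` under `key` (assumption: keyed PRF)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for PIN block encryption/decryption (symmetric XOR stream)."""
    return bytes(a ^ b for a, b in zip(data, prf(key, b"pin-block-stream")))

def natural_pin(pdk: bytes, vdata: str, dectab: str) -> str:
    """IBM 3624: encrypt the PAN-derived validation data, keep the first
    PIN_LEN hex digits and map each through the decimalization table."""
    return "".join(dectab[int(h, 16)] for h in prf(pdk, vdata.encode()).hex()[:PIN_LEN])

def add_offset(nat: str, offset: str) -> str:
    """Customer PIN = natural PIN + offset, digit-wise modulo 10."""
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))

def lower_offset(offset: str, positions) -> str:
    """Decrement the offset digit (mod 10) at the given positions."""
    return "".join(str((int(c) - 1) % 10) if i in positions else c
                   for i, c in enumerate(offset))

def issuer_tag(mac_key: bytes, vdata: str, dectab: str, offset: str) -> bytes:
    """Integrity tag the issuer attaches to the non-confidential parameters."""
    return hmac.new(mac_key, f"{vdata}|{dectab}|{offset}".encode(), hashlib.sha256).digest()

class Hsm:
    def __init__(self):
        self.pdk, self.pin_key = b"pin-derivation-key", b"pin-block-key"
        self.mac_key = b"parameter-integrity-key"  # shared with the issuer (assumption)
        self.queries = 0

    def verify(self, epb: bytes, vdata: str, dectab: str, offset: str) -> bool:
        """Original command: dectab and offset are trusted as supplied."""
        self.queries += 1
        entered = xor_stream(self.pin_key, epb).decode()
        return entered == add_offset(natural_pin(self.pdk, vdata, dectab), offset)

    def verify_mac(self, epb, vdata, dectab, offset, tag: bytes) -> bool:
        """Hardened command: refuse unless the parameters carry a valid tag."""
        if not hmac.compare_digest(issuer_tag(self.mac_key, vdata, dectab, offset), tag):
            raise PermissionError("parameter integrity check failed")
        return self.verify(epb, vdata, dectab, offset)

def decimalization_attack(query, offset: str) -> str:
    """Bond-Zielinski attack in its general form (repeated digits handled).
    `query(dectab, offset)` verifies the victim's captured EPB; the attacker
    controls only these two non-confidential inputs.  Returns the natural PIN."""
    def bumped(d: int) -> str:  # dectab with every entry d rewritten as d+1
        return "".join(str((d + 1) % 10) if c == str(d) else c for c in STD_DECTAB)

    # Phase 1: a failure under bumped(d) means digit d occurs in the natural PIN.
    present = [d for d in range(10) if not query(bumped(d), offset)]
    natural = [None] * PIN_LEN
    for d in present:
        # Phase 2: verification succeeds again only when the offset is lowered at
        # exactly the positions holding d; search subsets by increasing size.
        for size in range(1, PIN_LEN + 1):
            hit = next((pos for pos in itertools.combinations(range(PIN_LEN), size)
                        if query(bumped(d), lower_offset(offset, pos))), None)
            if hit is not None:
                for p in hit:
                    natural[p] = str(d)
                break
    return "".join(natural)

def demo():
    """Returns (real PIN, PIN recovered from the original command, queries used,
    whether the hardened command blocked the same attack)."""
    hsm = Hsm()
    vdata, offset = "4539123412340001", "1234"  # constructed sample account
    pin = add_offset(natural_pin(hsm.pdk, vdata, STD_DECTAB), offset)  # issuer side
    epb = xor_stream(hsm.pin_key, pin.encode())  # as captured on the ATM link
    stolen = add_offset(decimalization_attack(
        lambda t, o: hsm.verify(epb, vdata, t, o), offset), offset)
    used = hsm.queries
    tag = issuer_tag(hsm.mac_key, vdata, STD_DECTAB, offset)  # issuer's tag
    try:  # the first tampered dectab carries no valid tag, so the attack cannot start
        decimalization_attack(lambda t, o: hsm.verify_mac(epb, vdata, t, o, tag), offset)
        blocked = False
    except PermissionError:
        blocked = True
    return pin, stolen, used, blocked

if __name__ == "__main__":
    print(demo())
```

Against the original command the attack needs at most 10 queries to learn which digits occur and at most 15 more per distinct digit to place them, far fewer than the 10,000 guesses a brute-force search would require. The hardened command never reaches the comparison because the MAC covers the decimalization table and the offset, so an attacker who cannot forge tags can only replay the exact parameter set the issuer approved. In the paper's setting the MAC key is held by the issuing bank and the HSM, which is what keeps the change small: the existing command interface and message flow stay as they are, and only the parameter payload gains a tag.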