Two Cambridge University researchers, Mike Bond and Piotr Zielinski, have devised a way to hack the hardware security modules used in ATMs and Point of Sale terminals, in order to recover a PIN in 15 tries.
These sealed units read the strip on the card, do something with the account number using single DES, and get the PIN. The idea is that someone tapping the wire between the card reader/keypad and the computer will not see the user's credit card info in readable form.

Now this gets even more interesting. There is a lawsuit in the UK over a South African couple who experienced 190 fraudulent Diners Club charges totaling $80k in the UK while they were in South Africa. The bank is trying to make them pay the bill, claiming the credit card system is foolproof and cannot be hacked. Bond is testifying at the trial, and Citibank wants a gag order over the ATM vulnerability issue. Ross Anderson has written the court, opposing the gag order.

For your further reading enjoyment.

http://www.eweek.com/article2/0,3959,899796,00.asp
http://cryptome.org/pacc.htm
http://www.theage.com.au/articles/2003/02/21/1045638471679.html
http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
http://news.zdnet.co.uk/story/0,,t269-s2130897,00.html

--
Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"