ARX Reveals PIN Processing Weaknesses That Allow Payment-Card Fraud.

PARIS -- Algorithmic Research (ARX), a provider of electronic signatures and data-security solutions, has uncovered a serious security vulnerability in the Financial PIN (Personal Identification Number) Processing systems of banks worldwide. The discovery was made together with Dr. Omer Berkman from the Academic College of Tel-Aviv Yaffo and Mrs. Odelia Ostrovsky from the Tel-Aviv University.

"The vulnerability could enable the exposure of the PIN codes of Magnetic strip and EMV cards used by millions of customers," says Ezer Farhi, VP of R&D, ARX. The flaw would allow an attacker to discover PIN codes, for example, when entered by customers while withdrawing cash from an ATM (Automatic Teller Machine). Attacks based on these vulnerabilities are extremely severe and could be undertaken by anyone with access to the online PIN verification facility or switching processes.

"A bank insider could use an existing Hardware Security Module (HSM) to reveal the encrypted PIN codes and exploit them to make fraudulent transactions, or to fabricate cards whose PIN codes are different than the PIN codes of the legitimate cards, and yet all of the cards will be valid at the same time," says Ostrovsky.
"Even worse, an insider of a third-party Switching provider could attack a bank outside of his territory or even in another continent."

ARX professional cryptographic experts offer solutions implemented in the PrivateServer HSM, as well as a list of recommendations of how to confront the weaknesses that make these attacks possible. For further information visit the ARX booth No. 4M112 at the Cartes 2006 show or visit www.arx.com/products/privateserver.php.

About PrivateServer[TM] HSM

PrivateServer is ARX's highly secure network attached, Hardware Security Module (HSM) that provides a secure environment for conducting sensitive cryptographic operations, secure key storage and management of a large number of keys. PrivateServer HSM provides a cost-effective, high-performance (+5,000 typical card TPS), tightly secure (FIPS-140 validated), and reliable solution. PrivateServer HSM offers solutions to a versatile range of industries: financial, commercial, and governmental including Setefi of the Intesa Banking Group, Polcard, Cetrel, G&D Spain and Getronics, among others. For more information, visit www.arx.com