The RDV Group InfoSec Blog

Thursday, March 09, 2006

PINs Aren't a Magic Bullet

Bob Sullivan, a top expert on identity theft, has a dead-on piece in today's (03/09) MSNBC Tech & Sci Security section. There are some interesting exploits afoot using what was previously thought to be a secure technology: pairing your ATM card with its PIN.

He and I have discussed this issue, and think there are interesting ramifications re: what I call "residual data". That is, all the little places personal data (in this case the PINs) can hide and resist scrubbing. Commonly called "data remanence" (you CISSP'ers know this term), it's like owning a home: water is getting in somewhere, and it's not obviously coming in from where it looks like it is.

Your CISSP'ers also know the drill: two-factor authentication is a combination of "something you have", the ATM card, with "something you know", a password or a PIN. But the PINs are supposed to be sacrosanct, and now we know they're not.

From Bob's article: "... The incident calls into question the security of the four-digit code that for years has made PIN-based transactions less subject to fraud than signature-based credit card transactions. 'This is the absolute worst hack that has happened, the biggest scam to date,' said Gartner analyst Avivah Litan."

Maybe it's from one source: "... In each case, the banks have blamed a third-party company — in some cases, more specifically identified as a merchant or retailer. Speculation has been rampant that the source of the stolen data is office supply store OfficeMax, starting with an article last month in the San Francisco Chronicle indicating 200,000 account numbers had been stolen from the firm. OfficeMax denies it's to blame."

But it's beginning to look like it's not: "... many merchants incorrectly store PIN information they should be destroying after customers enter the secret code on PIN pads in stores around the country. While the information is often encrypted into something called a PIN block, the keys necessary to decrypt the information are often stored on the same network, she said. That makes stealing the PINs as easy as breaking into an office computer using a password a careless employee has taped to the screen."

And here's where the data remanence comes in: "... The software is storing PINs just because it can. No one is paying attention to this stuff, it's deep in the software..."
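To make the PIN block point concrete, here is an added example (mine, not from Bob's article or any merchant software) of the ISO 9564-1 format 0 PIN block encoding that sits underneath the encryption. The encoding is a reversible XOR with the card number, so the only real protection is the encryption key, and keeping that key on the same network as the stored blocks leaves nothing. The PAN below is a constructed test number, not one from the story.

```python
# Added example: ISO 9564-1 format 0 PIN block encoding, shown to make clear
# that the "PIN block" itself is an encoding, not a secret. Whatever decrypts
# the block (the key on the same network, per the article) gets the PIN with
# one XOR against the card number. The PAN used in the test is constructed.


def _pan_field(pan: str) -> int:
    """Rightmost 12 PAN digits, check digit excluded, left-padded with four zeros."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return int("0000" + digits[:-1][-12:], 16)


def encode_pin_block_format0(pin: str, pan: str) -> str:
    """Clear PIN block: '0', PIN length as a hex digit, the PIN, 'F' padding, XOR PAN field."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4-12 digits")
    pin_field = int(f"0{len(pin):X}{pin}".ljust(16, "F"), 16)
    return f"{pin_field ^ _pan_field(pan):016X}"


def decode_pin_block_format0(block: str, pan: str) -> str:
    """Reverse the XOR: the decrypted block plus the PAN yields the PIN directly."""
    pin_field = f"{int(block, 16) ^ _pan_field(pan):016X}"
    if pin_field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    length = int(pin_field[1], 16)
    return pin_field[2:2 + length]


def scrub(buf: bytearray) -> bool:
    """Overwrite a working buffer in place so the clear block is not left behind.

    This is the remanence point: the block must be zeroised right after it is
    encrypted and sent, never written to a log, database or debug file.
    """
    for i in range(len(buf)):
        buf[i] = 0
    return all(b == 0 for b in buf)
```

In a real terminal the clear block lives only inside the PIN pad's secure module and the key only in an HSM; the decode function exists here to show what an attacker with both block and key trivially gets, which is why retention of either is the failure.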

My wife knows this exploit, because she was a victim over the holidays. Her credit card and ATM card were stolen, and to her surprise, it was no problem to drain the $ out of her checking. The PIN was absolutely no barrier to the thief.

UPDATE: Bob was on NBC Nightly News tonight (03/09) to discuss this problem further. We definitely haven't heard the last of this yet.