Criminals are attacking the
Pincode security systemsof banks,somethingpreviously thought to
be theoretically possible but unlikely, according to computer
forensic researchers.
That theory is now being put into practice, according to
Matthijs Van der Wel, head of the EMEA forensics team at
Verizon Business.
The forensics team contributed to the
Verizon Business 2009 Data Breach Study that found a sharp
increase in the number of attacks targeting Pin data in the past
year.
As the underground economy has become flooded with stolen credit
card details, the big money is now in stealing Pins and related
account data, the report said.
"Pin-based attacks and many of the very large compromises from
the past year go hand in hand," the report found.
Pins and associated account information is now the most valuable
commodity, as it enables criminals to steal money directly from
bank accounts, Van der Wel said.
Cybercriminals have put a lot of time and effort into developing
highly sophisticated ways of stealing Pins, which is not easy to
do, he said.
Hackers are going after encryption keys and encrypted Pins
stored on servers within financial institutions, using
memory-scraping malware.
Even encrypted Pins have been targeted by intercepting the data
at the weakest point in the multi-hop network path between ATMs and
the card holder's bank.
This involves finding security flaws in the hardware security
module appliances along the route where Pins are decrypted and
re-encrypted for the next leg.
Although these vulnerabilities exist and are being exploited,
Van der Wel said the attacks do not necessarily threaten to
destabilise banks' transaction systems.
Most banks have looked at the theoretical attack models and put
the necessary controls in place to detect and protect against these
particular threats, he said.
According to Van der Wel, banks that keep up to date with the
tools and techniques used by cyber-criminals should be able to
come up with adequate security controls.
"Although difficult to detect, there are signs that banks can
look for and it would not hurt to pay a little bit of extra
attention to this," he said.
Banks could reduce risk simply by using double encryption, said
Michael Callahan of encryption firm Credent Technologies.