Criminals attack Pin bank security

Criminals are attacking the Pincode security systems of banks, something previously thought to be theoretically possible but unlikely

Criminals are attacking the Pincode security systemsof banks,somethingpreviously thought to be theoretically possible but unlikely, according to computer forensic researchers.

That theory is now being put into practice, according to Matthijs Van der Wel, head of the EMEA forensics team at Verizon Business.

The forensics team contributed to the Verizon Business 2009 Data Breach Study that found a sharp increase in the number of attacks targeting Pin data in the past year.

As the underground economy has become flooded with stolen credit card details, the big money is now in stealing Pins and related account data, the report said.

"Pin-based attacks and many of the very large compromises from the past year go hand in hand," the report found.

Pins and associated account information is now the most valuable commodity, as it enables criminals to steal money directly from bank accounts, Van der Wel said.

Cybercriminals have put a lot of time and effort into developing highly sophisticated ways of stealing Pins, which is not easy to do, he said.

Hackers are going after encryption keys and encrypted Pins stored on servers within financial institutions, using memory-scraping malware.

Even encrypted Pins have been targeted by intercepting the data at the weakest point in the multi-hop network path between ATMs and the card holder's bank.

This involves finding security flaws in the hardware security module appliances along the route where Pins are decrypted and re-encrypted for the next leg.

Although these vulnerabilities exist and are being exploited, Van der Wel said the attacks do not necessarily threaten to destabilise banks' transaction systems.

Most banks have looked at the theoretical attack models and put the necessary controls in place to detect and protect against these particular threats, he said.

According to Van der Wel, banks that keep up to date with the tools and techniques used by cyber-criminals should be able to come up with adequate security controls.

"Although difficult to detect, there are signs that banks can look for and it would not hurt to pay a little bit of extra attention to this," he said.

Banks could reduce risk simply by using double encryption, said Michael Callahan of encryption firm Credent Technologies.

Read more on Hackers and cybercrime prevention