A serious weakness in the computer systems used by banks to protect Personal Identification Numbers (PINs) used in cash machine transactions has been identified by two computer scientists.
Michael Bond and Richard Clayton at the University of Cambridge, UK, say the computer systems used to check that the numbers are valid can be 鈥渃racked鈥.
In a single day, using an 拢800 computer, the pair cracked encryption software than should have taken more than two billion years of computational number crunching to break.
Advertisement
鈥淩ather than being a theoretical attack this is realistic and we want banks to pay attention to it,鈥 says Bond. 鈥淭heir software looks plausibly secure but it鈥檚 not.鈥
However, only insiders would be able to pull off the attack. This is because at least one of three access keys would need to be known in advance. Key bank officials possess these individual keys.
Clayton says: 鈥淎 crooked bank manager could duplicate our work on a Monday and be off to Bermuda by Wednesday afternoon.鈥
鈥淏lack boxes鈥
Whenever someone uses a cash machine, an armada of security software is used to safeguard the transition of information from the machine to the bank鈥檚 computer, where account details are held.
Crucial to this process are tamperproof 鈥渂lack boxes鈥 called cryptoprocessors, which encrypt the data between the two points. They also encrypt the programs used by the bank鈥檚 computer to check that a valid PIN has been used.
This encryption process involves generating normally uncrackable 鈥渒eys鈥 known as Triple-DES keys, which are passed between computer systems. But Bond and Clayton discovered that the way the system is designed allows the keys to be treated as two separate halves.
Brute force
These halves are much easier to crack 鈥 and it is then just a question of using a 鈥渂rute force鈥 approach to try to guess the key.
Hardware built by Clayton can try out 33 million keys per second. But even at this rate, it could take 70 years before the right key is found. But Bond has developed a technique that generates more than 16,000 keys simultaneously. This speeds up the process, so that it should take only about 25 hours.
This sort of attack would only be available to bank insiders. But a recent survey carried out by consultancy firm Ernst and Young revealed that 82 per cent of known business fraud in 2000 was carried out by employees.