24.11.2006

As Germany’s famous technology website heise online reports today, two security experts, Omer Berkmann and Odelia Moshe Ostrovsky of the “School of Computer Science” in Tel Aviv, have published a couple of attack scenarios against bank card PINs (ATM PINs) which require only two guesses to successfully crack the PIN of a given account.

Abstract. We describe new attacks on the financial PIN processing API. The attacks apply to switches as well as to verification facilities. The attacks are extremely severe allowing an attacker to expose customer PINs by executing only one or two API calls per exposed PIN. One of the attacks uses only the translate function which is a required function in every switch. The other attacks abuse functions that are used to allow customers to select their PINs online. Some of the attacks can be applied on a switch even though the attacked functions require issuer’s keys which do not exist on a switch. This is particularly disturbing as it was widely believed that functions requiring issuer’s keys cannot do any harm if the respective keys are unavailable.

The problem with these attacks is that they require only access to (or an insider at) one of the forwarding switches between the bank terminal used and the data center of the issuing bank. As Bruce Schneier puts it in his blog, this renders the complete PIN authentication process as weak/insecure as the least trusted element in this chain. He continues:

Instead of just having to trust your own issuer bank that they have good security against insider fraud, you have to trust every other financial institution on the network as well. An insider at another bank can crack your ATM PIN if you withdraw money from any of the other bank’s ATMs.

The reason for this security hole lies in the path between the bank terminal and the bank data center, especially if you access your bank account from a foreign country. This path involves so-called switches, i.e. other data centers, which decrypt and re-encrypt the submitted data packets with the help of so-called Hardware Security Modules (HSMs). If an employee at one of these switches is corrupt and has access to these HSMs, he can easily crack the PIN just by using some API methods of the Financial PIN Processing API.

The problem is severe because, until now, you as a customer could easily recognize a manipulated terminal, but these attacks do not require any hardware modifications to a bank terminal, so you can no longer tell whether some bad guy is waiting to mount a man-in-the-middle attack and duplicate your bank card including your PIN. For this reason Berkmann and Ostrovsky didn’t want to disclose their findings, but due to a lack of response from the international banks they contacted, they saw no option other than disclosing these severe security issues.
