Wired is running a nice story about hackers that may be able to steal PIN codes during ATM transactions. The nice part of the story is of course the way in which these guys steal the codes. Since the story takes place in the USA, there is no smart card involved. The PIN codes are encrypted on the ATM, and then sent on the network for verification. The article mentions at some point that the encryption may be broken, which sounds strange, but this is of course not the way it happens.
The idea here is to hack the HSMs (Hardware Security Modules) through which the PIN code transits. I am not an expert, but from reading the article, it seems that the PIN is first encrypted with a key from the ATM’s owner; then it gets to an HSM in which it is decrypted and re-encrypted with an interchange key. At some point, it gets to the cardholder’s bank’s HSM, where it is finally decrypted and compared to the actual PIN. This sounds quite amazing, since all of this goes very fast. But the main point is not in the complexity of the process: it is in the HSMs. Of course, these specialized computers are highly secure, with a lot of security precautions and all. I have worked on some of these things, and they sure look a lot like big smart cards, complete with a bunch of security features.
So, how can it fail?
As usual, through sloppy programming and administration. If an HSM is poorly configured, if its “root” access keys are not well protected, if the development of the applications is outsourced without proper control, then there is a significant risk that hackers will be able to get into these systems. And since the incentives for hackers are very high (having card data is interesting; having card data together with the associated PIN code is much more interesting), I would not be surprised if this happened.
Of course, the solution that I will propose is the same as usual: stay local. Your secrets are better protected if they stay with you at all times. In a smart card transaction, the PIN code is verified directly on the card. The bank’s servers only verify the cryptogram provided by the card (after you present the proper PIN code). There are plenty of other solutions in which your PIN code does not travel through a maze of potentially insecure computers, including the CAP readers that I mentioned recently. As far as I know, as of today, even your mobile phone is quite a safe place (unless, of course, it is one of those Symbian phones that somehow seem to get all the attacks of the world). At least, it is under your control, so you have a chance to notice if it is being hacked.
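To make the contrast between the two paths concrete, here is an added simulation (not code from the original post or from any real HSM or card vendor) of the PIN translation chain described above next to card-local verification. The zone cipher, key names, PIN values and the three-hop chain are constructed placeholders; the point it shows is the defender's metric: how many boxes hold the clear PIN along the way.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

def zone_cipher(key: bytes, data: bytes) -> bytes:
    # Toy stand-in for the per-zone PIN-block cipher (hypothetical; real HSMs use proper
    # block ciphers). XOR with a key-derived keystream is its own inverse, which keeps the demo short.
    stream = hashlib.sha256(key).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class Hsm:
    """One hop in the PIN translation chain. Each hop decrypts under its incoming zone key and
    re-encrypts under the next one, so the clear PIN exists inside every HSM on the path."""
    def __init__(self, name: str, key_in: bytes, key_out: Optional[bytes]):
        self.name, self.key_in, self.key_out = name, key_in, key_out
        self.clear_pin_seen = 0  # how many times this box held the clear PIN

    def translate(self, pin_block: bytes) -> bytes:
        clear = zone_cipher(self.key_in, pin_block)   # clear PIN is present here
        self.clear_pin_seen += 1
        if self.key_out is None:                      # issuer HSM: final decryption for comparison
            return clear
        return zone_cipher(self.key_out, clear)       # re-encrypt under the next zone key

# Constructed sample keys (placeholders, not real key material).
ATM_KEY, INTERCHANGE_KEY, ISSUER_KEY, CARD_KEY = b"atm-zone", b"interchange", b"issuer-zone", b"card-secret"

def build_chain() -> List[Hsm]:
    """Acquirer HSM -> interchange/switch HSM -> issuer HSM, as in the article's description."""
    return [Hsm("acquirer", ATM_KEY, INTERCHANGE_KEY),
            Hsm("switch", INTERCHANGE_KEY, ISSUER_KEY),
            Hsm("issuer", ISSUER_KEY, None)]

def remote_pin_verification(pin: str, stored_pin: str, chain: List[Hsm]) -> Tuple[bool, int]:
    """ATM encrypts under its own key; every HSM translates; the issuer compares.
    Returns (match, number of hops that held the clear PIN)."""
    pin_block = zone_cipher(chain[0].key_in, pin.encode())
    for hsm in chain:
        pin_block = hsm.translate(pin_block)
    exposures = sum(h.clear_pin_seen for h in chain)
    return hmac.compare_digest(pin_block, stored_pin.encode()), exposures

def card_local_verification(pin: str, card_pin: str, card_key: bytes, challenge: bytes) -> Optional[bytes]:
    """Smart-card path: the PIN is compared on the card; only a cryptogram over the challenge leaves."""
    if not hmac.compare_digest(pin.encode(), card_pin.encode()):
        return None
    return hmac.new(card_key, challenge, "sha256").digest()

def issuer_checks_cryptogram(card_key: bytes, challenge: bytes, cryptogram: bytes) -> bool:
    """The bank verifies the cryptogram; the clear PIN never left the card, so zero hops held it."""
    return hmac.compare_digest(hmac.new(card_key, challenge, "sha256").digest(), cryptogram)
```

Running `remote_pin_verification("1234", "1234", build_chain())` returns a match with three hops holding the clear PIN, while the card path yields only a cryptogram for the issuer to check.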