Friday, November 11, 2005 

PINs and Encryption...a Bad Idea?

void listen()
Currently Listening to:
Magic Affair
'Night of the Raven'

string intro()
Taken from "Everything you ever wanted to know about CC's" by
Joe Ziegler:

"There are many types of fraud that can be perpetrated by tapping data communication lines, and using protocol analyzers or computers to intercept or introduce data. These types of fraud are not widespread, mainly because of the need for physical access and because sophisticated computer techniques are required. There are message authentication, encryption, and key management techniques that are available to combat this type of fraud, but currently these techniques are far more costly than the minimal fraud they could prevent. About the only such security technique that is in widespread use is encryption of PINs."

return "hmmm";

void main()
This is an interesting essay to read in its entirety. It does an excellent job of detailing the internals of the credit card systems we've all grown to love and hate.

OK, so in his essay Ziegler also points out that the PINs on credit (and ATM) cards may be encrypted either with a standard algorithm (DES) or with some proprietary scheme (which, as we all know, is just a plain bad idea). In the quote above he also says that PIN encryption is about the only such protection in widespread use, which suggests the PIN may be the ONLY item on the magnetic stripe that is encrypted at all. I will attempt to explain just how much that could weaken the entire credit card system (if it is in fact true).

Let's assume a reasonable-sounding setup: your PIN is encrypted with Triple DES and the resulting ciphertext is stored on the magnetic stripe on the back of your card. The average person might say "Hey, yeah, that's great. You can't run it through a magnetic card reader and get my PIN. I'm safe."

In fact, this couldn't be further from the truth. The problem is very hard to protect against once you take into account the universally known fact that a PIN is a 4-digit NUMBER. Two big weaknesses here:

1- Four digits is a ridiculously short secret.

2- Ten possible values per digit is a ridiculously small alphabet, so the space of possible PINs is tiny.

Let's do the math.

10 possible digits.
4 positions to put them in.
That gives 10^4 = 10,000 distinct PINs.

That means only 10,000 possible PINs, ever, for anybody anywhere using a standard 4-digit numeric PIN.

In other words, if I knew the encryption scheme and its key, and the same key is used for every card, I could encrypt every number from 0000 to 9999 once and store each result next to its PIN in a lookup table. At ten thousand entries this is a plain dictionary; there is no need for a real rainbow table with its time/memory trade-off. Then any encrypted PIN I get my hands on is decoded with a single table lookup.

BUT let's say they use a proprietary scheme that I can't reproduce myself. Simple: I get myself and ten friends together, and each of us changes our PIN a thousand times, ordering a new card each time, and records the encrypted stripe data next to the PIN that produced it. We would have constructed the full lookup table for their scheme and let the [insert favorite FI here] do all the encrypting for us.

Obviously this is an exaggeration, but it is certainly possible, especially given the strong likelihood that these schemes (and the keys behind them) are rarely, if ever, changed. A group of dedicated people could churn out the complete table in a few years.
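As an added worked example (not code from the original post, and not any real issuer's scheme), here is the lookup-table attack from the two scenarios above in Go, using the standard library's Triple DES in ECB mode as the post assumes. The 24-byte issuer key, the PIN-block layout and the card numbers are all constructed for the illustration; the `oracle` passed to `buildTable` stands in for either the attacker's own reimplementation of the scheme (known key) or the issuer obligingly re-encoding cards (proprietary scheme). It also goes one step beyond the post to show the one cheap change that breaks a single shared table: mixing the account number into what gets encrypted, so the same PIN produces a different stripe value on every card.

```go
package main

import (
	"crypto/des"
	"fmt"
	"log"
)

// issuerKey is a constructed 24-byte Triple DES key standing in for the
// issuer's secret. The post's scenario assumes one key for every card, and
// that single assumption is what makes one shared table work for all cards.
var issuerKey = []byte("0123456789abcdefghijklmn")

// pinBlock packs a 4-digit PIN into one 8-byte DES block. With pan == ""
// this is the scheme in the post: the block depends on the PIN alone.
// With a PAN the last four account digits fill bytes 4..7, so the same PIN
// encrypts differently on every card. The layout is constructed for this
// illustration and is not any real PIN-block format.
func pinBlock(pin, pan string) [8]byte {
	var b [8]byte
	copy(b[:4], pin)
	if len(pan) >= 4 {
		copy(b[4:], pan[len(pan)-4:])
	}
	return b
}

// encryptPINBlock is the value written to the stripe: one block of
// 3DES-ECB under the issuer key. No IV, no randomness, so it is deterministic.
func encryptPINBlock(key []byte, block [8]byte) ([8]byte, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return [8]byte{}, err
	}
	var out [8]byte
	c.Encrypt(out[:], block[:])
	return out, nil
}

// buildTable is the attack: obtain the stripe value for every PIN from
// 0000 to 9999 and index ciphertext -> PIN. The oracle is either our own
// reimplementation (known scheme and key) or, in the post's second
// scenario, the issuer itself re-encoding cards for us. Ten thousand
// entries of 8 bytes each; no rainbow-table trade-off is needed at this size.
func buildTable(oracle func(pin string) [8]byte) map[[8]byte]string {
	t := make(map[[8]byte]string, 10000)
	for i := 0; i < 10000; i++ {
		pin := fmt.Sprintf("%04d", i)
		t[oracle(pin)] = pin
	}
	return t
}

// recoverPIN turns a stripe value read off a card back into its PIN.
func recoverPIN(t map[[8]byte]string, stripe [8]byte) (string, bool) {
	pin, ok := t[stripe]
	return pin, ok
}

// pinOnlyOracle encrypts a PIN the way the post describes (PIN alone, shared key).
func pinOnlyOracle(pin string) [8]byte {
	ct, err := encryptPINBlock(issuerKey, pinBlock(pin, ""))
	if err != nil {
		log.Fatal(err)
	}
	return ct
}

func main() {
	table := buildTable(pinOnlyOracle)

	// A stolen card whose PIN is 4271 (constructed). One lookup recovers it.
	stripe := pinOnlyOracle("4271")
	pin, ok := recoverPIN(table, stripe)
	fmt.Printf("PIN-only scheme: recovered %q (found=%v)\n", pin, ok)

	// Same PIN, same key, but the issuer mixed the account number into the
	// block. The shared table has no entry for it: the attacker would have to
	// rebuild the table for each card, or the issuer must verify the PIN
	// somewhere the attacker cannot query at all.
	bound, err := encryptPINBlock(issuerKey, pinBlock("4271", "4000123412345678"))
	if err != nil {
		log.Fatal(err)
	}
	_, ok = recoverPIN(table, bound)
	fmt.Printf("PAN-bound scheme: found in shared table=%v\n", ok)
}
```

Run it with `go run`. The table holds 10,000 eight-byte values, about 80 KB, and builds in well under a second; the hard part in the proprietary scenario is not computation but extracting 10,000 encryptions from the issuer. Note that binding the PAN only defeats the shared table: an attacker who can compute the scheme still builds a fresh 10,000-entry table per stolen card, which is why the real fix is verifying the PIN somewhere the attacker can neither read nor query.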

Although PINs are designed to be an efficient security measure, requiring people to remember only a small number that is hard to guess (a 0.01 percent chance per guess), the availability of cheap magnetic stripe readers combined with people who aren't careful with their cards could easily result in someone wiping out a significant portion of your account via ATM. I don't need to shoulder-surf or snipe your PIN. I'll just read it off your card.

Keep in mind, this applies to PINs that are actually stored on the card and verified by comparing the encrypted (or "hashed") input with what's stored on the card. It also depends on the stored value being a deterministic function of the PIN alone under one key for every card: if the issuer mixes something card-specific, such as the account number, into what gets encrypted, the same PIN produces a different value on every card and a single shared table no longer works (though with the card in hand and the scheme and key known, a per-card table of 10,000 entries is still cheap to build). If the PIN is instead stored and verified elsewhere, on a central server where the attacker can neither read the reference value nor run the encryption, none of this is feasible. But cards that stupidly keep this info on the card itself are simply asking for trouble.