Trial-and-error recovering the four-digit number customers write on their ATM cards (that's always the PIN).
Exploiting modified ATMs that pass the typed PIN on to third parties (this has happened particularly often in Italy, where it was estimated to account for 0.5 % of total sales loss).
Analyzing the electromagnetic waves an ATM emits.
Violence in any form.
The Hairspray Attack
Cryptologically more interesting is the method of impregnating ATM keyboards
with talcum powder or hairspray. Once a customer has withdrawn money from
the ATM, the 'sprayer' can reveal the digits the customer keyed in. 'This won't
do much', you might say, 'since the thief won't get far without knowing the
sequence of the digits. After all, the card is swallowed after the third failed
attempt.'
Correct, but not entirely. With a four-digit PIN, there are 4! = 24 possibilities of how the four digits are arranged. Somebody who stole eight bankcards has 8 × 3 = 24 random attempts for free, which produces one winner on average.
This estimate is too pessimistic, for not all PINs consist of four different digits.
If you get 2222 as the PIN for your ATM card, you should be careful. (I recommend that the impostor pull a carnival mask over his head in this type of undertaking, perhaps with the face of the Secretary of the Treasury: you will certainly be filmed while at it.)
What we have here basically is a dictionary attack launched in parallel against
several systems. (For each card, the dictionary consists of all four-digit numbers
with the given digits.)
I am perfectly aware of such attacks, because they are done for real. There are
simple countermeasures. Once I have typed my PIN, for example, I generally
wipe over all the number buttons and hold an object in my hand as I type. That's
easy to make a habit of, sending the fraudulent attempts described above into
the realm of wishful thinking.
However, I cannot see what happens inside the teller machine. Ideally, I use
only the teller machines in the branches of my bank. But that doesn't actually
belong to cryptology.