In this article, we explain how compromising the PIN of a customer’s prepaid debit card may lead to catastrophic losses for a bank and why it is so important to protect their data. We will analyze two ATM “cash-out” hacking stories that are linked to prepaid debit cards.
HSMs (Hardware Security Modules) aren’t just needed “because of PCI-DSS requirements,” which do not explicitly require the use of HSMs. Today, for Fintech companies (and everywhere else as well) penetration or intrusion testing is part of the enterprise culture. Cryptography, encryption, norms, using FIPS-140 security-evaluated products are just “routine.”
Unfortunately, when it comes to real situations, that “routine” is not enough. The IT of banks and more generally, Fintech companies, are protected for a good reason. There are “real” fraudsters and bank robbers out there. The difference is that these robbers won’t operate with masks and guns but rather with a keyboard, a mouse, a screen, and internet access. Similar to how trucks carrying cash to and from the banks are armored and protected by guards wearing bulletproof jackets and guns, financial networks are protected by cryptographic systems, passwords, and PINs.
Anyone involved in IT security in banks or processing companies should always keep in mind that the system he or she works for hasn’t been designed and created by accident. It has been built to address attacks and robberies, and some of these attacks may be quite sophisticated.
In the two examples, we will analyze, the robbers targeted what can be considered as the “Achilles heel” of the banking industry: prepaid debit cards. These cards are not linked to any account and have their own balance. They are anonymous and subject to far less monitoring than the other credit or debit cards.
The RBS cash-out attack of 2008 was performed by a group of men from Estonia, Russia, and Moldova who hacked into Royal Bank of Scotland’s credit card processor, Worldpay. The gangsters started by remotely entering into the computer system of Worldpay.
One of the hackers discovered a vulnerability in the network of RBS Worldpay and started to form an association with other criminals, especially one who had knowledge of cryptography. Using remote access, the hackers were able to break the encryption used by Worldpay because apparently some of their HSMs were poorly configured. It’s obviously not an easy hack to perform, but such attacks do exist.
The tracks of the cards were deciphered. However, even worse, the PINs of the cards were also discovered. It is alleged that techniques like trying 2 PINs per card over the database were used in combination with a botnet. After all, PINs are usually 4 digits with 9999 possible values. Therefore, we can compute the probability p=p(N) of getting one right PIN with 1 or 2 tries per card for N cards tested, using the assumption that PINS are uniformly distributed so that a batch of 9999 cards have all different PINs:
p~N/9999 for 1 try per card
p~2N/9999 for 2 tries per card
The computation with one try is easy: we have probability 1/9999 to find a matching PIN with the first card and probability 9998/9999 not to find the matching PIN… in such a case we have probability 1/9998 to find a matching PIN with the second card and probability 9997/9998 not to find, and so on. By taking the sum over all the branches of the possibility tree we get :
The computation with two tries is slightly more complicated.
We have probability 1/9999+1/9998 to find a matching PIN in the first card and probability (1-1/9999-1/9998) not to find a matching PIN, then in such case, we have probability 1/9997+1/9996 to find a matching PIN in the second card and probability (1-1/9997-1/9996) not to find a matching PIN, etc… at the k^th branch of the possibility tree, we are at the k^th card with probability 1/(9999-2k)+1/(9999-2k-1) to find a matching PIN and probability 1-1/(9999-2k)-1/(9999-2k-1) not to find a matching PIN.
The required probability p(N) is the sum of all the partial probabilities, that is to say
This means that approximately for every 5,000 cards tested, one PIN will be found.
The hackers found 44 PINS linked to 44 accounts. This implies that they allegedly tested approximately 200,000 cards. Using the HSM that they could access, they managed to raise the withdrawing limits of the corresponding accounts, and then increase the balance of the cards. Once they had the PINs, they created cloned cards using magnetic stripe encoders (non-EMV cards). They then hired “mules” that cashed the cards in several countries. Their crews withdrew $9 million in more than 2,100 cash machine transactions worldwide in less than 12 hours. The loss and harm significantly damaged the reputation of the Royal Bank of Scotland.
The RAKBank and the Bank Muscat Cash-Out Attack of 2012 and 2013
The circumstances behind the robberies committed against the Bank Muscat of Oman and the RAKbank (National Bank of Ras Al-Khaimah in the United Arab Emirates) are very similar.
A Turkish hacker named Findikoglu gained access to the networks of certain prepaid debit card payment processors, namely, ElectraCard from 2010 to 2013. The access was used fraudulently to obtain accounts and PINs. Card limits were suppressed while a network of “cashiers” operated all over the world to “cash-out” money at ATMs.
Following these attacks, the Bank Muscat of Oman suffered a loss estimated at $40 million spread over 36,000 fraudulent ATM transactions. The RAKBank suffered $9 million in losses.
Security experts commented that if criminals manage to break into servers at a bank, and gather account and, especially, PIN numbers, there isn’t anything as far as they knew that could be on a device on the other end to stop the attack from happening.
Here we are talking about the non-EMV cards that are still widely used in many countries. However, there are several ways that an EMV chip can be destroyed to force the use of an EMV card’s magnetic stripe (‘EMV fallback’).
Without knowing PINs, none of these crimes could have been accomplished. Therefore, it is fundamental to prevent access to the HSM to protect PINs and prevent unsecured PIN verification.
As exhibited above, any access to a network, even partial, could allow attackers to “guess” the PINs of some cards through a comparison technique and by using PIN verification over a database of cards.
PIN verification API should only be reachable from secure systems with ‘strong’ user authentication otherwise such bank robberies may be occurring more and more.
Acodez is a leading website design and web development agency in India. We offer all kinds of web design and web development services to our clients using the latest technologies. We are also a leading digital marketing agency in India providing SEO, SMM, SEM, Inbound marketing services, etc at affordable prices. For further information, please contact us.
Looking for a good team
for your next project?
Contact us and we'll give you a preliminary free consultation on the web & mobile strategy that'd suit your needs best.
Jamsheer K, is the Tech Lead at Acodez. With his rich and hands-on experience in various technologies, his writing normally comes from his research and experience in mobile & web application development niche.
