Having Fun With ATMs & HSMs presented at HITBSecConf Malaysia 2009

by Dimitrios Petropoulos

Tags: Security Risk Compliance

Summary: Having fun with ATMs & HSMs

Presentation Abstract

The cornerstone of every bank's ATM network is a number of HSMs (Hardware Security Modules) which securely create, store, verify, translate and ultimately destroy the verification PINs (Personal Identification Numbers) associated with each credit/debit card. The protocols used and the APIs exposed by the HSMs are known to suffer from a number of inherent vulnerabilities which make possible a number of attacks, ranging from trivial to highly complex, all of which lead to the same result: the unauthorised disclosure of large numbers of client PINs.

The presentation will introduce the basic functionality and deployment architecture of HSMs within a typical financial institution's ATM architecture, introduce PIN lifecycles, PIN block formats and the attackers' toolkit/arsenal, and then describe in detail a number of PIN attacks, investigate potential associated threat origins and give examples of some successful recent attacks perpetrated using the described vulnerabilities.

About Dimitrios Petropoulos

Dimitrios Petropoulos has over twenty years' experience in the area of IT, the last 14 of which have been dedicated to the field of Information Security. He has a long track record of risk analyses, vulnerability assessments, penetration tests, and technical security and compliance audits on large corporate infrastructures of international organisations. He currently serves as Managing Director of ENCODE Middle East in Dubai, UAE. He holds an MSc in Information Security from Royal Holloway and is a PCI-DSS Qualified Security Assessor.