When was the last time you stuck your debit card in an ATM and thought twice about the security of your four-digit code? For years, it has been considered the one secure point of the banking process, barring any physical skimming devices attached to the actual ATM.
According to this Wired story, the code breakers are here and they're actively seeking more efficient ways of pulling the PINs from customer accounts without their knowledge.
Until now, it was believed that after you had entered your PIN, the code would be transmitted to the bank completely encrypted and invisible to third parties. It was once assumed to be impossible to grab PIN data inside the system, but a number of academic reports, including one from Israel, have shown that it is not only possible but actively happening in various hacker circles.
In simple terms, the hack has been made possible by a breakdown in the security process: the various contractors that handle a transaction run different systems for the data that travels from the ATM (or merchant) to the branch. Along the way, the PIN data must flow through a series of hardware security modules, known as HSMs, and according to Wired's report, it is across these HSMs that the attack on encrypted PIN data is occurring.
One of the more troubling aspects of this emerging threat is that, unlike with credit card transactions, it is very hard for the customer to prove that fraudulent activity has taken place. If cash is withdrawn from a customer's account using a PIN that has been covertly compromised, the customer has little evidence to show they are not at fault.
Although it's not clear how this impacts the Australian banking industry, it's clear that this won't be the last time we'll be hearing about PIN fraud.