Comments on: PAC Access Control PIN Security Flaw?! http://blog.seb.me.uk/2007/05/28/pac-access-control-pin-security-flaw/ thoughts. ideas. ponderings of an internet entrepreneur Tue, 29 Jun 2010 02:23:23 +0000 hourly 1 http://wordpress.org/?v=3.1.4 By: seb http://blog.seb.me.uk/2007/05/28/pac-access-control-pin-security-flaw/comment-page-1/#comment-245 seb Tue, 05 Jun 2007 16:27:25 +0000 http://blog.seb.me.uk/2007/05/28/pac-access-control-pin-security/#comment-245 I recall something on this line.. I think it was from Security Engineering by Ross Anderson.. It remember getting very enthralled reading it when I was supposed to be revising for exams at university. There's something about offline verification fraud in Chapter 9 of that book here: http://www.cl.cam.ac.uk/~rja14/book.html I recall something on this line.. I think it was from Security Engineering by Ross Anderson.. It remember getting very enthralled reading it when I was supposed to be revising for exams at university.

There’s something about offline verification fraud in Chapter 9 of that book here: http://www.cl.cam.ac.uk/~rja14/book.html

]]> By: David Kaspar http://blog.seb.me.uk/2007/05/28/pac-access-control-pin-security-flaw/comment-page-1/#comment-244 David Kaspar Tue, 05 Jun 2007 15:28:31 +0000 http://blog.seb.me.uk/2007/05/28/pac-access-control-pin-security/#comment-244 I recently read that ATM cards have had a similar vulnerability as well. The designers wanted ATM machines to be able to authorise a card even in off line mode (or maybe not having to pass PINs across the network). At the same time they did not want all PINs for all cards in every ATM (naturally) so they devised a way to deduce the card's pin from the card number! It involved DES(?) hashing a part of the card number together with a secret salt. If the user chose a personal PIN then a record of an offset was kept. This apparently allowed a compromised ATM worker to collect peoples' card numbers and deduce their PINs. Ultimately when "something you know" becomes deducible from "something you have" then security is lowered But now I am rambling! I recently read that ATM cards have had a similar vulnerability as well.

The designers wanted ATM machines to be able to authorise a card even in off line mode (or maybe not having to pass PINs across the network).

At the same time they did not want all PINs for all cards in every ATM (naturally) so they devised a way to deduce the card’s pin from the card number!

It involved DES(?) hashing a part of the card number together with a secret salt. If the user chose a personal PIN then a record of an offset was kept.

This apparently allowed a compromised ATM worker to collect peoples’ card numbers and deduce their PINs.

Ultimately when “something you know” becomes deducible from “something you have” then security is lowered

But now I am rambling!

]]>