Attack Exposes ATM Vulnerabilities
Two Cambridge University researchers have discovered a new attack on the hardware security nodules employed by banks that makes it possible to retrieve customers' cash machine PINs in an average of 15 tries.

…The system, used by many ATMs, reads the customer's account number that is encoded on the magnetic strip of the ATM card. The software then encrypts the account number using a secret DES key. The ciphertext of the account number is then converted to hexadecimal and the first four digits of it are retained.

Those digits are then put through a decimalization table, which converts them to a format that's usable on the ATM keypad. By manipulating the contents of this table, it's possible for an attacker to learn progressively more about the PIN with each guess. Using various schemes described in the paper, a knowledgeable attacker could discover as many as 7,000 PINs in a half hour, the authors say.

The researchers' paper has drawn quite a bit of attention and is now part of a controversial court case in the U.K. concerning so-called phantom withdrawals from ATMs. The case concerns a South African couple that claims someone used their Diners Club card to make 190 withdrawals at ATMs all over the U.K. while they were in South Africa. The card's issuer says that's not possible, because their ATM network is secure, and is suing the couple to recover the nearly $80,000 that was charged against the card. The couple has refused to pay, according to court documents filed in the case.

As part of the defense, Bond has been asked to testify about the ATM-related weaknesses he and Zielinski address in their paper. However, the plaintiffs, Diners Club SA Ltd., have asked for a secrecy order around the testimony of Bond and other security experts, saying that the publication of the ATM issues described in the paper would harm their business and open their networks up to attack.
http://www.eweek.com/article2/0,3959,899796,00.asp