Students crack bank PIN codes

Patrick McGowan, 12 April 2012

Two Cambridge students have designed a computer programme which can crack bank security codes, giving them access to hundreds of thousands of customers' secret PIN numbers within 24 hours.

The PhD students have shown that it is theoretically possible for a potential thief to steal vast amounts of cash once large amounts of confidential financial information have been downloaded.

That data makes it possible to translate the 16-digit number on the front of a cash card into the customer's PIN.

They now plan to put details of how to crack the systems on the internet in an effort to ensure security is improved.

One, Michael Bond, 22, said although security could only be breached by bank staff with access to bank computers, it needed only a single individual with the level of access granted to a temporary computer contractor to extract and download information.

The security system is based on IBM's 4758 crypto-processor used by banks, the military and governments across the world to protect their networks.

The students have found they can breach security using a combination of software developed by Mr Bond and a key-search rig assembled by mature student Richard Clayton from off-the-shelf hardware costing less than £750.

They say that with 20 minutes' access to the crypto-processor it is possible to extract the material needed to recover the secret "key" used by banks to scramble customer PINs.

Once that material has been taken home on a floppy disk, it takes about a day on the Cambridge equipment to reveal the secret "key", which translates the 16-digit number on the front of a cash card into its PIN. With the key in hand, a criminal could plunder thousands of bank accounts.
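The article does not say how the key turns a card number into a PIN. The example below, added here and not code from the students, the banks or IBM, assumes the IBM 3624-style "natural PIN" scheme that hardware security modules of this class commonly implement: the 16-digit card number is encrypted under a PIN derivation key, the ciphertext is decimalised, and a per-account offset (stored in the clear with the account) adjusts the result to the customer's chosen PIN. The key, the card numbers and the offsets are all constructed for the example. It shows why a single leaked key, plus a copy of the account records, yields every customer's PIN at once.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// examplePDK is a constructed two-key 3DES PIN derivation key used only for
// this example. In a bank this value is meant never to leave the
// crypto-processor; the attack in the article is about recovering it.
var examplePDK = []byte{
	0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
	0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
}

// decimalisationTable maps each hex digit (0-F) of the ciphertext to a
// decimal digit. This is the classic default table; banks may choose another.
const decimalisationTable = "0123456789012345"

func allDigits(s string) bool {
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// naturalPIN derives the bank's "natural" PIN for a 16-digit card number:
// the card number is packed into 8 bytes, encrypted under the PIN derivation
// key, and the first pinLen hex digits of the ciphertext are decimalised.
// (Assumption: the whole 16-digit card number is the validation data.)
func naturalPIN(pdk []byte, pan string, pinLen int) (string, error) {
	if len(pan) != 16 || !allDigits(pan) {
		return "", errors.New("card number must be exactly 16 digits")
	}
	if pinLen < 4 || pinLen > 12 {
		return "", errors.New("pin length must be between 4 and 12")
	}
	if len(pdk) != 16 {
		return "", errors.New("two-key 3DES key must be 16 bytes")
	}
	// Two-key 3DES is K1 || K2 || K1 for the standard library's 24-byte form.
	k := make([]byte, 0, 24)
	k = append(k, pdk[:8]...)
	k = append(k, pdk[8:]...)
	k = append(k, pdk[:8]...)
	block, err := des.NewTripleDESCipher(k)
	if err != nil {
		return "", err
	}
	plain, err := hex.DecodeString(pan) // 16 decimal digits pack to 8 bytes
	if err != nil {
		return "", err
	}
	var ct [8]byte
	block.Encrypt(ct[:], plain)
	// Decimalise: walk the ciphertext nibble by nibble, high nibble first.
	pin := make([]byte, 0, pinLen)
	for i := 0; i < 16 && len(pin) < pinLen; i++ {
		shift := uint(4 * (1 - i%2))
		nibble := (ct[i/2] >> shift) & 0x0F
		pin = append(pin, decimalisationTable[nibble])
	}
	return string(pin), nil
}

// offsetFor computes the per-digit offset a bank stores with the account so
// that a customer-chosen PIN can be rebuilt from the natural PIN.
func offsetFor(natural, customer string) (string, error) {
	if len(natural) != len(customer) || !allDigits(natural) || !allDigits(customer) {
		return "", errors.New("pins must be digit strings of equal length")
	}
	out := make([]byte, len(natural))
	for i := range natural {
		out[i] = byte('0' + (int(customer[i]-'0')-int(natural[i]-'0')+10)%10)
	}
	return string(out), nil
}

// customerPIN is what an ATM, or a thief holding the key and the account
// records, computes: the natural PIN plus the stored offset, digit by digit.
func customerPIN(pdk []byte, pan, offset string) (string, error) {
	if !allDigits(offset) {
		return "", errors.New("offset must be digits")
	}
	nat, err := naturalPIN(pdk, pan, len(offset))
	if err != nil {
		return "", err
	}
	out := make([]byte, len(nat))
	for i := range nat {
		out[i] = byte('0' + (int(nat[i]-'0')+int(offset[i]-'0'))%10)
	}
	return string(out), nil
}

func main() {
	// Constructed account records: card number and PIN offset, neither of
	// which is secret on its own. Only the key is.
	accounts := []struct{ pan, offset string }{
		{"4000123412341234", "0000"}, // customer kept the natural PIN
		{"4000567856785678", "3719"}, // customer chose their own PIN
	}
	for _, a := range accounts {
		pin, err := customerPIN(examplePDK, a.pan, a.offset)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("card %s offset %s -> PIN %s\n", a.pan, a.offset, pin)
	}
}
```

The point for a practitioner is the asymmetry: the card numbers and offsets are routinely stored and transmitted in the clear, so the whole scheme's security rests on the single derivation key staying inside the crypto-processor. Once that key is out, recovering a PIN costs one block-cipher operation per card.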

"The banks' approach to security at the moment is too closed," said Mr Bond. "They are relying on outdated concepts such as security through obscurity.

"What they really need to do is pay more attention to the open community, including academia, and get more peer review on some of the systems that they are using. We need to see banks being more accountable for the security of people's money."

Alan Cox, a computer operating system developer, said: "This is a military-grade protected encryption system where you have to have licences to possess them. I would expect the reaction of the banking industry is probably one of pure horror ... shared by the military and a considerable number of other bodies."

The students have sent their findings to IBM but say they have yet to receive a satisfactory response.

IBM said in a statement: "Normal bank practice and procedure would prevent any possibility of launching such an attack.

"This academic study is based on specific laboratory conditions. In the real world there are too many physical safeguards and authority protections for such an attack to be successful."
