Comments on: Indiana Bank gets Hacked…Who’s really to blame? http://www.spylogic.net/2008/06/indiana-bank-gets-hackedwhos-really-to-blame/ Sun, 18 Sep 2011 21:48:21 +0000 hourly 1 By: Matt http://www.spylogic.net/2008/06/indiana-bank-gets-hackedwhos-really-to-blame/comment-page-1/#comment-65 Matt Tue, 08 Jul 2008 00:00:16 +0000 #comment-65 Without some serious bruteforcing compromised track data would not of lead to the PIN being revealed. Clear text PIN data should never be stored on the card. I am not aware of any standard that allows this.<br /> <br /> The ISO 7813 standard does not require a PIN to be encoded onto the card but it does allow an "Encrypted PIN" to be encoded onto the card. The "Encrypted PIN" is a 4 digit code that is generated by DES or 3DES encrypting the PIN with the banks PIN Verification Key (PVK). Then that string of cipher text is run through an algorithm that pulls out the four digits that comprise the Encrypted PIN block.<br /> <br /> Given this process an attacker would first need to bruteforce the banks PVK encryption keys. Next they would need to bruteforce the PIN to figure out which PIN matches up with which Encrypted PIN. Because the Encrypted PIN is a subset of the cipher text generated you can not simply decrypt the Encrypted PIN to get the original PIN. Think of it like a hashing function.<br /> <br /> Cheers,<br /> Matt Without some serious bruteforcing compromised track data would not of lead to the PIN being revealed. Clear text PIN data should never be stored on the card. I am not aware of any standard that allows this.

The ISO 7813 standard does not require a PIN to be encoded onto the card but it does allow an "Encrypted PIN" to be encoded onto the card. The "Encrypted PIN" is a 4 digit code that is generated by DES or 3DES encrypting the PIN with the banks PIN Verification Key (PVK). Then that string of cipher text is run through an algorithm that pulls out the four digits that comprise the Encrypted PIN block.

Given this process an attacker would first need to bruteforce the banks PVK encryption keys. Next they would need to bruteforce the PIN to figure out which PIN matches up with which Encrypted PIN. Because the Encrypted PIN is a subset of the cipher text generated you can not simply decrypt the Encrypted PIN to get the original PIN. Think of it like a hashing function.

Cheers,
Matt

]]>