ATM keypads

I assumed that ATM keypads were just plugged into the PS/2 port. Apparently not!

The ATM keypad:

If that seems like a lot of trouble over a numeric keypad, you haven't cracked open an ATM lately. The modern "PIN entry device" is a physically and logically self contained tamper-resistant unit that encrypts a PIN within milliseconds of its entry, and within centimeters of the customer's fingertips. The plaintext PIN never leaves the unit, never travels over the bank network, isn't even available to the ATM's processor: malicious code running on a fully compromised Windows-based ATM machine might be able to access the cash dispenser and spit out twenties, but in theory it couldn't obtain a customer's unencrypted ATM code.
Tags: ,
Current Music: Logiq -- Elation ♬

24 Responses:

  1. granting says:

    That is correct. Using a debit card in that sense is vastly more secure than a credit card.

    Credit cards, on the other hand, are anybody's game.

    • otterley says:

      It depends on what you mean by "security." Despite all the fraud protection banks provide (mostly for their own benefit, not so much the customers'), banks tend to trust themselves.

      This can yield hazardous results if, for example, you purchase something at a store which "accidentally" double-charges you after asking you to enter your PIN twice because "the transaction did not complete."

      For this reason, I prefer to pass when asked for my PIN at POS and instead sign for my goods purchased with my debit card. That way, I get to take advantage of Visa's transaction dispute resolution procedures should the bank screw up. Doing so shifts the burden to the bank and the merchant to prove that I did in fact purchase the goods or services in question.

  2. cmdrmoocow says:

    How long before I can buy a full-keyboard version of one of these for my own system?

    • treptoplax says:

      What the heck would you use that for?

      It would be good for secure communications with trusted remote systems if your local system is compromised... I don't see the point. If that's what you're worried about, carry a mini-laptop, or consider insanity such as Tinfoil Hat Linux.

      Makes good sense for banking applications, though.

    • flipzagging says:

      Microsoft's ideas for a 'Next Generation Secure Computing Base' include encrypted keyboards. A special hardware-based thingy called the "Nexus" can open a secure channel, and authenticate that this data really came from the keyboard.

      Reposted this comment because the link had a typo, also further Googling shows that a few months ago, NGSCB was shelved. Great news!

  3. baconmonkey says:

    Given the security involved with ATMs, the security issues surrounding diebold are absolutely baffling. Until, of course, you simply assume that the lax security and ease of corruption is a design feature.

    • ioerror says:

      Really, it just makes me think that we have another round of die bold products with security defaults.

      At least this time, we will get our money back from them!

  4. nibot says:

    All this to protect a sequence that is most likely only four decimal digits, that the customer enters using gigantic, well-lit 1" square keys. Moreover, one wonders whether the ciphertext might be password-equivalent (note use of phrase "knowledge of the cyphertext PIN for that card"). doh!

    • charles says:

      The most common ATM hack over here recently has been skimming - compromise the card reader so you can grab the contents of the magnetic stripe (often just by mounting your own reader on the front of the ATM), and have a camera recording (or just stand back and watch) people entering their PINs.

      Netted one group about $620,000 before they were caught, and there have been quite a few similar cases since.

  5. supersat says:

    Of course, there's very little stopping someone from using a compromised PIN pad, except possibly not being able to get their hands on the PIN encryption key (and thus not being able to submit the transaction). They could either submit the transaction as a credit transaction, or simply eat the cost of the transaction. Either way, the customer wouldn't have any way of knowing his or her PIN was intercepted until (much) later.

    In the case of ATMs, it's probably even easier to compromise the PIN pad because it also sends unencrypted numbers to the main processor (when you're asked how much money you'd like, or how much you're depositing).

    Oh, and all of this security is totally overkill when people use simple PINs.

    • zapevaj says:

      Last sentence=totally. For real ATM card security, I'd like to see a piece of software in those little PIN-setting machines that automatically rejects a card's PIN if it matches the card holder's year of birth or month+day of birth.

      • supersat says:

        Those PINs are even better than some I've seen. I've seen people use 1111, 0000, etc. as PINs.

        It'd be nice if banks started using longer PINs. Even if you can put in a PIN that's longer than 4 digits, it might be no more secure than a 4 digit PIN, depending on the way the PIN is encoded on the magstripe. Most systems compute a "natural PIN" based on the card number, and your chosen PIN is written to the magnetic strip as the offset from the natural PIN. If the natural PIN is only 4 digits, the first 4 digits of an 8 digit PIN will be (almost?) in the clear on the magnetic stripe.

  6. baconmonkey says:

    well, think of the liability if it were just a plain ps/2 port. People could claim that ther person who installed the ATM put a keylogger inline and stole their PIN. Or worse than just claims of that, someone could do just that and harvest PIN codes.

    • ioerror says:

      It's also possible just to crack the damn codes if you can get a swipe of the card.

      Also, on a four-6 digit number, even AES256 isn't going to stop you from creating a rainbow table. But they don't use AES, they use DES or triple DES. 56 bits of protection, its like using half of a broken condom!

      But guess what? Even without another computer, you can just use an ATM!

      If you can swipe the card, you can own the mark.
      If you can get a receipt, you can own the mark.
      If you know enough about a person, you can get their bank to mail you checks tied to their account.

      Banks are a joke.
      Pin numbers are almost totally worthless.

      The irony is that the banks are almost never called on their bullshit.

      • aris1234 says:

        PIN's are encrypted from end to end and not stored on the card at all. So when you go to an ATM - even another banks one, your PIN is encrypted at the ATM, then sent encrypted to the bank who issued that card, verified, then an authorisation sent to the ATM to authorise your withdrawl.

        PIN's are not and have never been on the card (perhaps in the 70's when ATM's first came about - but certainly not in the past 20 years).

        • lars_larsen says:

          Pins were on the card, and might even still be. These days they are verified against a central database. But that was not always the case. Its possible that they're crypting the PIN, the account number, and another number.

          There is a field in track 2 of cards specifically designed for crypted PINs. So it was obviously stored on the card at some point in the past. And it might still be stored.

          I just opened a checking account recently, and they had this fancy machine at the bank that can make a temporary ATM card on the spot. The bank employee typed my account number into the machine manually. Then the machine asked me to enter a PIN twice before it could make me a card. I assumed this was so it could crypt it and store it on the card.

          • aris1234 says:

            I think the article you link to is very outdated. I work in the payments industry and it is definately not the case now. There are ATM solutions out there that put encrypted PIN's on the card - but they are only used in the 3rd world where telecoms infrastructure is weak. In the rest of the world, PIN's are verified online.

            Most of the encryption is done by dedicated encryption boxes such as the ones manufactured by Thales (they used to be Racal). These boxes don't do anything very fancy encryption-wise, but they are workhorses and (supposedly) tamper-proof.

            • lars_larsen says:

              Pins being verified online does not exclude them from being stored on the card as well.

              I provided that document to show that they WERE at one point stored on the card. And I didn't say they still were, I said they might very well still be.

  7. waider says:

    Curiously enough, the fully-certified bank-approved yadda yadda devices I'm currently working with do have all that hardware, but on the main board. The keypad attaches to the board via about six inches of ribbon cable. So, tap the damned cable already. Other possible fun and games left as an exercise for the reader.