Security Blog 


2.20.2003

Holy gaping financial vulnerability batman!
This one is juicy (cryptome.org):
We present an attack on hardware security modules used by retail banks for
the secure storage and verification of customer PINs in ATM (cash machine)
infrastructures. By using adaptive decimalisation tables and guesses, the
maximum amount of information is learnt about the true PIN upon each guess.
It takes an average of 15 guesses to determine a four digit PIN using this
technique, instead of the 5000 guesses intended. In a single 30 minute
lunch-break, an attacker can thus discover approximately 7000 PINs rather
than 24 with the brute force method. With a $300 withdrawal limit per card,
the potential bounty is raised from $7200 to $2.1 million and a single
motivated attacker could withdraw $30-50 thousand of this each day. This
attack thus presents a serious threat to bank security.
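The defender's side of this, as an added example that is not from the paper or this post: a small monitor over constructed HSM audit-log lines that flags the two things the attack leaves behind, PIN-verify calls using a non-standard decimalisation table and an unusually high count of verify calls against one card. The log line format, field names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# The usual IBM 3624 decimalisation table: hex digit 0-F -> decimal digit.
STANDARD_DECTAB = "0123456789012345"
# Assumed threshold: a genuine cardholder rarely needs more than a few verifies.
MAX_VERIFIES_PER_PAN = 5

# Assumed audit-log line shape (not a real HSM format).
LINE_RE = re.compile(
    r"pan=(?P<pan>\d{12,19}) dectab=(?P<dectab>[0-9]{16}) result=(?P<result>\w+)"
)

def dectab_is_standard(dectab: str) -> bool:
    """True if the table is the standard one; any other table is suspect."""
    return dectab == STANDARD_DECTAB

def analyse(lines):
    """Return {pan: reason} for every card whose verify traffic looks like probing."""
    verifies = defaultdict(int)
    odd_tables = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        pan = m.group("pan")
        verifies[pan] += 1
        if not dectab_is_standard(m.group("dectab")):
            odd_tables[pan].add(m.group("dectab"))
    alerts = {}
    for pan, n in verifies.items():
        reasons = []
        if odd_tables[pan]:
            reasons.append(f"{len(odd_tables[pan])} non-standard decimalisation table(s)")
        if n > MAX_VERIFIES_PER_PAN:
            reasons.append(f"{n} PIN verifications")
        if reasons:
            alerts[pan] = "; ".join(reasons)
    return alerts

# Constructed sample log: one normal card, one card being probed with altered tables.
SAMPLE_LOG = [
    "10:01 verify pan=4111111111111111 dectab=0123456789012345 result=OK",
    "10:02 verify pan=4111111111111111 dectab=0123456789012345 result=FAIL",
] + [
    f"12:{i:02d} verify pan=5555555555554444 dectab={t} result=FAIL"
    for i, t in enumerate(["1123456789012345", "0123456789012345",
                           "0223456789012345"] * 2, start=1)
]

if __name__ == "__main__":
    for pan, why in analyse(SAMPLE_LOG).items():
        print(pan[:6] + "******" + pan[-4:], why)
```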




Social engineering dupes cracker?
A funny story from the Register.
A Nottingham schoolgirl managed to turn the tables on a cracker who'd pinched her father's credit card details by tricking him into revealing his identity online.




Stories abound
A quiet week and suddenly everything I read is post-worthy. The NYTimes has two good ones in the Tech section: a piece on electronic disruption weapons, which will likely be employed in Iraq, and this request for hackers to behave during the potential conflict.
GOVERNMENT officials have warned for some time that pro-Iraqi hackers might take aim at computers in the United States as international tensions rise. But now officials are also trying to discourage Americans who might be tempted to mount attacks on the computers and Web sites of Saddam Hussein's supporters.




Hack the vote
Salon's running an interesting article on the inherent weaknesses of computerized voting - namely how easily it can be cracked.
"Computerized voting equipment is inherently subject to programming error, equipment malfunction, and malicious tampering. It is therefore crucial that voting equipment provide a voter-verifiable audit trail, by which we mean a permanent record of each vote that can be checked for accuracy by the voter before the vote is submitted, and is difficult or impossible to alter after it has been checked. Many of the electronic voting machines being purchased do not satisfy this requirement. Voting machines should not be purchased or used unless they provide a voter-verifiable audit trail; when such machines are already in use, they should be replaced or modified to provide a voter-verifiable audit trail. Providing a voter-verifiable audit trail should be one of the essential requirements for certification of new voting systems."




Secure engineering
If you get the chance, yesterday's WSJ had an interesting article on the security challenges facing modern architects and engineers.



CC theft update
It's up to 8 million cards, the FBI's investigating, and the name of the processing company has been released.
In what is believed to be the biggest credit card hacking incident so far, Omaha-based Data Processors International, which processes transactions involving Visa, MasterCard, American Express and Discover Financial Services for merchants, said in a statement that it had "recently experienced a system intrusion by an unauthorized outside party."




Blogger down yesterday
Sorry for the lack of posts.


2.18.2003

Major CC breach
CNN reports that a cracker has accessed over 2 million valid accounts from Visa and MasterCard.
The hacker breached the security system of a company that processes credit card transactions on behalf of merchants, Visa and MasterCard said.

Whew - that's a big one...


2.17.2003

Oopsie
Good thing I didn't get my gf any flowers for V-day this year:
In a terse e-mail statement today, Downers Grove, Ill.-based FTD acknowledged the problem and called it "a brief technical issue in which a limited number of customers may have been able to view a subset of another customer's data...
...In his security advisory, Gerald Quakenbush wrote that the flaw on the site allowed credit card information to be obtained by "any hacker with kindergarten level skills."