Insider attacks on PIN generation

Theo Markettos theom+news at chiark.greenend.org.uk
Sat Feb 25 23:53:18 GMT 2012


In article <EC6C6CB7-599C-44D7-8D69-D569E6BA6027 at batten.eu.org> you wrote:
> I have a memory of being told of an insider attack at a bank where
> programmers managed to force the system to issue PINs drawn from a very
> small set, so that with a stolen card they had a better than 50% chance of
> guessing the correct PIN within three attempts.  But I can't find it in
> the literature.  Anyone find it rings a bell?

Ross mentions some cases in Why Cryptosystems Fail, where banks have issued
all their customers with the same PINs or from a tiny subset, either
unintentionally or maliciously:
http://www.cl.cam.ac.uk/~rja14/wcf.html

Theo



More information about the ukcrypto mailing list