PIN Processing APIs in the Cash Machine Network
(Video runs from 01:03:00 to 02:08:31)
The international cash machine network is governed by standards that mandate the use of hardware security modules (HSMs) to encrypt, decrypt and verify PINs. However, flaws or misconfigurations in the APIs these HSMs expose can lead to attacks that permit attackers to harvest PIN codes. Real-life exploits include the RBS/Worldpay hack in 2008.
In this lecture we will look at how these APIs work and how they can be attacked. We will also examine the operation of a formal tool, Anablock, that uses probabilistic model checking to reason about attacks on PIN processing APIs. We comment on future lessons for API design.
Graham Steel
Graham Steel holds a masters in mathematics from the University of Cambridge and a Ph.D. in informatics from the University of Edinburgh. He is currently a researcher at INRIA, the French national agency for computer science research, where he is part of the Prosecco project team based in central Paris.
Steel's main research interests are in formal analysis of information security and applied cryptography. His current work on cryptographic API verification involves using formal techniques to construct and analyse abstract models of cryptographic device interfaces. In addition to international conference and journal publications, his recent results have featured in Wired magazine and the New York Times.