PINs 'strongly protected' by Aussie ATM network

Stephen Withers
Tuesday, 21 April 2009 07:20

Business IT - Technology

"Unused HSM functionality must be disabled to remove all unnecessary calls that could lead to the capture of decrypted PINs, and physical and logical access to HSMs must be managed in accordance with strict controls.   

"There have been no reported instances of attacks against HSMs in Australia's payments system."

Well, that's encouraging - but there have been persistent stories over the years of banks not reporting or admitting to security breaches, so perhaps we should take that last assertion with a pinch of salt.

It's also good to hear that the local rules require the disabling of unused HSM features as that was reportedly one of the ways the devices were being exploited for nefarious purposes.

According to a source on the technical side of the industry, inside knowledge is almost certainly required due to the need to understand the proprietary code used in HSMs. Getting the stolen information from the devices would also be problematic.

Furthermore, there are a variety of measures in place including background checks on employees, change logs, auditing and regular reviews.

So while you'd have to be brave to say that attacks on HSMs can't succeed under Australian condition, it seems that those devices may not be the weak point that they reportedly represent in some other countries.