New PIN Hacking Techniques Threaten to Further Destabilize the Banking System

This week one of my columns on CBC Radio sheds light on a story circulating in network security circles that depicts a new and rather alarming attack on the banking system's transaction process. I'm getting a lot of emails from CBC listeners asking for more info, so here's an article on Wired's Threat Level Blog that elaborates further. Here are some key highlights from the article:

The revelation is an indictment of one of the backbone security measures of U.S. consumer banking: PIN codes. In years past, attackers were forced to obtain PINs piecemeal through phishing attacks, or the use of skimmers and cameras installed on ATM and gas station card readers. Barring these techniques, it was believed that once a PIN was typed on a keypad and encrypted, it would traverse bank processing networks with complete safety, until it was decrypted and authenticated by a financial institution on the other side.

But the new PIN-hacking techniques belie this theory, and threaten to destabilize the banking-system transaction process.

Information about the theft of encrypted PINs first surfaced in an indictment last year against 11 alleged hackers accused of stealing some 40 million debit and credit card details from TJ Maxx and other U.S. retail networks. The affidavit, which accused Albert "Cumbajohnny" Gonzalez of leading the carding ring, indicated that the thieves had stolen "PIN blocks associated with millions of debit cards" and obtained "technical assistance from criminal associates in decrypting encrypted PIN numbers."

But until now, no one had confirmed that thieves were actively cracking PIN encryption.

This is what ties it back to the massive TJX breach, and I used it as the news hook for my column. However, what's clear from the article is that this was not the only case in which this type of attack or fraud has occurred. In fact, as it clearly states, the entire system is at risk, because this is less a technical flaw than a design flaw, one that, combined with neglect or mismanagement, could result in serious damage.
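The article's picture of a PIN "traversing bank processing networks" leaves out the step that makes this a design problem rather than a bug in one product. On a real debit network the PIN block is not encrypted end to end: the terminal encrypts it under the acquirer's zone key, and each switch along the route holds a different zone key, so its HSM decrypts the block under the incoming key and re-encrypts it under the outgoing one. The clear PIN block therefore exists, briefly, inside every HSM on the path, and the security of the whole chain rests on each of those devices and the command interfaces they expose. That is standard payment-network background the page itself does not spell out. The Go program below is an added example written for this page, not code from the Wired article, from Graham Steel's work, or from any payment vendor; it builds an ISO 9564 format 0 PIN block, encrypts it under a test-only acquirer zone key, performs the switch-side translation, and recovers the PIN at the issuer. The zone keys, PAN and PIN are constructed test values, and the 3DES keys are used without parity adjustment.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Zone keys constructed for this example only (24-byte 3DES keys).
// In a real network each one lives only inside an HSM.
var (
	zoneKeyAcquirer = []byte("acquirer-switch-zone-key")
	zoneKeyIssuer   = []byte("switch-issuer-zone-key!!")
)

// panField returns "0000" + the 12 rightmost PAN digits excluding the check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN too short")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// iso0PinBlock builds an ISO 9564 format 0 PIN block: the PIN field
// ("0" + PIN length + PIN, padded with F to 16 hex digits) XORed with the PAN field.
func iso0PinBlock(pin, pan string) ([8]byte, error) {
	var block [8]byte
	if len(pin) < 4 || len(pin) > 12 {
		return block, errors.New("PIN length must be 4..12 digits")
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	p, err := hex.DecodeString(pinField)
	if err != nil {
		return block, err
	}
	q, err := panField(pan)
	if err != nil {
		return block, err
	}
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// pinFromBlock is the issuer-side inverse: XOR the PAN field back in and
// read the PIN out using the length nibble.
func pinFromBlock(block [8]byte, pan string) (string, error) {
	q, err := panField(pan)
	if err != nil {
		return "", err
	}
	var clear [8]byte
	for i := range clear {
		clear[i] = block[i] ^ q[i]
	}
	h := strings.ToUpper(hex.EncodeToString(clear[:]))
	if h[0] != '0' {
		return "", errors.New("not a format 0 PIN block")
	}
	n, err := strconv.ParseInt(h[1:2], 16, 0)
	if err != nil || n < 4 || n > 12 {
		return "", errors.New("bad PIN length nibble")
	}
	return h[2 : 2+int(n)], nil
}

// tdesBlock encrypts (or decrypts) one 8-byte block with 3DES, the
// single-block operation used on PIN blocks.
func tdesBlock(key []byte, in [8]byte, decrypt bool) ([8]byte, error) {
	var out [8]byte
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return out, err
	}
	if decrypt {
		c.Decrypt(out[:], in[:])
	} else {
		c.Encrypt(out[:], in[:])
	}
	return out, nil
}

// hsmTranslate models the switch's HSM at each hop: decrypt under the incoming
// zone key, re-encrypt under the outgoing one. Between those two calls the
// clear PIN block exists inside the HSM, which is why every HSM on the route
// is part of the PIN's security, not just the endpoints.
func hsmTranslate(fromKey, toKey []byte, enc [8]byte) ([8]byte, error) {
	clear, err := tdesBlock(fromKey, enc, true)
	if err != nil {
		return enc, err
	}
	return tdesBlock(toKey, clear, false)
}

func main() {
	pan, pin := "4111111111111111", "1234" // constructed test values
	block, _ := iso0PinBlock(pin, pan)
	atAcquirer, _ := tdesBlock(zoneKeyAcquirer, block, false) // leaves the terminal
	atIssuer, _ := hsmTranslate(zoneKeyAcquirer, zoneKeyIssuer, atAcquirer)
	clear, _ := tdesBlock(zoneKeyIssuer, atIssuer, true)
	recovered, _ := pinFromBlock(clear, pan)
	fmt.Printf("clear block    %X\nacquirer zone  %X\nissuer zone    %X\nrecovered PIN  %s\n",
		block[:], atAcquirer[:], atIssuer[:], recovered)
}
```

The point to take from running it is not the cipher but the shape of the flow: the ciphertext changes at the switch, and the only way it can is for the switch's HSM to hold the clear block in between. Removing that exposure means end-to-end keys between terminal and issuer, which is the backwards-incompatible overhaul the experts quoted below are describing.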

Although there are ways to mitigate the attacks, experts say the problem can only really be resolved if the financial industry overhauls the entire payment processing system.

"You really have to start right from the beginning," says Graham Steel, a research fellow at the French National Institute for Research in Computer Science and Control who wrote about one solution to mitigate some of the attacks. "But then you make changes that aren't backwards-compatible."

PIN hacks hit consumers particularly hard, because they allow thieves to withdraw cash directly from the consumer's checking, savings or brokerage account, Sartin says. Unlike fraudulent credit card charges, which generally carry zero liability for the consumer, fraudulent cash withdrawals that involve a customer's PIN can be more difficult to resolve since, in the absence of evidence of a breach, the burden is placed on the customer to prove that he or she didn't make the withdrawal.

I suspect this is just the beginning of this story, and that as we learn more, both the scope of the problem and the action required to resolve it will become clear. That action may not be financially possible given the fiscal constraints most financial services firms currently face.

Redesigning the global payment system to eliminate legacy vulnerabilities "would require a mammoth overhaul of virtually every point-of-sale system in the world," he says.

Responding to questions about the vulnerabilities in HSMs, the PCI Security Standards Council said that beginning next week the council would begin testing HSMs as well as unattended payment terminals. Bob Russo, general manager of the global standards body, said in a statement that although there are general market standards that cover HSMs, the council's testing of the devices would "focus specifically on security properties that are critical to the payment system." The testing program conducted in council-approved laboratories would cover "both physical and logical security properties."

It is good to hear that action is being taken; however, I suspect it may not be enough, and that the damage is already done. When was the last time you changed your PIN?

Paul Nielson contacted me to share his own debit card fraud horror story, and pointed out that in many countries customers receive a text message every time their credit card is used: a small but effective service that would go a long way toward helping us protect ourselves. Available in Canada? Not that I know of...

Hopefully in the weeks to come we'll hear more about this story and it will put pressure on the banks and other financial institutions to demonstrate that their systems are secure and worthy of our trust.
