Your PIN number is not secure

Cashpoint PIN numbers are not secure according to two Cambridge University researchers who have just revealed serious security holes in the system.

The two researchers say they can get genuine customer details that could be used to raid accounts in less than 24 hours. This means unscrupulous insiders could get access to your money.

The security hole is in the software that encrypts customer data as it travels from the bank's ATM machine to the bank's central computers. The Data Encryption Standard (DES) which all banks use, was previously thought to be practically invulnerable, with the fastest hardware running random number sequences estimated to take 70 years to crack.

However, DES has recently been replaced by AES - the Advanced Encryption Standard - and some experts are now saying it is time the banks caught up with the latest technology. Tim Pickard, marketing director for encryption specialist RSA Security said: "Banks need to look at the new standards. Technology moves on and the banks have to move too if they want to stay secure."

The new method attacks the Application Programming Interfaces (APIs) of the cryptoprocessors - the boxes that run the encryption software. The discoverers of the flaw, Michael Bond and Richard Clayton, say they will publish their findings on the internet in a bid to force the banks to improve their security.

Much of the security industry works by an open peer-review system, whereby bugs and holes are published for public scrutiny, so patches and solutions can be found and reviewed.

Some, including most recently Microsoft, have criticised this system, saying it gives hackers the information and resources they need. However, the Cambridge researchers say this flaw is an example of the problems caused by the closed view of security which banks rely on.

RSA's Pickard added: "Banks have always been very secretive about their security technology, but the open review method makes for stronger technology. It is time to change the culture."