Researchers have discovered a way to retrieve customers' cash machine PINs in an average of 15 tries
The attack is due to a weakness in the cryptographic model used by many hardware security modules (HSMs) to encrypt, store and retrieve PINs. The paper, written by Mike Bond and Piotr Zielinski, goes on to say that typical security countermeasures such as intrusion detection systems are all but useless against this attack. Many banks have systems in place that prevent users from trying another PIN once they've failed three times in a row, and these failures generate alerts within the bank. But, as the authors point out, an internal attacker "can discover a PIN without raising the alarm by inserting the attack transactions just before genuine transactions from the customer which will reset the count." Read more about it here.
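The counter reset described in the quote can be seen in a small simulation of the three-strikes rule, contrasted with a failure count that ignores successes. This is an added example, not code from the paper or from this post; the log format, account names, thresholds and the windowed rule are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample log (not real bank data): "minute account result".
# ACCT-A's failures sit just before the customer's own successful PIN entries.
SAMPLE_LOG = """\
0 ACCT-A FAIL
1 ACCT-A FAIL
2 ACCT-A OK
50 ACCT-C FAIL
51 ACCT-C OK
100 ACCT-B FAIL
101 ACCT-B FAIL
102 ACCT-B FAIL
600 ACCT-A FAIL
601 ACCT-A FAIL
602 ACCT-A OK
"""

def parse_log(text):
    """Return [(minute, account, succeeded)] for each non-empty line."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(int(m), acct, res == "OK") for m, acct, res in rows]

def consecutive_alerts(events, limit=3):
    """Three-strikes rule: a success resets the account's failure count."""
    streak, alerted = defaultdict(int), set()
    for _, account, ok in events:
        streak[account] = 0 if ok else streak[account] + 1
        if streak[account] >= limit:
            alerted.add(account)
    return alerted

def windowed_alerts(events, limit=3, window=1440):
    """Assumed alternative: count failures per window, ignoring successes."""
    recent, alerted = defaultdict(deque), set()
    for minute, account, ok in events:
        if ok:
            continue
        times = recent[account]
        times.append(minute)
        while minute - times[0] >= window:  # drop failures older than window
            times.popleft()
        if len(times) >= limit:
            alerted.add(account)
    return alerted

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(sorted(consecutive_alerts(events)), sorted(windowed_alerts(events)))
```

On the sample log the reset-on-success rule flags only the account with three failures in a row, while the day-long window also flags the account whose failures were interleaved with genuine successes.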
