Researchers at Cambridge have discovered a vulnerability in the way hardware security modules of ATMs encrypt, store and retrieve PINs. With each guess, attackers can discover more about the PIN being guessed.
The researchers found they could crack a PIN in an average of 15 tries. Using various schemes, an attacker could obtain up to 7000 PINs in half an hour.
While most ATMs lock out a card after three attempts, someone on the inside of a bank could circumvent this security measure. The research is being used in a court case involving a couple whose credit card had $80,000 in "phantom" charges.