Distributed Brute Forcing of ATM Card PINs Distributed denial of service attacks are a sad reality of today. Coordinated botnets are using their numbers to overwhelm their target, consuming either all processing resources, or all bandwidth. The attacks are incredibly hard to counter, as often there's no detectable difference between the bots and legitimate users; even if there is, the intrusion prevention systems should have enough capacity to process large number of requests, making them target of the attack themselves. But what if the participants of distributed attacks would be not bots but real people? That opens new opportunities for attacks against well-known targets. A good example will be PIN brute forcing in an automatic teller machine (ATM). ATM cards are generally using magnetic strip and require PIN to get the account balance or withdraw cash. You have three times to put the PIN right; after the first or the second time, you can cancel and get the card back. PINs are generally four-digit decimal numbers (0000 to 9999). So one gets two shots at guessing the PIN (ATM swallows the card after the third wrong PIN attempt), and the probability of a successfull guess is therefore 0.02. It will take days of full-time PIN guessing for somebody to get access to the money if they have a card but don't know the PIN. Unless PIN brute forcing is distributed. Copying ATM card is a trivial task. Equipment for it is cheap and widely available. Picture a group of 5000 people doing PIN guessing at the same time: the coordinator distributes magnetic strip information, the force (do we call them hubots?) writes strips on white plastic and uses 5000 ATMs at the same time with preassigned PINs, just two for each hubot. Success is certain, the attack takes just minutes and is as hard to counter as any other distributed attack. Few factors still offset the risk: forming the army of hubots, which is very geographically distributed (thousands of ATMs are needed), requires extraordinary organisational skill; the magnetic trip information is to be obtained somehow, and PIN could be picked up at that stage; and monitoring systems should flag the use pattern and prevent the card use until the owner contacts the bank. But the required resources can be already in place, as criminal economy including its carding segment have significant scale and workforce. Only completely switching from easily clonable card to cryptographic chip cards will fully mitigate the risk of such distributed attacks against bank cards. Shouts to the P&A squad, J.K., Cookie and Nicky. We shall outsmart.