I doubt it would work the way you'd want it to anyway. I can't imagine that the data between the ATM and the bank is not encrypted, and you'd need the keys - at least once the ATM was at a point to send any transaction information along.
That's not what this vulnerability is about.
The bank has an HSM somewhere, a box that has physical countermeasures and a bunch of other software countermeasures for auditing and whatnot, and is used to store the very secret data like PIN numbers and the like. This box exists to prevent the programmers and engineers for the system from typing 'select * from tbl_pin_numbers' or whatever.
The HSM has an API with which to access PIN numbers, and in the general non-trusted mode it is just a SUCCESS/FAILURE mode thing - you ask it whether the PIN passed is correct, and it replies yes or no. Generally it would be ineffectual for a bank insider to try to ask the HSM about all 9999 (or whatever) possible PINs because there are probably auditing procedures running to alert security about such an attempt, and it is not a fast enough operation that it could be done quickly enough to thwart such notice.
To understand the exploit you need to know a bit about how PINs work, and I'll totally simplify it from the article. Basically they take your account number, pretend it is a big hexadecimal number, and encrypt it with one of their keys. They take the resultant ciphertext and extract the PIN from the first four digits.
That number is HEX though, so it could have A-F in it like 123A or 4B2F. So the system uses a table to map the digits in the PIN into base ten digits. The table allows you to explicitly map every digit, you can say 1=2, 2=3, 4=1, a=2, b=4, c=5, d=9, etc., so 123A becomes 2312, etc.
The problem is that the HSM allows you to pass in this table as part of the verification routine! So, using clever methods you can determine the correct PIN by trying different tables.
Their best method reduced the number of tries to get a PIN from ~5000 to 15.
SO - this isn't a vulnerability that someone can exploit at an ATM, it is a vulnerability that a bank insider can exploit because they have access to their HSM.
That is my understanding of how it works anyway.
Oh - and I would recommend not dialing that number, and keeping your mind off of it as much as possible since I understand how tempting such things can be. :)
Quite honestly the reason to be upset about this is not that there is a flaw with HSMs and ATM PINs, it is because Citibank wants to try to get a gag order silencing the researcher who found it. At least, IMHO.
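An added sketch (not part of the comment above and not any HSM vendor's code) of the verification it describes, with the caller-supplied table beside a version that pins the table inside the device. The key, the account number format, the table value, the function names and the use of HMAC-SHA256 in place of the bank's cipher are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not real bank data.
PIN_KEY = b"constructed-demo-key"
# Assumed fixed table held inside the device: 0-9 map to themselves, A-F to 0-5.
APPROVED_TABLE = "0123456789012345"


def natural_pin(account: str, table: str) -> str:
    """Derive a 4-digit PIN: keyed transform of the account number,
    first four hex digits, each mapped to a decimal digit through `table`."""
    # HMAC-SHA256 stands in for the bank's block cipher (assumption).
    digest = hmac.new(PIN_KEY, account.encode(), hashlib.sha256).hexdigest()
    return "".join(table[int(h, 16)] for h in digest[:4])


def verify_weak(account: str, trial_pin: str, table: str) -> bool:
    """The behaviour described above: the caller chooses the table,
    so the yes/no answer depends on input the caller controls."""
    return hmac.compare_digest(natural_pin(account, table), trial_pin)


def verify_hardened(account: str, trial_pin: str,
                    table: str = APPROVED_TABLE) -> bool:
    """Refuse any table other than the one provisioned in the device."""
    if table != APPROVED_TABLE:
        raise ValueError("decimalization table not approved")
    return hmac.compare_digest(natural_pin(account, APPROVED_TABLE), trial_pin)


def rejects(account: str, trial_pin: str, table: str) -> bool:
    """True when the hardened check refuses a caller-supplied table.
    A real device would also raise an audit event at this point."""
    try:
        verify_hardened(account, trial_pin, table)
    except ValueError:
        return True
    return False
```

With the weak check, a table of sixteen zeros makes the trial PIN 0000 verify for every account, which shows the yes/no answer is no longer a function of the secret alone; the hardened check raises instead of answering.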