
ATM PINs are secure, says FNB

Johannesburg, 28 Feb 2003

A court case under way in the Durban High Court focusing on an alleged "phantom ATM" withdrawal has highlighted potential problems in the ATM network.

Citibank of the US and credit card company Diners Club International are presently involved in a civil case against two individuals, Anil Singh and Vanitha Singh, who are accused of defrauding the ATM network.

To check how secure the ATM network actually is, the defence team asked two researchers from Cambridge University, Mike Bond and Piotr Zielinski, to look into how difficult it is to "crack" a cashpoint card's personal identification number (PIN).

The researchers discovered that - despite numerous security controls - a bank insider could crack a PIN on an internal bank network in an average of 15 tries, rather than the 5 000 tries that the ATM networks claim, meaning that someone with inside knowledge could easily steal a large amount of money in a very short time.

William Ramwell, spokesman for First National Bank (FNB), says the research report indicated that unskewed, randomly-generated PINs, stored encrypted in an online database, are significantly more secure than those focused on in the study.

"This is the case with FNB. The keys used for PIN verification are stored in a Resource Access Control Facility database, where they are protected against unauthorised access, whether internal or external," says Ramwell.

"FNB does not even use the PIN verification technique that was the subject of this research paper, as we use Visa PIN Verification Values instead. A different algorithm is used in this instance, which renders PIN verification more secure."

He says that besides these security measures, the bank is converting from the current security standard, known as the single encryption standard (S-DES), to a new international payments security standard, known as triple-DES (T-DES).

"This is in line with Visa requirements, and our target date for ATM and branch systems is April 2003, while point-of-sale systems should be converted during the second half of 2003.

"Once T-DES is enabled, PINs will be even more securely encrypted, since the key-length for T-DES is at least doubled. T-DES also enables three DES actions on a single piece of information - by utilising two or three encryption keys - where S-DES only uses a single one."

According to Johan van Schalkwyk, director, card division at Standard Bank, the bank cannot supply detailed information regarding its security systems, in order to protect sensitive customer information.

"Our customers can be assured, however, that the security systems of the bank are under constant review and revision by both internal and external audit establishments as well as security experts, to ensure that risk management in the bank's IT systems and operations are both effective and adequate," says Van Schalkwyk.

At the time of going to press, ITWeb had been unable to contact the relevant people at Absa and Nedbank for comment.
