SA banks move to meet international ATM security standards

Johannesburg, 13 Feb 2003

South African banks are moving quickly to meet future international security requirements for their ATMs (automatic teller machines).

According to Gerhard Claassen, Managing Director of the Crypto Business Unit at JSE-listed, secure electronic payments company, Prism Holdings, the major card companies - Visa and MasterCard - have stated that by end-2003 all Host-to-Host PIN communication, such as that used in ATMs, must be triple DES (T-DES) based. In addition, by the end of 2005, all PIN entry devices will have to be T-DES based.

"At present, the standard encryption method used in ATMs and POS systems to protect card users' PINs is known as single DES (Data Encryption Standard) or S-DES. However, the S-DES cryptographic algorithm has been cracked," he explains. "While it took a specially built algorithm cracking machine 22.75 hours to break the S-DES code, it means that devices which rely on S-DES for security can no longer be considered totally secure. Hence the requirement that S-DES-based security be upgraded to far stronger T-DES."

T-DES is far stronger as it enables three DES actions on a single piece of information by utilising two or three encryption keys instead of the one used by S-DES.

The problem is that none of the older ATMs currently in use are T-DES compliant. Now, banks are increasingly using a solution provided by Prism which enables the S-DES encryption process within the ATM to be converted to T-DES prior to the cardholder's PIN leaving the ATM to travel across the public network to the bank's back-end systems. In other words, only T-DES encrypted PINs move across the public network.

"In addition, the Prism system creates an avenue for the use of unique keys for each session depending on the owning financial institution's needs. This means that every time a card is used in the ATM, the S-DES-encoded PIN information is converted to T-DES using a unique encryption key. So even if the T-DES encryption on one PIN is cracked - an action that has not yet been done successfully - the same process will be required each time a PIN-protected card is used, even if it's the same card.

"Even if the most sophisticated and well-funded encryption-cracking syndicate breaks T-DES - which is highly unlikely given the difficulty experienced in overcoming S-DES - the cost to decrypt a T-DES data block just to get at just one PIN is likely to be a huge deterrent," he concludes.

Prism Holdings

JSE-listed Prism Holdings is a world leader in the secure electronic transaction market. With a growing presence in Europe and South-East Asia, Prism is one of the few companies in the world offering services, solutions and products that bridge the following core technologies:

* Security - sophisticated cryptographic security solutions, many developed using own intellectual property resources;

* Payment solutions in the physical and virtual (Internet and wireless) realms; and

* Smart card technologies spanning both wireless communications and electronic payments.

Editorial contacts

Marilyn de Villiers
Citigate Ballard King
(011) 804 4900
marilyn.devilliers@citigatesa.com
Gerhard Claassen
Prism Holdings Limited
(011) 548 1000