About
Subscribe

Security upgrade for bank ATMs

Johannesburg, 14 Feb 2003

A new international payments standard is to be adopted by South African , in line with standards worldwide, which will make the encryption on host-to-host PIN communication virtually impossible to crack.

According to Gerhard Claassen, MD of the Crypto Business Unit at secure electronic payments company Prism Holdings, by the end of 2003 all host-to-host PIN communication such as that used in ATMs must be triple DES (T-DES)-based. DES stands for encryption standard.

In addition, by the end of 2005, all PIN entry devices will have to be T-DES-based.

"At present, the standard encryption method used in ATMs to protect card users` PINs is known as single DES or S-DES. However, the S-DES cryptographic algorithm has been cracked," says Claassen.

"Although it took a specially built algorithm cracking machine 22.75 hours to break the S-DES code, it does mean that devices which rely on S-DES for security can no longer be considered totally secure. Hence the decision to upgrade S-DES-based security to the far stronger T-DES."

T-DES is a better system as it enables three DES actions on a single piece of information, by utilising two or three encryption keys instead of the one used by S-DES.

"We need to ensure that encryption methods keep pace with technological developments. The point of moving to T-DES is to pre-empt the possible cracking of S-DES by criminal elements," says Chris Winter, general manager at Visa SA.

"The whole point of Visa is to allow people to use it anywhere in the world, it would be wholly unacceptable if we weren`t able to ensure that our client`s data is secure."

He says there is no security risk at the moment and that the move to T-DES is purely to enhance security measures, in much the same way that banks are beginning to migrate from magnetic stripe technology to chip-based technology.

"It is purely a matter of staying ahead in terms of technological developments and to be proactive in terms of security, rather than reactive."

Claassen says the real problem is that none of the older ATMs in use are T-DES-compliant.

"Banks are beginning to use a solution provided by Prism which enables the S-DES encryption process within the ATM to be converted to T-DES prior to the cardholder`s PIN leaving the ATM to travel across the public network to the bank`s back-end systems. In other words, only T-DES-encrypted PINs move across the public network.

"In addition, the Prism system creates an avenue for the use of unique keys for each session, depending on the owning financial institution`s needs. This means that every time a card is used in the ATM, the S-DES-encoded PIN information is converted to T-DES using a unique encryption key."

He says this means that even if the T-DES encryption on one PIN is cracked - an action that has not yet been done successfully - the same process will be required each time a PIN-protected card is used, even if it`s the same card.

"Even if the most sophisticated and well-funded encryption-cracking syndicate breaks T-DES, although this is highly unlikely, given the difficulty experienced in overcoming S-DES, the cost to decrypt a T-DES data block to get at just one PIN is likely to be a huge deterrent."

Related articles:
Taking banking securely into Africa - NamITech

Share