The California based company Redspin made a recent “discovery” about the true nature of traffic of ATM banking traffic, it’s unencrypted. Now, sadly, this is not news, let alone for anyone in the banking industry.
Essentially, unencrypted ATM transaction data is floating around bank networks, and bank managers are completely unaware of it. The only data from an ATM transaction that is encrypted is the PIN number.
The assertion that bankers were caught unaware is blatant garbage. Now, a quick Google search found an article on this subject dating from 2004. I personally have known about this since 1998 when the Russian mob in Toronto (and elsewhere) was busted for skimming data from the ATM machines in the city with DAT recordings. The traffic was a no brainer for them to decipher. The PIN being the only portion that had any sort of encryption. DES having been broken since the early 90’s.
Bank officials said yesterday that they would probably continue to use the DES code until officially warned against it, or until another
Government-approved encryption package was made available.
This quote I should point out is from 1991. This was, at the time, considered to be an “acceptable risk” for banks. Now, as banks move away from their dedicated line ATM networks to IP connectivity the skeletons are starting to tumble out of the closet.
In additional to Visa’s certification program, MasterCard has set an 1 April, 2005 deadline for ATMs that accept its card to switch their PIN encryption from DES to the more secure Triple DES algorithm (some large networks negotiated a more lenient deadline of December 2005)
Now the audit firms have rolled into action and we are seeing the first light to be shed on this subject by someone other than a member of the banking industry. The UK’s GCHQ warned about this in 1991 in the Daily Telegraph. I had a fit about it in 1998. It’s 2006 and this is now news?
“We were in the middle of an audit, looking at network traffic, when there it was, plain as day. We were surprised. The bank manager was surprised. Pretty much everyone we talk to is surprised. The card number, the expiration date, the account balances and withdrawal amounts, they all go across the networks in cleartext, which is exactly what it sounds like — text that anyone can read,”
Redspin is late to the party and they only brought a 6 pack of light beer. Welcome to the nightmare.
Reference: Link
Reference: Link
Reference: Link
Reference: Link
[tags]Triple DES, DES, Redspin, ATM, Vulnerabilities[/tags]