funsec mailing list archives

Triple DES Upgrades May Introduce New ATM Vulnerabilities


From: "Fergie" <fergdawg () netzero net>
Date: Mon, 17 Apr 2006 16:44:29 GMT

Interesting.

Thanks to Bruce Schneier who points out this article.

Also, as Bruce points out:

[snip]

Basically, at the same time they're upgrading their encryption to triple-DES, they're also moving the communications 
links from dedicated lines to the Internet. And while the protocol encrypts PINs, it doesn't encrypt any of the other 
information, such as card numbers and expiration dates.

So it's the move from dedicated lines to the Internet that's adding the insecurities.

[snip]

http://www.schneier.com/blog/archives/2006/04/tripledes_upgra.html

Via Payment News.

[snip]

In a press release today [13 April 2006], Redspin, an independent auditing firm based in Carpinteria, CA, suggests that 
the recent mandated upgrades of ATMs to support triple DES encryption of PINs have introduced new vulnerabilities into 
the ATM network environment - because of other changes that were typically made concurrently with the triple DES 
upgrades.

[snip]

More:
http://www.paymentsnews.com/2006/04/redspin_triple_.html

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

