funsec mailing list archives
RE: Triple DES Upgrades May Introduce New ATM Vulnerabilities
From: "Henderson, Dennis K." <Dennis.Henderson () umb com>
Date: Mon, 17 Apr 2006 15:32:48 -0500
-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Fergie
Sent: Monday, April 17, 2006 11:44 AM
To: funsec () linuxbox org
Subject: [funsec] Triple DES Upgrades May Introduce New ATM Vulnerabilities

Interesting. Thanks to Bruce Schneier who points out this article. Also, as Bruce points out:

[snip]

Basically, at the same time they're upgrading their encryption to triple-DES, they're also moving the communications links from dedicated lines to the Internet. And while the protocol encrypts PINs, it doesn't encrypt any of the other information, such as card numbers and expiration dates. So it's the move from dedicated lines to the Internet that's adding the insecurities.

Any bank that transmits ATM transactions over the Internet without securing it with VPN or other TLS deserves to be pwned....

The whole context of the article's title is slightly phony. It does describe several truths in that banks are indeed moving their ATM transactions from private dial, ISDN, etc. to IP. This is more related to getting off of old, unsupported SNA front end infrastructure than anything else. To relate that effort to the completely separate OCC/FFIEC recommendation of switching to 3DES to protect the PINs (which is actually the PIN offset, not the actual PIN), is like shooting a gun in the middle of a nervous herd of cows...