funsec mailing list archives

RE: Triple DES Upgrades May Introduce New ATM Vulnerabilities


From: "Henderson, Dennis K." <Dennis.Henderson () umb com>
Date: Mon, 17 Apr 2006 15:32:48 -0500


-----Original Message-----
From: funsec-bounces () linuxbox org 
[mailto:funsec-bounces () linuxbox org] On Behalf Of Fergie
Sent: Monday, April 17, 2006 11:44 AM
To: funsec () linuxbox org
Subject: [funsec] Triple DES Upgrades May Introduce New ATM Vulnerabilities

Interesting.

Thanks to Bruce Schneier who points out this article.

Also, as Bruce points out:

[snip]

Basically, at the same time they're upgrading their 
encryption to triple-DES, they're also moving the 
communications links from dedicated lines to the Internet. 
And while the protocol encrypts PINs, it doesn't encrypt any 
of the other information, such as card numbers and expiration dates.

So it's the move from dedicated lines to the Internet that's 
adding the insecurities.


Any bank that transmits ATM transactions over the Internet without
securing it with VPN or other TLS deserves to be pwned....

The whole context of the article's title is slightly phony.

It does describe several truths in that banks are indeed moving their
ATM transactions from private dial, ISDN, etc. to IP. This is more
related to getting off of old, unsupported SNA front end infrastructure
than anything else.

To relate that effort to the completely separate OCC/FFIEC
recommendation of switching to 3DES to protect the PINs (which is
actually the PIN offset, not the actual PIN) is like shooting a gun in
the middle of a nervous herd of cows...

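The split Schneier describes above, with the PIN encrypted under 3DES while the card number and expiry ride in the clear, as an added example that is not code from the original post or from any bank's systems: it builds an ISO 9564-1 format 0 PIN block, 3DES-encrypts it under a constructed 16-byte key, and assembles a simplified request record. The record layout and field names are assumptions for illustration, not any real ATM network format; on a link without VPN or TLS, every field but EPB is readable to anyone on the path.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// iso9564Format0 builds an ISO 9564-1 format 0 PIN block: the PIN field
// (0, PIN length, PIN digits, F padding) XORed with 0000 + the 12
// rightmost PAN digits excluding the check digit.
func iso9564Format0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 {
		return nil, fmt.Errorf("invalid PIN or PAN length")
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	panField := "0000" + pan[len(pan)-13:len(pan)-1]
	raw, err := hex.DecodeString(pinField + panField)
	if err != nil {
		return nil, fmt.Errorf("PIN and PAN must be digits: %w", err)
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = raw[i] ^ raw[8+i]
	}
	return block, nil
}

// buildRequest assembles a constructed, simplified transaction record (an
// assumption for illustration, not a real ATM network format). Only the PIN
// block is encrypted; PAN, expiry and amount are plaintext on the wire.
func buildRequest(key []byte, pin, pan, expiry, amount string) (string, error) {
	if len(key) != 16 { // double-length key; expanded below to K1|K2|K1
		return "", fmt.Errorf("key must be 16 bytes")
	}
	block, err := iso9564Format0(pin, pan)
	if err != nil {
		return "", err
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	if err != nil {
		return "", err
	}
	epb := make([]byte, 8)
	c.Encrypt(epb, block) // single-block ECB, as ISO 9564 specifies
	return fmt.Sprintf("PAN=%s;EXP=%s;AMT=%s;EPB=%X", pan, expiry, amount, epb), nil
}
```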


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.