funsec mailing list archives
Re: Posturing: A Necessary Evil
From: "Dennis Henderson" <hendomatic () gmail com>
Date: Fri, 1 Dec 2006 08:42:00 -0600
On 12/1/06, Fergie <fergdawg () netzero net> wrote:
> Has anyone considered the fact that, given the scare regarding ATM PIN compromise potential, the U.S. Government warning of foreign attacks against financial resources is somewhat dubious? I mean, given the timing of everything. But then again, what do I know?
> http://redtape.msnbc.com/2006/11/researchers_who.html
Banks have recently made the transition from DES(??!!??) to 3DES for PIN encryption. A good bank security practice is that the key is split in two, with two parties having control over it. These keys are updated on a regular basis. A very labor-intensive task, but a necessary task. Any bank that lets its PIN get decrypted and re-encrypted multiple times is ripe for the kill. Most banks that follow best practices either have their own HSM or outsource to a company like E-Funds, which handles all the HSM activities.

The statement in the article that the PIN is decrypted and re-encrypted at multiple points along the way seems dubious. Perhaps they are mistaking the transport-layer encryption...

The bottom line: a big risk in any company is the insider. It has been and always will be. Take the time to establish the proper controls around access and the risk will go down correspondingly. Any bank that is getting the proper GLBA and SOX auditing will be going through these issues. A well-trained IT/financial auditing team will know where to look to spot possible collusion access combinations. Some auditors find it amazing when they go through a control audit and find out just who has access to what...

The DHS announcement is odd, as Infragard so far has not made mention of it. Perhaps their web person works on the west coast :) Some OCC folk I know were mumbling about this quietly yesterday... we'll see, I guess.

Dennis
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
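The PIN handling Dennis describes above (3DES PIN encryption, a working key that only exists as the XOR of two custodians' components, and the decrypt-and-re-encrypt "translation" the MSNBC article talks about) can be made concrete in code. The following is an added worked example written for this archive page; it is not code from this thread, from any bank, or from any HSM vendor. It uses Go's standard crypto/des and the real ISO 9564-1 format 0 PIN block layout, but every key, the PAN and the PIN are constructed values, and the translation step deliberately runs in ordinary process memory so that the exposure Dennis objects to is visible: between the decrypt and the re-encrypt, the clear PIN block is sitting in a variable. Inside an HSM that variable never leaves the device; done in software on a switch, it is exactly what an insider with a debugger would be after.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// All key material and card data here is constructed for the example. componentA and componentB
// model the two custodians' halves of a double-length (16-byte) 3DES PIN key; the working key is
// their XOR and, in a real bank, is only ever formed inside the HSM.
var componentA, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
var componentB, _ = hex.DecodeString("89ABCDEF01234567765432100FEDCBA9")
var issuerKey, _ = hex.DecodeString("C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6") // key the block is translated to
const samplePAN = "4000001234567899"                                    // constructed PAN; last digit is the check digit

// combineComponents forms the working key by XOR; neither half alone reveals anything about it.
func combineComponents(a, b []byte) ([]byte, error) {
	if len(a) != 16 || len(b) != 16 {
		return nil, fmt.Errorf("components must be 16 bytes, got %d and %d", len(a), len(b))
	}
	key := make([]byte, 16)
	for i := range key {
		key[i] = a[i] ^ b[i]
	}
	return key, nil
}

// panField is the ISO 9564 format 0 PAN field: 0000 then the rightmost 12 PAN digits excluding the check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, fmt.Errorf("PAN must be at least 13 decimal digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// isoFormat0PinBlock builds a format 0 block: (0 | PIN length | PIN digits | F padding to 16 hex digits) XOR PAN field.
func isoFormat0PinBlock(pin, pan string) ([8]byte, error) {
	var block [8]byte
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return block, fmt.Errorf("PIN must be 4..12 decimal digits")
	}
	q, err := panField(pan)
	if err != nil {
		return block, err
	}
	p, _ := hex.DecodeString(fmt.Sprintf("0%X%s", len(pin), pin) + strings.Repeat("F", 14-len(pin)))
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// recoverPin undoes isoFormat0PinBlock and rejects anything that is not well-formed, which is what a wrong key produces.
func recoverPin(block [8]byte, pan string) (string, error) {
	q, err := panField(pan)
	if err != nil {
		return "", err
	}
	f := make([]byte, 8)
	for i := range f {
		f[i] = block[i] ^ q[i]
	}
	s, n := hex.EncodeToString(f), int(f[0]&0x0F)
	if s[0] != '0' || n < 4 || n > 12 || strings.Trim(s[2:2+n], "0123456789") != "" || strings.Trim(s[2+n:], "f") != "" {
		return "", fmt.Errorf("not a well-formed format 0 PIN block")
	}
	return s[2 : 2+n], nil
}

// pinBlockCrypt encrypts (or, with decrypt set, decrypts) one 8-byte PIN block under a double-length
// 3DES key (K1||K2||K1). A PIN block is one cipher block, so this is single-block ECB. Go's crypto/des ignores parity bits.
func pinBlockCrypt(key16 []byte, in [8]byte, decrypt bool) ([8]byte, error) {
	var out [8]byte
	if len(key16) != 16 {
		return out, fmt.Errorf("expected a 16-byte key, got %d", len(key16))
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		return out, err
	}
	if decrypt {
		c.Decrypt(out[:], in[:])
	} else {
		c.Encrypt(out[:], in[:])
	}
	return out, nil
}

// translatePinBlock is the decrypt-and-re-encrypt step the article describes. Between the two calls
// the clear PIN block sits in this process's memory; that exposure is what an HSM-internal translate removes.
func translatePinBlock(fromKey, toKey []byte, enc [8]byte) ([8]byte, error) {
	clearBlock, err := pinBlockCrypt(fromKey, enc, true)
	if err != nil {
		return clearBlock, err
	}
	return pinBlockCrypt(toKey, clearBlock, false)
}
```

To follow the flow end to end: `combineComponents(componentA, componentB)` gives the acquirer's working key, `isoFormat0PinBlock("1234", samplePAN)` yields the block 041234fedcba9876, `pinBlockCrypt(key, block, false)` is what leaves the ATM, `translatePinBlock(key, issuerKey, ...)` is the hop Dennis and the article disagree about, and `recoverPin` on a block decrypted under one component alone fails, because a single custodian's half is not the key. The PAN mixing in format 0 is why the same PIN produces different blocks for different cards, and why the issuer must know the PAN to check the PIN.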
Current thread:
- Posturing: A Necessary Evil Fergie (Nov 30)
- Re: Posturing: A Necessary Evil Dennis Henderson (Dec 01)