funsec mailing list archives

Re: Posturing: A Necessary Evil


From: "Dennis Henderson" <hendomatic () gmail com>
Date: Fri, 1 Dec 2006 08:42:00 -0600

On 12/1/06, Fergie <fergdawg () netzero net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Has anyone considered the fact that, given the scare regarding
> ATM PIN compromise potential, that the U.S. Government warning of
> foreign attacks against financial resources is somewhat dubious?
>
> I mean, given the timing of everything.
>
> But then again, what do I know?
>
> http://redtape.msnbc.com/2006/11/researchers_who.html



Banks have recently made the transition from DES(??!!??) to 3DES for PIN
encryption. A good bank security practice is that the key is split in two
with two parties having control over it. These keys are updated on a
regular basis. A very labor-intensive task, but a necessary task. Any bank
that lets its PIN get decrypted and re-encrypted multiple times is ripe for
the kill.

Most banks that follow best practices either have their own HSM or
outsource to a company like E-Funds which handles all the HSM activities.
The statement in the article that the PIN is decrypted and re-encrypted at
multiple points along the way seems dubious. Perhaps they are mistaking the
transport layer encryption...

The bottom line: a big risk in any company is the insider. It has been and
always will be. Take the time to establish the proper controls around access
and the risk will go down correspondingly. Any bank that is getting the
proper GLBA and SOX auditing will be going through these issues. A well
trained IT/financial auditing team will know where to look to spot possible
collusion access combinations.

Some auditors find it amazing when they go thru a control audit and find out
just who has access to what...


The DHS announcement is odd as Infragard so far has not made mention of it.
Perhaps their web person works on the west coast :)

Some OCC folk I know were mumbling about this quietly yesterday... we'll
see, I guess.


Dennis
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
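As an added illustration of the "key split in two with two parties having control over it" practice Dennis describes (this is example code written for this archive page, not anything from the post, from E-Funds, or from any HSM vendor): a 2-key 3DES key is parity-adjusted, then XOR-split into two components so that each custodian holds one and neither component alone says anything about the key. The key check value here is a SHA-256 stand-in, because the Python standard library has no DES; a real KCV is the first bytes of the zero block encrypted under the key. The function names and the fixed sample key are my own constructions.

```python
import hashlib
import os


def adjust_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, the DES/3DES key convention.

    Bit 0 of each byte is the parity bit; the other seven bits carry key material.
    """
    out = bytearray()
    for b in key:
        body = b & 0xFE                      # drop the old parity bit
        ones = bin(body).count("1")
        out.append(body | (0 if ones % 2 == 1 else 1))  # set bit 0 so the byte has odd parity
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    """True if every byte of the key has an odd number of set bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def kcv(key: bytes) -> str:
    """Stand-in key check value (assumption: SHA-256 prefix instead of a 3DES zero-block encryption).

    Custodians compare KCVs to confirm they reassembled the right key without revealing it.
    """
    return hashlib.sha256(key).hexdigest()[:6]


def split_key(key: bytes):
    """Split a key into two XOR components for two custodians.

    Component A is uniformly random, so it is independent of the key; component B
    is the key XOR A, so it is also uniformly random on its own. Only the pair
    recombines to the key (dual control).
    """
    comp_a = os.urandom(len(key))
    comp_b = bytes(k ^ a for k, a in zip(key, comp_a))
    return comp_a, comp_b


def combine_key(*components: bytes) -> bytes:
    """XOR the components back together and restore odd parity on the result.

    XOR of two odd-parity bytes has even parity, so the recombined key is
    parity-adjusted again before use; this does not change its key bits.
    """
    length = len(components[0])
    if any(len(c) != length for c in components):
        raise ValueError("all key components must have the same length")
    key = bytearray(length)
    for comp in components:
        for i, b in enumerate(comp):
            key[i] ^= b
    return adjust_parity(bytes(key))


def demo_ceremony():
    """Run a two-custodian key ceremony on a constructed sample key and report the outcome."""
    # Constructed 16-byte (2-key 3DES) sample key; not a real production key.
    master = adjust_parity(bytes(range(0x10, 0x20)))
    comp_a, comp_b = split_key(master)
    rebuilt = combine_key(comp_a, comp_b)
    return {
        "parity_ok": has_odd_parity(master) and has_odd_parity(rebuilt),
        "rebuilt_matches": rebuilt == master,
        "kcv_matches": kcv(rebuilt) == kcv(master),
        "component_a_leaks_key": comp_a == master,
        "component_b_leaks_key": comp_b == master,
    }


if __name__ == "__main__":
    for name, ok in demo_ceremony().items():
        print(f"{name}: {ok}")
```

The point the two custodians rely on: because component A is chosen at random and component B is derived from it, an auditor reviewing the ceremony should find that no single person ever handled, logged, or emailed both halves, and that the KCV recorded at generation is the one that is checked when the key is loaded into the HSM after each rotation.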