- Published: 15 April 2009
- Written by NStinchcombe
16th April 09 Revelations that hackers have discovered a method of cracking PINs from payment cards as they travel from an ATM to a banking computer are the direct result of sloppy security practices, says Credant Technologies, the military grade encryption specialist.
"The report, from Verizon Business, claims to show that criminal fraudsters are intercepting the weakest links in the multi-hop network path between one bank's ATM and the home network of the card being used," said Michael Callahan, Credant's senior vice president.
"The fraudsters appear to have realised that each HSM (hardware security module) at each 'stop' on the transaction authorisation route has to decrypt the PIN and its associated card data string and then re-encrypt the data stream using its own algorithms for next leg," he added.
According to Callahan, with card ATM-to-bank-computer routes typically traversing several network hops - especially in
What many people overlook, he says, is that the branding of various ATMs - Cirrus, Visa, MasterCard etc - is just that, a brand, and the convoluted path a card authorisation and transaction request can make is hidden from the cardholder's view.
All is not lost, he explained, as it is perfectly possible for a bank - or group of banks - to encrypt the PIN and other security data at the ATM end of the link, and then further encrypt the data string for each leg of its journey, as required by the banking network.
This means, he says, that if the origin data is encrypted to a very high level, when the data is decrypted at its destination HSM, it can be further decrypted before being handed on to the relevant bank computers.
"Double levels of encryption are nothing new in high level security circles. It's a shame that the banks appear to have overlooked this issue when designing their ATM networks," he said. "There is nothing to stop banks adding military grade encryption as an underlay to their existing HSM-based network encryption system and so ensuring their cardholders are safe from this new type of hacking exploit," he added.
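The two-layer arrangement Callahan describes, as an added example that is not code from the release, from Verizon Business or from Credant: a PIN block travels ATM -> acquirer -> interbank switch -> issuer, and each intermediate HSM decrypts and re-encrypts it for the next leg. Run once without and once with an extra end-to-end layer shared only by the ATM and the issuer, it shows that a compromised intermediate node recovers the PIN block in the first case and only ciphertext in the second. The HMAC-SHA256 keystream is a stand-in for the TDES/AES a real HSM uses, and the node names, keys, PAN and PIN are constructed; the PIN block layout follows ISO 9564-1 format 0.

```python
"""Hop-by-hop PIN translation versus an added end-to-end layer.

Added example, not code from the press release or from Credant. The toy
HMAC keystream cipher stands in for the block cipher an HSM would use; route,
keys and sample PAN/PIN are constructed for illustration.
"""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256(nonce||counter) keystream.
    Illustration only; a real HSM would use TDES/AES here."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    return keystream_xor(key, nonce, body)


def iso9564_format0_block(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0 PIN block: (0, PIN length, PIN, F padding) XOR
    (0000, 12 PAN digits left of the check digit), packed into 8 bytes."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    pan_field = "0000" + pan[-13:-1].rjust(12, "0")
    return (int(pin_field, 16) ^ int(pan_field, 16)).to_bytes(8, "big")


# Constructed route and per-link keys; each link key is known to its two ends.
ROUTE = ["atm", "acquirer", "switch", "issuer"]
HOP_KEYS = {(ROUTE[i], ROUTE[i + 1]): os.urandom(32) for i in range(len(ROUTE) - 1)}
E2E_KEY = os.urandom(32)  # shared only by the ATM and the issuer (the "underlay")


def relay(pin_block: bytes, e2e: bool, observer: str):
    """Carry the PIN block along ROUTE with per-hop translation.
    Returns (what the issuer recovers, what a compromised `observer` node saw)."""
    payload = encrypt(E2E_KEY, pin_block) if e2e else pin_block
    seen = None
    for i, node in enumerate(ROUTE[:-1]):
        if i > 0:
            # Intermediate HSM strips the previous leg's encryption...
            payload = decrypt(HOP_KEYS[(ROUTE[i - 1], node)], payload)
        if node == observer:
            seen = payload  # ...which is exactly what an attacker on this node sees
        # ...and re-encrypts for the next leg.
        payload = encrypt(HOP_KEYS[(node, ROUTE[i + 1])], payload)
    payload = decrypt(HOP_KEYS[(ROUTE[-2], ROUTE[-1])], payload)
    if e2e:
        payload = decrypt(E2E_KEY, payload)  # only the issuer holds E2E_KEY
    return payload, seen


def demo(pin: str = "1234", pan: str = "4111111111111111", observer: str = "switch") -> dict:
    """Compare what a compromised intermediate node learns in both designs."""
    block = iso9564_format0_block(pin, pan)
    got_hop, seen_hop = relay(block, e2e=False, observer=observer)
    got_e2e, seen_e2e = relay(block, e2e=True, observer=observer)
    return {
        "pin_block": block,
        "issuer_ok_hop_by_hop": got_hop == block,
        "issuer_ok_e2e": got_e2e == block,
        "observer_sees_block_hop_by_hop": seen_hop == block,
        "observer_sees_block_e2e": seen_e2e == block,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v.hex() if isinstance(v, bytes) else v)
```

The issuer recovers the same block in both runs, so the end-to-end layer costs nothing in correctness; the difference is confined to what the intermediate nodes can read. In a real network the inner layer would also need a key the intermediate switches never hold, which is the operational point the release glosses over.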
For more on the weakest link in the ATM chain story: http://tinyurl.com/c8uag9
For more on Credant: http://www.credant.com or contact Yvonne on
ENDS