Encryption mandate puts strain on financial IT
Upgrading ATMs and servers will cost the retail and banking industries billions
Computerworld - A mandate by credit card companies and related funds-transfer networks to upgrade the security of electronic transactions will cost the banking and retail industries billions of dollars in hardware and software and require several years of intensive work to complete.
MasterCard International Inc., Visa U.S.A. Inc. and associated network providers have established deadlines starting in 2004 for converting electronic funds networks to the Triple Data Encryption Standard. The DES cryptology algorithm currently in use has become vulnerable to attacks as a result of increases in computing power, those organizations say.
Beth Lynn, senior vice president of network administration at San Diego-based Star Systems Inc., the nation's largest debit network, said it won't be long before "it will become easy to buy a DES cracker and break those [encryption] keys."
There have been no reports to date of DES-related break-ins. Instead, hackers have attempted to exploit other network weaknesses. "It's a whole lot easier to find a Windows [or] Unix vulnerability," said Ryan Kalember, a security expert at Guardent Inc. in Waltham, Mass.
In much the same way that Y2k upgrades helped push companies to take advantage of new Web-based technologies, the upgrade to Triple DES may help lay the foundation for new point-of-sale and ATM services, such as bill paying.
Bank One Corp. in Chicago, for instance, has decided to replace all 4,000 of its ATMs with Triple DES-compliant models over the next three years. That effort began in March and will cost at least $150 million, according to a Bank One spokeswoman. In addition to being more secure, the new machines will be Web-enabled and ready to support a host of new features such as online bill payment, account aggregation and brokerage services.
DES is designed to protect personal identification numbers (PIN) entered at ATMs and point-of-sale devices, but using brute-force computing power in a process called an "exhaustion attack," it's possible to unscramble DES-protected information.
Led by Purchase, N.Y.-based MasterCard, the major electronic funds companies began seeking an industry conversion to Triple DES several years ago. But with the deadlines looming, banks and retailers are only beginning to deal with the costly conversion, and they're now calling for deadline extensions. Many of the nation's 360,000 ATMs will have to be replaced to comply, as will some back-end systems. Many applications will have to be rewritten to handle Triple DES.
The total cost will be staggering. A new ATM can cost as much as $50,000; costs will range from $1,000 to $5,000 for ATMs that can be upgraded, according to financial industry analysts. Hardware security modules,
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!