Encryption mandate puts strain on financial IT
Upgrading ATMs and servers will cost the retail and banking industries billions
Computerworld - A mandate by credit card companies and related funds-transfer networks to upgrade the security of electronic transactions will cost the banking and retail industries billions of dollars in hardware and software and require several years of intensive work to complete.
MasterCard International Inc., Visa U.S.A. Inc. and associated network providers have established deadlines starting in 2004 for converting electronic funds networks to the Triple Data Encryption Standard. The DES cryptology algorithm currently in use has become vulnerable to attacks as a result of increases in computing power, those organizations say.
Beth Lynn, senior vice president of network administration at San Diego-based Star Systems Inc., the nation's largest debit network, said it won't be long before "it will become easy to buy a DES cracker and break those [encryption] keys."
There have been no reports to date of DES-related break-ins. Instead, hackers have attempted to exploit other network weaknesses. "It's a whole lot easier to find a Windows [or] Unix vulnerability," said Ryan Kalember, a security expert at Guardent Inc. in Waltham, Mass.
In much the same way that Y2k upgrades helped push companies to take advantage of new Web-based technologies, the upgrade to Triple DES may help lay the foundation for new point-of-sale and ATM services, such as bill paying.
Bank One Corp. in Chicago, for instance, has decided to replace all 4,000 of its ATMs with Triple DES-compliant models over the next three years. That effort began in March and will cost at least $150 million, according to a Bank One spokeswoman. In addition to being more secure, the new machines will be Web-enabled and ready to support a host of new features such as online bill payment, account aggregation and brokerage services.
DES is designed to protect personal identification numbers (PIN) entered at ATMs and point-of-sale devices, but using brute-force computing power in a process called an "exhaustion attack," it's possible to unscramble DES-protected information.
Led by Purchase, N.Y.-based MasterCard, the major electronic funds companies began seeking an industry conversion to Triple DES several years ago. But with the deadlines looming, banks and retailers are only beginning to deal with the costly conversion, and they're now calling for deadline extensions. Many of the nation's 360,000 ATMs will have to be replaced to comply, as will some back-end systems. Many applications will have to be rewritten to handle Triple DES.
The total cost will be staggering. A new ATM can cost as much as $50,000; costs will range from $1,000 to $5,000 for ATMs that can be upgraded, according to financial industry analysts. Hardware security modules,
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- 10 Things Your Next Firewall Must do Next-Generation Firewalls Defined
- Firewall Buyers Guide Operate as the core of your network security infrastructure
- Getting Started With a Zero Trust Approach to Network Security The Traditional Approach to Network Security is Failing. View Now>>
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts