Encryption mandate puts strain on financial IT
Upgrading ATMs and servers will cost the retail and banking industries billions
Computerworld - A mandate by credit card companies and related funds-transfer networks to upgrade the security of electronic transactions will cost the banking and retail industries billions of dollars in hardware and software and require several years of intensive work to complete.
MasterCard International Inc., Visa U.S.A. Inc. and associated network providers have established deadlines starting in 2004 for converting electronic funds networks to the Triple Data Encryption Standard. The DES cryptology algorithm currently in use has become vulnerable to attacks as a result of increases in computing power, those organizations say.
Beth Lynn, senior vice president of network administration at San Diego-based Star Systems Inc., the nation's largest debit network, said it won't be long before "it will become easy to buy a DES cracker and break those [encryption] keys."
There have been no reports to date of DES-related break-ins. Instead, hackers have attempted to exploit other network weaknesses. "It's a whole lot easier to find a Windows [or] Unix vulnerability," said Ryan Kalember, a security expert at Guardent Inc. in Waltham, Mass.
In much the same way that Y2k upgrades helped push companies to take advantage of new Web-based technologies, the upgrade to Triple DES may help lay the foundation for new point-of-sale and ATM services, such as bill paying.
Bank One Corp. in Chicago, for instance, has decided to replace all 4,000 of its ATMs with Triple DES-compliant models over the next three years. That effort began in March and will cost at least $150 million, according to a Bank One spokeswoman. In addition to being more secure, the new machines will be Web-enabled and ready to support a host of new features such as online bill payment, account aggregation and brokerage services.
DES is designed to protect personal identification numbers (PIN) entered at ATMs and point-of-sale devices, but using brute-force computing power in a process called an "exhaustion attack," it's possible to unscramble DES-protected information.
Led by Purchase, N.Y.-based MasterCard, the major electronic funds companies began seeking an industry conversion to Triple DES several years ago. But with the deadlines looming, banks and retailers are only beginning to deal with the costly conversion, and they're now calling for deadline extensions. Many of the nation's 360,000 ATMs will have to be replaced to comply, as will some back-end systems. Many applications will have to be rewritten to handle Triple DES.
The total cost will be staggering. A new ATM can cost as much as $50,000; costs will range from $1,000 to $5,000 for ATMs that can be upgraded, according to financial industry analysts. Hardware security modules,
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts