Encryption mandate puts strain on financial IT

Upgrading ATMs and servers will cost the retail and banking industries billions

A mandate by credit card companies and related funds-transfer networks to upgrade the security of electronic transactions will cost the banking and retail industries billions of dollars in hardware and software and require several years of intensive work to complete.

MasterCard International Inc., Visa U.S.A. Inc. and associated network providers have established deadlines starting in 2004 for converting electronic funds networks to the Triple Data Encryption Standard. The DES cryptographic algorithm currently in use has become vulnerable to attacks as a result of increases in computing power, those organizations say.

Beth Lynn, senior vice president of network administration at San Diego-based Star Systems Inc., the nation's largest debit network, said it won't be long before "it will become easy to buy a DES cracker and break those [encryption] keys."

There have been no reports to date of DES-related break-ins. Instead, hackers have attempted to exploit other network weaknesses. "It's a whole lot easier to find a Windows [or] Unix vulnerability," said Ryan Kalember, a security expert at Guardent Inc. in Waltham, Mass.

In much the same way that Y2K upgrades helped push companies to take advantage of new Web-based technologies, the upgrade to Triple DES may help lay the foundation for new point-of-sale and ATM services, such as bill paying.

Bank One Corp. in Chicago, for instance, has decided to replace all 4,000 of its ATMs with Triple DES-compliant models over the next three years. That effort began in March and will cost at least $150 million, according to a Bank One spokeswoman. In addition to being more secure, the new machines will be Web-enabled and ready to support a host of new features such as online bill payment, account aggregation and brokerage services.

DES is designed to protect personal identification numbers (PINs) entered at ATMs and point-of-sale devices, but with enough brute-force computing power, in a process called an "exhaustion attack" that tries every possible key, it's possible to unscramble DES-protected information.
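To make the key-length point concrete, here is an added example (not code from the article or from any company it names) that shows why the exhaustion attack is a practical threat to single DES and a non-issue for a properly formed Triple DES bundle. It computes the effective key length of a DES or Triple DES key bundle, flags bundles whose components repeat in a way that cancels back to single DES, checks DES odd-parity bits, and estimates exhaustive-search time at an assumed trial rate. All key values are constructed test vectors, and the one-billion-keys-per-second rate is an assumption chosen for illustration, not a figure from the article.

```python
"""Defender-side checks on DES / Triple DES keying material.

Added example, not from the original article. Key values are constructed
test vectors with correct odd parity; they are not production keys.
"""
from __future__ import annotations

DES_KEY_BYTES = 8            # a DES key is 64 bits on the wire ...
DES_EFFECTIVE_KEY_BITS = 56  # ... but 8 of them are odd-parity bits

# Constructed sample key components (every byte has odd parity).
K_A = bytes.fromhex("0123456789ABCDEF")
K_B = bytes.fromhex("FEDCBA9876543210")
K_C = bytes.fromhex("133457799BBCDFF1")


def odd_parity_ok(key: bytes) -> bool:
    """True if every key byte has an odd number of set bits.

    DES reserves the low bit of each key byte as an odd-parity bit, so a
    byte with even parity points to corrupted or mis-keyed material.
    """
    return all(bin(b).count("1") % 2 == 1 for b in key)


def effective_key_bits(key: bytes) -> int:
    """Brute-force key length of a DES or Triple DES key bundle.

    Triple DES computes E_K3(D_K2(E_K1(P))). Repeated components matter:
      K1 == K2 or K2 == K3 -> the inner pair cancels; single DES, 56 bits
      K1 == K3 != K2       -> two-key Triple DES, 112 bits of key material
      all distinct         -> three-key Triple DES, 168 bits of key material
    A 16-byte bundle is two-key Triple DES with K3 = K1.
    """
    if len(key) not in (8, 16, 24):
        raise ValueError("DES/TDES key must be 8, 16 or 24 bytes")
    parts = [key[i:i + DES_KEY_BYTES] for i in range(0, len(key), DES_KEY_BYTES)]
    if len(parts) == 1:
        return DES_EFFECTIVE_KEY_BITS
    if len(parts) == 2:
        parts.append(parts[0])
    k1, k2, k3 = parts
    if k1 == k2 or k2 == k3:
        return DES_EFFECTIVE_KEY_BITS
    if k1 == k3:
        return 2 * DES_EFFECTIVE_KEY_BITS
    return 3 * DES_EFFECTIVE_KEY_BITS


def exhaustion_years(key_bits: int, keys_per_second: float) -> float:
    """Expected years for an exhaustive key search at the given trial rate.

    The average case searches half the key space.
    """
    expected_trials = 2 ** (key_bits - 1)
    return expected_trials / keys_per_second / (365.25 * 24 * 3600)


def check_bundle(key: bytes) -> list[str]:
    """Findings for a key bundle about to be loaded; an empty list means OK."""
    findings = []
    if not odd_parity_ok(key):
        findings.append("parity: at least one key byte has even parity")
    if effective_key_bits(key) == DES_EFFECTIVE_KEY_BITS:
        findings.append("strength: bundle reduces to single DES (56 bits)")
    return findings


if __name__ == "__main__":
    rate = 1e9  # assumed trial rate for illustration only
    for label, bundle in [("single DES", K_A),
                          ("degenerate TDES", K_A + K_A + K_A),
                          ("two-key TDES", K_A + K_B),
                          ("three-key TDES", K_A + K_B + K_C)]:
        bits = effective_key_bits(bundle)
        print(f"{label:16s} {bits:3d} bits  "
              f"~{exhaustion_years(bits, rate):.3g} years at {rate:.0e} keys/s  "
              f"{check_bundle(bundle) or 'OK'}")
```

Run as a script, the block lists each constructed bundle with its effective key length, the expected search time at the assumed rate, and any findings; the degenerate bundle is reported at single-DES strength even though it is 24 bytes long, which is the check a key-loading procedure should perform before a Triple DES upgrade is declared complete.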

Industry Conversion

Led by Purchase, N.Y.-based MasterCard, the major electronic funds companies began seeking an industry conversion to Triple DES several years ago. But with the deadlines looming, banks and retailers are only beginning to deal with the costly conversion, and they're now calling for deadline extensions. Many of the nation's 360,000 ATMs will have to be replaced to comply, as will some back-end systems. Many applications will have to be rewritten to handle Triple DES.

The total cost will be staggering. A new ATM can cost as much as $50,000; costs will range from $1,000 to $5,000 for ATMs that can be upgraded, according to financial industry analysts. Hardware security modules, which sit on transaction servers and process DES keys, can cost up to $50,000 each.

Kurt Helwig, executive director of the Electronic Funds Transfer Association in Washington, said the effort to replace or upgrade old systems will be huge, and financial firms are fuming.

"[Banks] feel they're being asked to bear this burden on behalf of the industry, when it's a problem that's not such a grave threat," said Helwig, whose organization has 600 members, including banks, ATM networks and technology vendors.

"Everyone is convinced that Triple DES is a good idea," said Andi Coleman, Tandem security team leader at Charlotte, N.C.-based Bank of America Corp., who heads a special interest group on security for the ITUG HP NonStop user group. Coleman said she has no doubt that financial services companies will meet the requirements, but she's concerned about whether ATMs widely deployed at retail establishments, which are operated by independent networks, will also comply. "If ever there is a weak link ... it's going to be there," she said.

Star Systems, which is owned by Memphis-based Concord EFS Inc., completed a two-month Triple DES upgrade on its network switches about six months ago. Lynn said the effort was relatively simple and involved updating software on 30 host security modules -- appliances that contain the keycodes for encrypting and decrypting PINs.

For banks and transaction processors, the Triple DES upgrades involve replacing ATM keyboards with keyboards that house an integrated circuit board that encrypts PINs before they're sent to the machine's internal processor. Currently, the PINs are transferred over a 2-foot cable in the clear before being encrypted, said Jerry Silva, an analyst at TowerGroup in Needham, Mass. ATM processing software will also have to be upgraded.

Charles Kennedy, a partner at the law office of Morrison & Foerster LLP in Washington, said industry mandates create a "standard of care" that gives state and federal regulators the legal foothold to step in with enforcement proceedings. Those regulators can impose fines on institutions that suffer security breaches because they lack Triple DES, Kennedy said.

The U.S. Department of the Treasury and the U.S. Federal Reserve Bank currently use Triple DES, a standard that has been adopted by the American National Standards Institute and the International Standards Organization as well.

Copyright © 2003 IDG Communications, Inc.
