Article

Triple DES dare you

First Y2K. Then ADAAG. The latest acronym to inspire industry-wide angst is DES - as in Data Encryption Standard - or more accurately, Triple DES.

May 28, 2002

First there was Y2K, the millennium bug that, despite all of the hype, was resolved with surprisingly little fuss in the ATM world.

Then came the federal government's proposed changes to the ADAAG (Americans with Disabilities Act Accessibility Guidelines), a more vexing concern that will require the ATM industry to make its machines more accessible for all users, chiefly by adding the ability to make them talk.

Although challenges remain, the industry seems well on its way to resolving the ADAAG issue.

The latest acronym to inspire industry-wide angst is DES - as in Data Encryption Standard - or more accurately, Triple DES.

What DES is

Developed by an IBM team in the mid-1970s, adopted by the National Institute of Standards and Technology (NIST) in early 1977 and approved by the American National Standards Institute (ANSI X3.92) in 1981, DES is an encryption algorithm used to protect sensitive data -- such as PINs.

With DES, a binary number called a key is used to encrypt and decrypt data. The DES algorithm uses a 56-bit key; Triple DES applies the DES cipher three times in succession, effectively increasing the key length to 168 bits.

While there have been no cases of fraud linked to a breach of DES, a group called the Electronic Frontier Foundation won a "DES cracking" contest in 1998 by breaking a DES key in less than three days using a specially developed computer. Developed for less than $250,000, the DES Cracker computer was powered by a chip capable of processing 88 billion keys per second.

More recently, in early 1999, a group called Distributed.Net used the DES Cracker and a worldwide network of nearly 100,000 PCs to win a DES cracking contest in 22 hours and 15 minutes. The DES Cracker and PCs combined were testing 245 billion keys per second when the correct key was found.
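The key-search arithmetic behind the contest figures above, as an added example that is not part of the article: it computes the worst-case search time for a 56-bit key at the two quoted rates, how much of the key space the 1999 contest covered in 22 hours and 15 minutes, and the same search run against Triple DES. The Triple DES effective-strength figures (about 112 bits for three-key, about 80 bits for two-key) are background knowledge, not from the article.

```python
# Added worked example: the key-search arithmetic behind the figures quoted above.
SECONDS_PER_YEAR = 365.25 * 24 * 3600

DES_KEY_BITS = 56
EFF_DES_CRACKER_KEYS_PER_S = 88e9                # EFF "DES Cracker", 1998 (from the article)
DISTRIBUTED_NET_KEYS_PER_S = 245e9               # EFF + Distributed.Net, 1999 (from the article)
DISTRIBUTED_NET_ELAPSED_S = 22 * 3600 + 15 * 60  # 22 h 15 min (from the article)

# Triple DES keying options. Nominal key bits are what the article counts;
# "effective" bits are the strength a defender should actually plan on, because
# a meet-in-the-middle attack cuts three-key 3DES to about 112 bits and NIST
# rates two-key 3DES at about 80 bits. (Background knowledge, not from the article.)
TDES_KEYING_OPTIONS = {
    "3-key": {"key_bits": 168, "effective_bits": 112},
    "2-key": {"key_bits": 112, "effective_bits": 80},
}


def keyspace(bits: int) -> int:
    """Number of distinct keys of the given bit length."""
    return 1 << bits


def search_seconds(bits: int, keys_per_second: float, fraction: float = 1.0) -> float:
    """Seconds needed to try `fraction` of a `bits`-bit key space at `keys_per_second`.

    fraction=1.0 is the worst case; 0.5 is the expected case for a random key.
    """
    return keyspace(bits) * fraction / keys_per_second


def search_years(bits: int, keys_per_second: float, fraction: float = 1.0) -> float:
    """Same as search_seconds, expressed in years."""
    return search_seconds(bits, keys_per_second, fraction) / SECONDS_PER_YEAR


def fraction_searched(bits: int, keys_per_second: float, elapsed_seconds: float) -> float:
    """Share of the key space a search at this rate covers in elapsed_seconds."""
    return keys_per_second * elapsed_seconds / keyspace(bits)


if __name__ == "__main__":
    # Single DES: a worst-case exhaustive search is a matter of days at 1999 rates,
    # and the 1999 contest key turned up after only about a quarter of the key space.
    print("DES worst case, 1998 rate: %.1f days" % (search_seconds(DES_KEY_BITS, EFF_DES_CRACKER_KEYS_PER_S) / 86400))
    print("DES worst case, 1999 rate: %.1f days" % (search_seconds(DES_KEY_BITS, DISTRIBUTED_NET_KEYS_PER_S) / 86400))
    covered = fraction_searched(DES_KEY_BITS, DISTRIBUTED_NET_KEYS_PER_S, DISTRIBUTED_NET_ELAPSED_S)
    print("1999 contest key found after %.0f%% of the key space" % (100 * covered))
    # Triple DES at its effective strength is out of reach of any key search at these rates.
    for name, opt in TDES_KEYING_OPTIONS.items():
        years = search_years(opt["effective_bits"], DISTRIBUTED_NET_KEYS_PER_S)
        print("%s 3DES (%d-bit key, ~%d-bit strength), 1999 rate: %.1e years"
              % (name, opt["key_bits"], opt["effective_bits"], years))
```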

Concerned that a hacker could eventually tap into PINs as computers become faster and more powerful, the United States EFT industry had been quietly discussing alternatives to DES for some time, according to Jim Shaffer, a senior product manager at ACI Worldwide. As with most previous regulatory issues, Shaffer said, early meetings were coordinated by Visa.

Yet MasterCard was the first to take an official stand on the matter. After adopting triple DES requirements for its Cirrus ATM and Maestro debit networks in 2000, MasterCard released a bulletin in January of 2001 informing its members that ATMs must be "Triple DES compliant" by April 1, 2002.

Industry reaction

An outcry ensued, said Hugh Burke, vice president of internal audits for Star Systems. "The original rule said 'compliant,' which we assumed meant actually running Triple DES. No one would ever have been able to comply with that," he said.

Burke said MasterCard made some incorrect assumptions. "When MasterCard decided to draw a line in the sand, they didn't do the due diligence to ensure the hardware was available," he said.

Key dates on the way to Triple DES

April 1, 2002
All newly-installed ATMs, newly-installed merchant terminals that accept PINs and Cardholder Activated Terminals must be triple DES capable. That is, they must be capable of processing Triple DES at the point of interaction. "Newly installed" also includes replaced and relocated ATMs and POI terminals.

April 1, 2003
All member and processor host systems must use Triple DES in accordance with triple DES requirements for PIN-based transactions that take place at triple DES compliant POI devices. All ATMs and POI devices installed, replaced or relocated since April 1, 2002 must be triple DES compliant.

April 1, 2005
All ATMs must be Triple DES compliant.

Source: MasterCard Global Deposit Access Operations Bulletin, No. 3, March 29, 2002

While she acknowledged that there had been some confusion over the word "compliant," Carol Jonak, MasterCard's director of debit product management, said MasterCard has taken an undue amount of heat for its implementation schedule.

"It wasn't easy putting pen to paper and coming out with these dates, but it's the responsibility of the network to protect itself," she said.

Earlier discussions on Triple DES had reached an impasse, Shaffer said. "The vendors wanted banks to commit to spending the money to upgrade, the banks didn't want to spend the money unless they had to, and the card associations didn't want to make a mandate until the vendors had the equipment."

Visa, operator of the Plus ATM network, has yet to release any implementation dates for Triple DES. "I think they're probably enjoying letting MasterCard catch all of the arrows on this one," Shaffer said.

Most industry observers believe Visa's deadlines will lag somewhat behind those of MasterCard. In reality, said Rob Evans, NCR's director of industry marketing, it won't matter. "Duality is a fact of life in the ATM world," he said. "Most deployers are bugged with both networks, so it's a moot point whatever Visa does."

Before MasterCard released its dates, Shaffer said it seemed likely that Triple DES implementation would begin at the host level and migrate downstream. Once the April 1, 2002 deadline was announced, however, the focus shifted to individual ATMs.

"If the issue is mitigating risk, it seems like you would have gotten more bang for the buck by focusing first on those high-volume interchange links," he said.

Dean Stewart, director of product planning and management for Diebold, said he can see advantages to both approaches. He agreed that focusing on areas with the fewest points of contact first and working down to the most numerous seems logical.

However, he said, ATM owners are the most likely to delay making the needed changes until other upgrades are made to the ATM.

"It reduces the costs for them. The ATM operations director has concerns other than PIN security to address. His priorities may be different than the priorities of the risk management director."

Breathing a little easier

MasterCard attempted to clarify its Triple DES policy in an operations bulletin dated March 29, 2002, two days before the new regulation was to take effect. In that bulletin, it dropped the apparently loaded word "compliant," and replaced it with "capable."

According to the bulletin: "All newly installed ATMs, newly installed merchant terminals that accept PINs, and cardholder-activated terminals must be Triple DES capable. That is, they must be capable of processing triple DES at the point of interaction. 'Newly installed' also includes replaced and relocated ATMs and POI terminals."

Several manufacturers, including Diebold, NCR, Fujitsu and Wincor Nixdorf, made hardware changes to their new machines to comply with the guidelines - generally providing a secure encryption device that is integrated into the keyboard.

In previous generations of ATMs, the encryption device was often located within the vault and connected to the keyboard via a cable. NCR's Evans said this dated back to the days when most ATMs were installed in bank branches, and only bank employees had access to the vault.

Call them 'capable'

Triton -- All machines except the 9500 and Scrip 9000

Fujitsu -- Series 8000, Series 7000AP, Series 7000

NCR -- 6000 Series, Personas, EasyPoint

Wincor-Nixdorf -- All machines delivered in the last eight years

Diebold -- 1062 i and ix, 1063ix, 1064i and ix, 1070ix, 1071ix, 1072 i and ix, 1073 i and ix, 1074 i and ix, 1075ix, 1077ix, CashSource Plus 200 and CashSource Plus 400

Tranax -- All existing models, including MiniBank-1000, MiniBank-2000, MiniBank-2100, MiniBank-2200, Nano Cash

Bill Jackson, Triton's chief technical officer, said that many of his company's ATMs already had what Triton calls a SPED (Secure PIN Entry Device); a firmware upgrade was added to make it Triple DES capable, and the terminal code was modified to support the multiple keys used by Triple DES. All new Tritons began shipping with a SPED this month, he said.

Danny Langston, national sales director for GTI, said his company's machines have always had an integrated encryptor as well. No cables connect GTI's modules.

"Some people thought we were rinky dink for not having that maze of wires you see in most ATMs, but the truth is it's just a slick design. Now that Triple DES has come along, it looks even slicker," Langston said.

The next step

Once Triple DES capable ATMs are in the field, then what? According to the March 29 MasterCard bulletin, member and host processor systems must use Triple DES for PIN-based transactions at devices able to run Triple DES by April 1, 2003.

Kent Schrock, director of marketing for Fujitsu, said that, to his knowledge, no network or transaction processor has begun the process of certifying Triple DES capable ATMs.

"We're at the beck of the networks, and they have finite resources," Schrock said. "So much else is going on right now, with financial institutions and vendors pushing them to certify NT and other new applications."

According to Star's Burke, only one ATM manufacturer had delivered hardware and software to Star for testing as of mid-March. He said his network hoped to begin limited testing in May.

To complete full regression testing, however, Star must coordinate with transaction processors and host systems, and not all are prepared. "There are some stragglers," he said.

Star must create new coding on its switch for each make and model of machine, using specifications provided by the manufacturers. The first certifications could take up to 90 days, although subsequent ones will likely be quicker, Burke said.

Mike Cowart, director of ATM operations for Lynk Systems, said the Atlanta-based transaction processor has received software from a few, though not all, ATM vendors.

During the next year Lynk must modify its connections to each of the networks - no mean feat, he said, considering that Lynk has six connections to Star alone (from its two data centers to Star East or Honor, Star West and Star Northeast or MAC).

Lynk also must modify its encryption boxes - the physical facilities that house encrypted data. And all makes and models of ATMs must be certified separately.

Because processors like Lynk are in essence a "middleman" between the networks and the manufacturers and their distributors, Cowart said, he fears they could bear the brunt of Triple DES fallout.

"We're caught in the middle on this, and we could end up looking like the bad guy," he said, noting that processors are on the front lines of enforcement since they maintain the most direct connection to ATMs.

Final deadline

The final date listed in MasterCard's March 29 bulletin: April 1, 2005, when "all ATMs must be triple DES compliant." According to most manufacturers, all of their current models and usually one previous generation will be upgradeable.

Costs will vary. Diebold's Stewart suggested it would cost about $800 to $1,000 to add an EPP (Encryption PIN Pad) to existing Diebold ATMs. Fujitsu's Schrock said it could cost up to $1,700 to upgrade his company's already-installed Series 8000, 7000AP and 7000 machines with both hardware and software. Triton's Jackson said a retrofit cost hadn't yet been determined, but that it would be "reasonable."

MasterCard's Jonak said the 2005 deadline gives ATM owners ample time to eliminate their oldest machines that are not capable of running Triple DES and reduce the number of machines that will require hardware upgrades.

But Henry Dorfman, vice president of the ATM Exchange, a Cincinnati-based refurb shop, said the pending requirements have already left some deployers in the lurch.

"I got a call from a guy last week who had just bought 15 Triton 9500s," he said. "He can't install them anywhere because they can't be upgraded to run Triple DES."

©2025 Networld Media Group, LLC. All rights reserved.