Despite the high volume of data and cash involved in operating ATMs, security is rarely an issue, thanks to secure procedures and encryption techniques.
January 7, 2002
ATM users place a great deal of trust in a system they know little about. They surrender personal banking information to a machine, and trust that the machine will accurately keep records of their activity.
With all the cash involved, ATMs have been an irresistible target for enterprising criminals, seeking easy marks by getting their hands on sensitive financial information transmitted with a swipe of the card.
Fortunately, experts say the security of an ATM network has never been breached or hacked into successfully. Wiretapping has worked on phone networks, but not ATMs. And in a day when the firewalls at Microsoft proved penetrable, that's pretty impressive.
Those in the industry say ATM networks are so well protected because of the established system of redundant security checks developed by banking networks. The networks audit any company granted access to their networks, and even those client companies perform regular self-audits. The resulting blend of human honesty and machine alacrity has, to date anyway, helped banks stay ahead of any dishonest parties attempting to tap into their networks.
"Being that we're affiliated with banks, we're also audited by the FDIC," said Brian Mecca, manager of data center operations at NYCE, a Woodcliff, N.J.-based processor. "They look at everything from physical security to data security. And we use a group to do self-audits every quarter just to make sure we're in compliance with our own standards."
Safety from the Beginning
To ensure that the conversion of a lease line terminal to dial-up goes safely, multiple security procedures are followed right at the terminal. First, segments of the code, or "master key," that will allow the ATM to operate online are issued to the two, and sometimes three, technicians on hand to install the modem. Each is given only a portion of the total key so that no one person ever has the entire key.
When the modem is installed and ready to contact the network for the first time, each technician takes a turn entering his portion of the key. The ATM then automatically encrypts the key under a complex algorithm called DES, short for Data Encryption Standard.
Today, Visa and MasterCard are leading an effort to increase the security level at this stage, because it has been proven that computers running through number combinations are capable of breaking DES. The new level of security is called Triple DES.
Danger from corrupt technicians is not a factor. If the technicians shared their parts of the code, they still couldn't crack the network. Once contacted by the ATM's new modem, the host recognizes the master key as one coming from a terminal requesting access to the network. The host is programmed to then generate and send back a new master key to which no human has access.
From that point, that ATM and that host will communicate only by exchange of that second master key until a new one is issued. The new key could be issued as soon as the next transaction.
Kent Phillips, director of business development at PSINet in Dallas, said such rapid reissue of keys is a recent innovation called dynamic key support. A few years ago, banking networks mandated regular key changes for both the host and the terminal.
"No one would know what the encryption keys -- the working keys -- are. It's a multiple encryption scheme they use," he said.
"These are sophisticated techniques that occur right in the terminal," said David Howe, senior vice president of ATM services division at Lynk Systems, Inc., a third-party processor based in Atlanta. "That encrypted number then becomes a component in the transaction format that is sent to us."
As the transaction moves throughout the network, it is decrypted and re-encrypted every time it comes to a router, switch or host, enabling each to determine, at light speed, the transaction's destination. Upon return from the ATM customer's bank, the message travels the same path, and through the same decryption-encryption cycles.
Under optimum conditions, the entire transaction is completed in a few seconds. During peak traffic loads, network processes can slow down slightly.
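The key-loading and re-keying steps described in this section, as an added example that is not from the article or from any vendor: it assumes the technicians' portions are XOR components of the initial key and that the host delivers the replacement key encrypted under that initial key, neither of which the article specifies. HMAC-SHA256 stands in for DES/Triple DES, which Python's standard library does not provide, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, holders: int) -> list:
    """Split key into XOR components; every one is needed to rebuild it."""
    parts = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    last = key
    for part in parts:
        last = xor(last, part)
    return parts + [last]


def combine(components: list) -> bytes:
    """Terminal side: fold in each component as a technician enters it."""
    key = bytes(len(components[0]))
    for part in components:
        key = xor(key, part)
    return key


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for DES/Triple DES (not in the stdlib).
    return hmac.new(key, label + data, hashlib.sha256).digest()


def wrap(current_key: bytes, new_key: bytes) -> bytes:
    """Host side: send a fresh key (up to 32 bytes) encrypted and tagged."""
    nonce = secrets.token_bytes(8)
    body = xor(new_key, _prf(current_key, b"enc", nonce))
    return nonce + body + _prf(current_key, b"mac", nonce + body)[:8]


def unwrap(current_key: bytes, blob: bytes) -> bytes:
    """Terminal side: verify the tag, then recover the replacement key."""
    nonce, body, tag = blob[:8], blob[8:-8], blob[-8:]
    expected = _prf(current_key, b"mac", nonce + body)[:8]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered key-exchange message")
    return xor(body, _prf(current_key, b"enc", nonce))
```

A terminal that has only some of the components rebuilds the wrong key, so `unwrap` rejects the host's message instead of yielding the new key.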
Out On the Line
In theory, one could say that a lease line network is more secure than its dial-up counterpart because it uses private rather than public lines. But that argument doesn't hold water, said Phillips.
"Someone will say that you can (hack into) anything if you put enough time into it," he said, adding that cracking the sophisticated ATM network would only be a first step, and that encryption changes provide a bigger hurdle for hackers. "There's nothing that's given up in terms of security in a typical ATM transaction, whether it's across a lease-line network or a dial-up network. The encryption is the same; it's very secure."
ATM networks using public lines typically acquire a VPN, or virtual private network, to move data. This is a portion of a public network cordoned off to create a private local-area network (LAN) dedicated to that banking network.
It's Safe Inside
Attempting to break into an ATM and steal its modem or computer circuitry is equally challenging, according to Bob Nemens, senior marketing manager for Diebold Global Marketing in Dayton, Ohio. In Diebold machines, he said, both are located inside the secure chest, and neither will work if removed improperly.
"The most important thing is the encryption, and that encryption is on the motherboard," said Nemens. "So nobody can actually hack into the unit and try to take that because it won't work. It's tamperproof."
Nemens said studies have shown ATMs are perceived as the most trusted way to obtain cash, even more than from humans. So the security risk, he added, isn't inside the machine. The larger risk to consumers is outside where hands and eyes have access to cash and information. Lynk's Howe agrees.
"There have been cases of 'shoulder surfers,' (criminals watching customers enter PIN numbers), and people taking pictures of that," said Howe. "(ATM crime) is usually much more low-tech than breaching encryption, and I've never heard of that happening."