|
|
|
|
Banks face cost of ATM upgrades12 April 2004
Original article copyright 2004, and can be found at Dominion Post New Zealand banks face a bill of a few million dollars upgrading their ATM machines over the next two or three years to meet security standards being imposed by Mastercard and Visa. Claire Shufflebotham, a security consultant with American technology giant NCR, says some ATMs have yet to be upgraded to read chip-based smartcards to meet a January 2006 target. Most ATMs also need new keypads called Encrypting Pin Pads (EPPs) to support a new encryption standard called Triple DES by a deadline of July 2007. There are nearly 2000 ATMs in New Zealand, most of which were built by NCR, Ms Shufflebotham says. So long as ATMs are less than 10 years old it is generally cheaper to upgrade rather than replace them, she says. New ATMs cost between US$5000 and $30,000. Banks can save on cost and time by doing both upgrades at once, and by taking the opportunity to carry out any other work on their machines at the same time, she says. ANZ has made good headway in understanding what needs to be done to its machines over the next 18 months so they may only need to take machines out of service once, she says. The security upgrades are an opportunity for banks to replace the software on older machines to support windows-like screen displays, she says, and some may want to consider fitting audio jacks to their machines. In Australia, a law has been passed requiring ATMs to have audio jacks so people with impaired eyesight can use them by issuing voice commands. ANZ New Zealand spokeswoman Cathy Wood says the bank doesn't intend to copy the move here at this stage, but it is watching the initiative. Visa and Mastercard are trying to ensure all ATMs and eftpos terminals in New Zealand are capable of reading EMV-compliant chip cards to eliminate a fraud known as "skimming". This involves fraudsters using hidden equipment rigged into eftpos terminals and ATMs to copy cardholders' information from stripe-based cards. Ms Shufflebotham says implementing Triple DES to replace less secure Single DES encryption involves replacing ATMs' existing keypads and inserting a "secure data signing system" underneath them. She says all ATMs shipped since January 2003 are Triple DES compliant, as should be all eftpos terminals installed since the beginning of the year. Some of the cost of upgrading older machines should be offset by the fact that, once installed, Triple DES lets banks update ATMs' master encryption keys remotely. Master encryption keys need to be changed to keep ATMs secure if they are moved or suffer a power outage and, till the advent of Triple DES, this has involved sending out two "trusted staff members" to physically perform the work, says Ms Shufflebotham. Even once ATMs are updated, the additional security provided by Triple DES and EMV cards won't come into play till chip-cards become widespread and Triple DES encryption software is turned on by the banks, she says. Banks should consider fitting basic physical devices to prevent skimming to shore up security in the interim, since organised crime gangs in Malaysia and eastern Europe are searching the world for soft targets as the security noose tightens, she says. Low-cost devices which can provide a temporary fix include a "jitter" card reader that moves bank cards sideways slightly as they are swiped to make it hard for skimming devices to read data off the card. Another is a simply piece of plastic which sits around the card reader to make skimming devices harder to put in. Ms Shufflebotham says banks need to ensure keypads themselves are secure. The technology exists for fraudsters to overlay a membrane over keypads that can reflect and record people's pin numbers, she says. The British Government recently signalled it will issue its citizens with chip-based ID cards and Ms Shufflebotham predicts the future of card payments globally will be for bank cards and ID cards to merge. Eftpos, credit card and ATM access would then be governed by an application residing on an EMV compliant chip in a government-issued ID smartcard. "At the end of the day, it's what I think the consumer would want." Original article copyright 2004, and can be found at Dominion Post |
|
Send mail to
webmaster with questions or comments about this web site.
|
