Security Watch

Many Banks Reduce ATM Security

A customer convenience is making it easier for criminals to forge ATM cards.

Privacy
According to a report from Gartner, banks are not using an important security check when verifying ATM cards. As a result, criminals are finding it easier to forge ATM cards. That security check could ensure that the card being used to withdraw money via an ATM is actually the card the bank itself issued to that customer.

Many banks no longer use the check, as part of a tradeoff to allow users to change their PIN without having to go to the bank.

It seems clear that we have all kinds of problems in this space, and the solution should be to move to smart cards, not to change the way we deal with ATM cards. While smart cards are expensive and wouldn't thwart all attacks, they're a much better alternative to the current system, which contains multiple vulnerabilities such as insecure point-of-sale machines, rogue ATMs, and rogue ATM networks. One way to eliminate these vulnerabilities is to move the encryption from the system to the card. But will it be done before public trust and confidence in our current systems is lost?
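To make the column's point concrete, here is an added illustrative model (not Gartner's report, and not any bank's actual scheme) of an issuer-side card authenticity check and of what happens when the host stops performing it. The check is assumed to be a truncated HMAC over the stripe data, keyed with an issuer secret the card producer wrote to the stripe; the PIN store, key, PAN and PIN values are constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed secrets for the example; a real issuer keeps such keys in an HSM.
ISSUER_CARD_KEY = b"constructed-issuer-card-key"
# Simplified host PIN store: PAN -> SHA-256 of "PAN:PIN" (real PIN checks use
# encrypted PIN blocks and an HSM; this only stands in for "the host knows the PIN").
PIN_STORE = {"4000123412341234": hashlib.sha256(b"4000123412341234:1234").hexdigest()}

@dataclass
class Track:
    """Fields an ATM reads from the magnetic stripe (simplified)."""
    pan: str
    expiry: str
    cvv: str  # assumed: card verification value the issuer writes at card production

def card_value(pan: str, expiry: str) -> str:
    """Assumed scheme: truncated HMAC over the stripe data, keyed by the issuer."""
    mac = hmac.new(ISSUER_CARD_KEY, f"{pan}|{expiry}".encode(), hashlib.sha256)
    return mac.hexdigest()[:6]

def issue_card(pan: str, expiry: str) -> Track:
    """Produce a genuine card: only the issuer, holding the key, can compute cvv."""
    return Track(pan, expiry, card_value(pan, expiry))

def pin_ok(pan: str, pin: str) -> bool:
    digest = hashlib.sha256(f"{pan}:{pin}".encode()).hexdigest()
    return hmac.compare_digest(PIN_STORE.get(pan, ""), digest)

def authorize(track: Track, pin: str, verify_card: bool) -> str:
    """Host authorization. verify_card=False models a bank that has dropped the check."""
    if not pin_ok(track.pan, pin):
        return "declined: PIN"
    expected = card_value(track.pan, track.expiry)
    if verify_card and not hmac.compare_digest(expected, track.cvv):
        return "declined: card not issued by bank"
    return "approved"

# A genuine card, and a copy built from PAN, expiry and PIN alone. Without the
# issuer key the copy's stripe carries a value the issuer never produced, so
# only a host that still performs the check can tell the two apart.
GENUINE = issue_card("4000123412341234", "0812")
COPY = Track("4000123412341234", "0812", "000000")
```

With `verify_card=True` the copy is declined even though its PIN is correct; with `verify_card=False` the host approves it exactly as it would the genuine card.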

Governance
The U.K. Association of Chief Police Officers, when it submitted a laundry list of changes to the counter-terrorism legislation presented within the Regulation of Investigatory Powers Act, proposed making it an offense to withhold an encryption key. The Association is also looking to gain authority to actually attack Web sites that promote terrorism or other undesirable acts. They weren't specific as to how they would attack such sites, or even how they would qualify a site's intent.

This column was originally published in our weekly Security Watch newsletter.

If it's criminal to withhold a decryption key, what happens when encrypted data is stored on a corporate system but the key has never been in the corporation's possession? Would it become criminal to store encrypted data for which you don't hold the key? What about keys that expire? How do you decrypt data with a key that no longer holds any validity for the applications that might allow its use?

Along with those problems is the idea of sanctioning attacks against cyber resources. While the concept of cyber-warfare is nothing new, granting that permission to police, rather than keeping it in the realm of warfare combatants, is a bad idea. What about jurisdiction? How would law enforcement ensure it was only harming the intended site, and not, for example, taking out the link to the site and its hosting facility?

It seems that these ideas haven't been well thought out. What are they thinking?

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
