Many Banks Reduce ATM Security
A customer convenience is making it easier for criminals to forge ATM cards.
According to a report from Gartner, banks are not using an important
security check when verifying ATM cards, and as a result criminals are finding
it easier to forge them. That check could ensure that the card being used to
withdraw money at an ATM is actually the card the bank itself issued to that
customer.
Many banks no longer use the check, as part of a tradeoff to allow users to
change their PIN without having to go to the bank.
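The column does not name the check or say how it is computed. The following is an added example, not code from the column or from Gartner's report: it models the check as an issuer-keyed MAC over the card's static stripe fields, and adds a "PIN-bound" variant (an assumption, used only to illustrate the tradeoff) in which the value also covers the customer's PIN offset and so must be re-encoded on the card whenever the PIN changes. The field names, key, card data and PIN offsets are all constructed; PIN entry and balance checks are out of scope.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional

# Constructed issuer key. A real issuer keeps it in an HSM; it never reaches the card or the ATM.
ISSUER_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


@dataclass(frozen=True)
class Stripe:
    """Fields the ATM reads off the magnetic stripe (the field set is an assumption)."""
    pan: str
    expiry: str        # YYMM
    service_code: str
    cvv: str           # issuer check value; blank on a card a forger built without the key


def check_value(key: bytes, pan: str, expiry: str, service_code: str,
                pin_offset: Optional[str] = None) -> str:
    """Keyed MAC over the card's fields. A real stripe holds only a few digits of it;
    four bytes are kept here. Passing pin_offset binds the PIN into the value, which
    models a check that must be re-encoded on the card whenever the PIN changes."""
    msg = f"{pan}|{expiry}|{service_code}"
    if pin_offset is not None:
        msg += f"|{pin_offset}"
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()[:4].hex()


def issue_card(key: bytes, pan: str, expiry: str, service_code: str,
               pin_offset: str, pin_bound: bool) -> Stripe:
    """Encode a genuine card; pin_bound selects the PIN-dependent flavour of the check."""
    cvv = check_value(key, pan, expiry, service_code, pin_offset if pin_bound else None)
    return Stripe(pan, expiry, service_code, cvv)


def authorize(key: bytes, stripe: Stripe, host_pin_offset: str,
              verify_cvv: bool, pin_bound: bool) -> bool:
    """Issuer-side decision: is the presented stripe one the bank wrote?
    host_pin_offset is the offset currently on file for this PAN; a PIN change
    made at an ATM updates it without touching the plastic."""
    if not verify_cvv:          # the shortcut the column describes
        return True
    expected = check_value(key, stripe.pan, stripe.expiry, stripe.service_code,
                           host_pin_offset if pin_bound else None)
    return hmac.compare_digest(expected, stripe.cvv)


def forge_from_leaked_data(genuine: Stripe) -> Stripe:
    """Attacker knows PAN, expiry and service code (and the PIN, obtained elsewhere)
    but not ISSUER_KEY, so the check value cannot be computed and is left blank."""
    return replace(genuine, cvv="")


def run_scenarios() -> Dict[str, bool]:
    """Constructed walk-through; returns the authorization outcome of each case."""
    pan, expiry, svc, offset = "4111111111111111", "0912", "101", "5588"
    genuine_bound = issue_card(ISSUER_KEY, pan, expiry, svc, offset, pin_bound=True)
    genuine_static = issue_card(ISSUER_KEY, pan, expiry, svc, offset, pin_bound=False)
    forged = forge_from_leaked_data(genuine_bound)
    new_offset = "7712"   # customer changed the PIN at an ATM; only the host record moved
    return {
        "genuine": authorize(ISSUER_KEY, genuine_bound, offset, True, True),
        "forged_checked": authorize(ISSUER_KEY, forged, offset, True, True),
        "forged_unchecked": authorize(ISSUER_KEY, forged, offset, False, True),
        # PIN-bound check: the genuine card is now declined unless re-encoded at a branch,
        # which is the pressure that leads a bank to stop checking altogether.
        "pin_changed_bound": authorize(ISSUER_KEY, genuine_bound, new_offset, True, True),
        # Check over static data only: the PIN change does not disturb it.
        "pin_changed_static": authorize(ISSUER_KEY, genuine_static, new_offset, True, False),
    }


if __name__ == "__main__":
    for case, ok in run_scenarios().items():
        print(f"{case:20s} {'APPROVED' if ok else 'DECLINED'}")
```

The forged card is declined only while the issuer actually compares the value; switching the check off makes a card built from leaked account data indistinguishable from the bank's own. The two PIN-change cases show the assumed mechanism behind the tradeoff: a check that covers the PIN breaks the moment the PIN is changed away from the branch, whereas one computed over static card data alone survives it.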
It seems clear that we have all kinds of problems in this space, and the solution
should be to move to smart cards, not to change the way we deal with ATM cards.
While smart cards are expensive and wouldn't thwart every attack, they are a much
better alternative to the current system, which contains multiple vulnerabilities
such as insecure point-of-sale machines, rogue ATMs, and rogue ATM networks.
One way to eliminate these vulnerabilities is to move the cryptography from the
system to the card, so that the card itself proves it is genuine instead of relying
on stripe data that any reader can copy. But will it be done before public trust
and confidence in our current systems is lost?
The U.K. Association of Chief Police Officers, when it submitted a laundry
list of changes to the counter-terrorism provisions presented within the Regulation
of Investigatory Powers Act, proposed making it an offense to withhold an encryption
key. The Association is also looking to gain authority to actually attack Web
sites that promote terrorism or other undesirable acts. They weren't specific
as to how they would attack such sites, or even how they would qualify the site's
This column was originally published in our weekly Security Watch newsletter.
If it's criminal to withhold a decryption key, what happens when encrypted
data is stored on a corporate system but the key has never been in the
corporation's possession? Would it become criminal to store encrypted data
for which you don't have the key? What about keys that expire? How do you
decrypt data with a key that the applications which would use it no longer
accept as valid?
Along with those problems is the idea of sanctioning attacks against cyber
resources. While the concept of cyber-warfare is nothing new, granting that
permission to police rather than keeping it in the realm of military combatants
is a bad idea. What about jurisdiction? How would law enforcement ensure it was
harming only the intended site, and not, for example, taking out the link to the
site and, with it, its hosting facility?
It seems that these ideas haven't been well thought out. What are they thinking?
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.