ATM machine security
Anne & Lynn Wheeler
lynn at garlic.com
Tue Feb 22 12:00:35 EST 2005
Lee Parkes wrote:
> Hi,
> I'm working on a project that requires a benchmark against which to judge
> various suppliers. The closest that has similar requirements is the ATM
> industry. To this end I'm looking for any papers, specifications or published
> attacks against ATM machines and their infrastructure. I'm also looking for what
> type of networks they use and the crypto they use to protect comms.
> Also any standards would be good that the ATM industry has to adhere to.

messages/networks tend to be some flavor of iso8583 (used for both
credit and debit). most associations have requirement for DUKPT (derived
unique key per transaction) DES and transition to 3DES.

do search engine some flavor of 8583, dukpt, and/or x9 (x9 is the
us/ansi financial standards organization ... they have some recognition
at places like NIST where they've gotten around to saying that they no
longer have to rewrite X9 crypto standards for FIPS ... but can directly
reference the X9 documents).

lots of the attacks aren't directly on the ATM machines ... but on the
cards used at ATM machines ... aka skimming attacks. there is the stuff
about overlays on the front of ATM machines to capture information as
the card passes thru for valid transactions. the captured information is
then used to manufacture counterfeit cards (i think there was even a
scene on this on one of last season's CSI tv shows).

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com