Today, no one questions the integrity of the ATM system. As far as most people are concerned, there are many ways to have one’s identity and information stolen, but ATMs are relatively secure places to input sensitive information. However, this was not always the case. Previous generations of ATM machines did not have all the security features that are considered standard on ATMs around the world today. One of these security features is called Triple DES.
Triple Data Encryption Standard (TDES), also known as TDEA (Triple Des Encryption Algorithm) is the encryption standard set by the National Bureau of Standards and released in the Federal Information Processing Standards Publication 46-3.
The following procedures were defined by this standard:
Key Components must be stored in a secure device (such as a safe or tamper-evident locking box) within a controlled environment.
Key components must be kept secret during the key loading process.
Key components must be shipped in a tamper-evident container.
ATMs must be inspected for tampering prior to loading key components.
If keys and/or terminal show signs of tampering, proper escalation procedures must be followed.
Internal key loading procedures must be followed.
Keys must be entered into the terminal using dual control (two people) split knowledge. Each key component must be loaded by a separate component holder, and bound together by the ATM device. Each key component must be properly destroyed (by custodian) immediately after key entry.
Triple DES protection involves a special kind of encryption software. One of the most convenient things about an ATM is also one of the most dangerous in terms of identity and information theft. To connect to the bank’s server, the ATM needs to connect to a secured Internet network. When the ATM dials into the network, the system is vulnerable to attacks from the outside. To avoid this problem, banks and security companies developed firmware (a physically secure type of keypad) and software (an encryption program) that work in conjunction to ensure that an individual’s Personal Identification Number, also called a PIN, cannot be stolen during the transaction.
Some older ATM machines are not Triple DES-compliant. TDES utilizes 32-byte keys, DES utilized 16-byte keys. This means that they do not have the specialized software and keypad necessary to protect the individual’s PIN number effectively. This kind of ATM should be upgraded, if possible. If it is not possible, then the ATM should no longer be in use. ATM upgrades can be expensive, so if you are interested in buying an ATM for use in your business, you should ensure that the machine you are purchasing is Triple DES compliant. If it is not, the machine must be upgraded, or it cannot be used.
Many jurisdictions within the United States have required Triple DES protocols as mandatory on all ATMs to protect the individual against identity theft. Some non-bank ATM distributors will take advantage of people’s ignorance on the subject of security laws, however, and sell non-Triple-DES compliant machines for very cheap to get rid of ATMs that have not been upgraded to the Triple DES system.