[16965] in cryptography@c2.net mail archive
Re: ATM machine security
daemon@ATHENA.MIT.EDU (Anne & Lynn Wheeler)
Thu Mar 3 14:29:45 2005
X-Original-To: cryptography@metzdowd.com
Date: Tue, 22 Feb 2005 10:00:35 -0700
From: Anne & Lynn Wheeler <lynn@garlic.com>
To: Lee Parkes <leep@bogus.net>
Cc: cryptography@metzdowd.com
In-Reply-To: <20050217085857.GF8253@blackfell.bogus.net>
Lee Parkes wrote:
> Hi,
> I'm working on a project that requires a benchmark against which to judge
> various suppliers. The closest that has similar requirements is the ATM
> industry. To this end I'm looking for any papers, specifications or published
> attacks against ATM machines and their infrastructure. I'm also looking for what
> type of networks they use and the crypto they use to protect comms.
> Also any standards would be good that the ATM industry has to adhere to.

messages/networks tend to be some flavor of iso8583 (used for both
credit and debit). most associations have requirement for DUKPT (derived
unique key per transaction) DES and transition to 3DES.

do search engine some flavor of 8583, dukpt, and/or x9 (x9 is the
us/ansi financial standards organization ... they have some recognition
at places like NIST where they've gotten around to saying that they no
longer have to rewrite X9 crypto standards for FIPS ... but can directly
reference the X9 documents).

lots of the attacks aren't directly on the ATM machines ... but on the
cards used at ATM machines ... aka skimming attacks. there is the stuff
about overlays on the front of ATM machines to capture information as
the card passes thru for valid transactions. the captured information is
then used to manufacture counterfeit cards (i think there was even a
scene on this on one of last season's CSI tv shows).