Banks opt for cheap EFTPOS alternative

The upgrading of Australia’s EFTPOS (Electronic Funds Transfer at Point of Sale) network to triple DES (data encryption standard) has been labelled a cheap alternative to securing online transactions because IT executives are afraid to ask for the cash required to address real threats that are set to emerge in the next five years, according to Key2IT Pty. Ltd. Chief Technology Officer, Lyal Collins.

By 2005 when Australia’s 400,000 EFTPOS terminals are upgraded to the new encryption standards-from a single-length key to a double-length key-Collins said the terminals will be 10 years old.

“It is a minimum of A$200 million (CDN$176.5 million) to replace these terminals, but IT professionals in the banking industry are afraid to approach the board for money on these sorts of projects so they just go for the easy option; that is they will simply do a cheaper upgrade,” he said.

“The board is not going to invest hundreds of millions of dollars if it doesn’t guarantee increased revenue so they will just upgrade encryption without replacing the terminals.”

As a former Commonwealth Bank IT employee and communications specialist with the Department of Foreign Affairs and Trade, Collins said Australia is out of step with the rest of the world despite a mandate from MasterCard for Australian financial and retail institutions to have secure links in place as part of the network upgrade by March 31, 2003.

As reported last week in Computerworld, the EFTPOS network is upgrading to triple DES because the current single-length key encryption can be cracked by brute force in 14 hours. A real-time attack is likely within four years.

“Payments and business support by banks is in the 1980s mindset, so profitability and hence the economy suffer a greater burden than it otherwise would due to the higher cost of back office support and cash flow management in retailers and their supply chain,” Collins said.