Banks, retailers face costly ATM upgrade

A mandate by credit card companies and related funds-transfer networks to upgrade the security of electronic transactions will cost the banking and retail industries billions of dollars in hardware and software and require several years of intensive work to complete.

MasterCard International Inc., Visa U.S.A. Inc. and associated network providers have established deadlines starting in 2004 for converting electronic funds networks to the Triple Data Encryption Standard (DES). The DES cryptology algorithm currently in use has become vulnerable to attacks as a result of increases in computing power, those organizations say.

A Visa Canada Association spokesperson indicated there are no definitive timelines set in Canada. “We are ready to migrate to Triple DES and we will migrate at a pace that makes sense for the Canadian payment card market,” noted Terri Tweddle.

Beth Lynn, senior vice president of network administration at San Diego-based Star Systems Inc., the nation’s largest debit network, said it won’t be long before “it will become easy to buy a DES cracker and break those (encryption) keys.”

There have been no reports to date of DES-related break-ins. Instead, hackers have attempted to exploit other network weaknesses. “It’s a whole lot easier to find a Windows (or) Unix vulnerability,” said Ryan Kalember, a security expert at Guardent Inc. in Waltham, Mass.

In much the same way that Y2k upgrades helped push companies to take advantage of new Web-based technologies, the upgrade to Triple DES may help lay the foundation for new point-of-sale and ATM services, such as bill paying.

Bank One Corp. in Chicago, for instance, has decided to replace all 4,000 of its ATMs with Triple DES-compliant models over the next three years. That effort began in March and will cost at least US$150 million, according to a Bank One spokeswoman. In addition to being more secure, the new machines will be Web-enabled and ready to support a host of new features such as online bill payment, account aggregation and brokerage services.

DES is designed to protect personal identification numbers (PIN) entered at ATMs and point-of-sale devices, but using brute-force computing power in a process called an “exhaustion attack,” it’s possible to unscramble DES-protected information.

Led by MasterCard of Purchase, N.Y, the major electronic funds companies began seeking an industry conversion to Triple DES several years ago. But with the deadlines looming, banks and retailers are only beginning to deal with the costly conversion, and they’re now calling for deadline extensions.

Many of the United States’ 360,000 ATMs will have to be replaced to comply, as will some back-end systems. Many applications will have to be rewritten to handle Triple DES.

The total cost will be staggering. A new ATM can cost as much as $50,000; costs will range from $1,000 to $5,000 for ATMs that can be upgraded, according to financial industry analysts. Hardware security modules, which sit on transaction servers and process DES keys, can cost up to $50,000 each. (All figures US dollars.)

Kurt Helwig, executive director of the Electronic Funds Transfer Association in Washington, said the effort to replace or upgrade old systems will be huge, and financial firms are fuming.

“(Banks) feel they’re being asked to bear this burden on behalf of the industry, when it’s a problem that’s not such a grave threat,” said Helwig, whose organization has 600 members, including banks, ATM networks and technology vendors.

“Everyone is convinced that Triple DES is a good idea,” said Andi Coleman, Tandem security team leader at Charlotte, N.C.-based Bank of America Corp., who heads a special interest group on security for the ITUG HP NonStop user group. Coleman said she has no doubt that financial services companies will meet the requirements, but she’s concerned about whether ATMs widely deployed at retail establishments, which are operated by independent networks, will also comply. “If ever there is a weak link . . . it’s going to be there,” she said.

Star Systems, which is owned by Memphis-based Concord EFS Inc., completed a two-month Triple DES upgrade on its network switches about six months ago. Lynn said the effort was relatively simple and involved updating software on 30 host security modules — appliances that contain the keycodes for encrypting and decrypting PINs.

For banks and transaction processors, the Triple DES upgrades involve replacing ATM keyboards with keyboards that house an integrated circuit board that encrypts PINs before they’re sent to the machine’s internal processor. Currently, the PINs are transferred over a two-foot cable in the clear before being encrypted, said Jerry Silva, an analyst at TowerGroup in Needham, Mass. ATM processing software will also have to be upgraded.

Last December, NCR Corporation and TNS Smart Network Inc. announced the launch of Triple DES-compliant ATMs and ATM processing services for the Canadian self-service marketplace.

While NCR Canada recognizes that when adopted, these security standards will have an impact on the Canadian financial services market, it declined to comment on the specific costs as its ATM technology, software and services are but one aspect of the end-to-end operation of a financial self-service network.

The Canadian Bankers Association declined to comment on costs. A communications advisor reported that the banks are each working on their own regarding Triple DES.