Monday, June 01, 2009

Triple DES Encryption

Overview:

The Data Encryption Standard (DES) was developed by an IBM team around 1974 and adopted as a national standard in 1977. Triple DES is a minor variation of this standard. It is three times slower than regular DES but can be billions of times more secure if used properly. Triple DES enjoys much wider use than DES because DES is so easy to break with today's rapidly advancing technology. In 1998 the Electronic Frontier Foundation, using a specially developed computer called the DES Cracker, managed to break DES in less than 3 days. And this was done for under $250,000. The encryption chip that powered the DES Cracker was capable of processing 88 billion keys per second. In addition, it has been shown that for a cost of one million dollars a dedicated hardware device can be built that can search all possible DES keys in about 3.5 hours. This just serves to illustrate that any organization with moderate resources can break through DES with very little effort these days. No sane security expert would consider using DES to protect data.
Triple DES was the answer to many of the shortcomings of DES. Since it is based on the DES algorithm, it is very easy to modify existing software to use Triple DES. It also has the advantage of proven reliability and a longer key length that eliminates many of the shortcut attacks that can be used to reduce the amount of time it takes to break DES. However, even this more powerful version of DES may not be strong enough to protect data for very much longer. The DES algorithm itself has become obsolete and is in need of replacement. To this end the National Institute of Standards and Technology (NIST) is holding a competition to develop the Advanced Encryption Standard (AES) as a replacement for DES. Triple DES has been endorsed by NIST as a temporary standard to be used until the AES is finished sometime in 2001.
The AES will be at least as strong as Triple DES and probably much faster. Many security systems will probably use both Triple DES and AES for at least the next five years. After that, AES may supplant Triple DES as the default algorithm on most systems if it lives up to its expectations. But Triple DES will be kept around for compatibility reasons for many years after that. So the useful lifetime of Triple DES is far from over, even with the AES near completion. For the foreseeable future Triple DES is an excellent and reliable choice for the security needs of highly sensitive information.
In Depth
Triple DES is simply another mode of DES operation. It takes three 64-bit keys, for an overall key length of 192 bits. In Private Encryptor, you simply type in the entire 192-bit (24 character) key rather than entering each of the three keys individually. The Triple DES DLL then breaks the user-provided key into three subkeys, padding the keys if necessary so they are each 64 bits long. The procedure for encryption is exactly the same as regular DES, but it is repeated three times, hence the name Triple DES. The data is encrypted with the first key, decrypted with the second key, and finally encrypted again with the third key.

Consequently, Triple DES runs three times slower than standard DES, but is much more secure if used properly. The procedure for decrypting something is the same as the procedure for encryption, except it is executed in reverse. Like DES, data is encrypted and decrypted in 64-bit chunks. Unfortunately, there are some weak keys that one should be aware of: if all three keys, the first and second keys, or the second and third keys are the same, then the encryption procedure is essentially the same as standard DES. This situation is to be avoided because it is the same as using a really slow version of regular DES.
Note that although the input key for DES is 64 bits long, the actual key used by DES is only 56 bits in length. The least significant (right-most) bit in each byte is a parity bit, and should be set so that there are always an odd number of 1s in every byte. These parity bits are ignored, so only the seven most significant bits of each byte are used, resulting in a key length of 56 bits. This means that the effective key strength for Triple DES is actually 168 bits because each of the three keys contains 8 parity bits that are not used during the encryption process.
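The key-handling rules above can be checked before a key is ever used. The following is an added example, not code from Private Encryptor or its DLL: it splits a 24-byte key into three subkeys, checks odd parity, and flags the subkey combinations that reduce Triple DES to single DES, comparing only the 56 bits DES actually uses. The function names and sample keys are constructed for illustration, and the example assumes short keys are rejected rather than padded, since the page does not specify the padding scheme.

```python
def split_3des_key(key: bytes):
    """Split a 24-byte Triple DES key into its three 8-byte DES subkeys."""
    if len(key) != 24:
        # Assumption of this example: reject short keys instead of padding them.
        raise ValueError("Triple DES key must be exactly 24 bytes (192 bits)")
    return key[0:8], key[8:16], key[16:24]


def has_odd_parity(key: bytes) -> bool:
    """True if every byte contains an odd number of 1 bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Rewrite the least significant bit of each byte so the byte has odd parity."""
    out = bytearray()
    for b in key:
        top7 = b & 0xFE  # the seven bits DES actually uses
        out.append(top7 if bin(top7).count("1") % 2 == 1 else top7 | 0x01)
    return bytes(out)


def effective_bits(subkey: bytes) -> bytes:
    """Drop the parity bit of each byte, leaving the 56 effective key bits."""
    return bytes(b & 0xFE for b in subkey)


def check_3des_key(key: bytes) -> dict:
    """Report parity status and the subkey repeats that collapse to single DES."""
    # Compare effective bits: subkeys differing only in parity bits are the same DES key.
    k1, k2, k3 = (effective_bits(k) for k in split_3des_key(key))
    problems = []
    if k1 == k2 == k3:
        problems.append("K1 == K2 == K3")
    elif k1 == k2:
        problems.append("K1 == K2")  # E(K3, D(K2, E(K1, x))) collapses to E(K3, x)
    elif k2 == k3:
        problems.append("K2 == K3")  # collapses to E(K1, x)
    return {
        "parity_ok": has_odd_parity(key),
        "problems": problems,
        "reduces_to_single_des": bool(problems),
    }


# Constructed sample subkeys (not real key material).
K_A = bytes.fromhex("0123456789abcdef")
K_B = bytes.fromhex("23456789abcdef01")
K_C = bytes.fromhex("456789abcdef0123")
GOOD_KEY = K_A + K_B + K_C
# Second subkey differs from the first only in the ignored parity bits.
PARITY_TWIN = K_A + bytes(b ^ 0x01 for b in K_A) + K_C

if __name__ == "__main__":
    for name, key in (("GOOD_KEY", GOOD_KEY), ("PARITY_TWIN", PARITY_TWIN)):
        print(name, check_3des_key(key))
```

A byte-for-byte comparison would accept `PARITY_TWIN` as three distinct subkeys; comparing the effective bits shows that its first two subkeys are the same DES key.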

UL 291 Security Standard

Most of the ATM machines you see in pubs, convenience stores, supermarkets, clubs and other retail locations come with one of two types of safes or security cabinets for securing money. One type of ATM safe is the Business Hours (BH) safe and the other the 24 Hours Level 1 safe. Both safes have to meet the UL 291 security standard designed by Underwriters Laboratories, an independent product-safety testing company. This standard requires that the ATM machine offer a degree of protection against unauthorized removal of currency and the removal or manipulation of transaction records. In other words, ATMs with either type of safe must withstand attacks from someone trying to rob money or change the transaction records. Both types of ATM safes have environmental and endurance requirements.

a) Business Hours ATM machine

An ATM machine with a Business Hours safe is designed to store cash only during business hours under the watchful eye of a responsible owner, manager, or employee. The money stored in this type of safe should be removed at the close of the business day. The metal of the Business Hours ATM machine can withstand a physical attack from a robber armed with wires, lines, chisels, pry bars, or wrenches for at least five minutes. This gives enough time for the store owner, manager, or employee to call the police. A business-hour ATM that meets the UL 291 standard usually weighs 125 kg.

b) 24 Hours Level 1 ATM machine

ATMs with Level 1 safes are designed for use 24 hours a day. They weigh around 250 kg and can hold cash unattended. The steel of the Level 1 safe can withstand physical pressure of 50,000 psi. This type of ATM is designed to withstand an attack, using fishing, trapping, and forcing techniques, on the currency container from the customer access panel for 30 minutes. Attacks on other portions of the safe, using picks and portable electric tools like drills and grinders, can be resisted by this type of safe for up to 15 minutes. All of our ATM models have the ATM safe separated from the customer access panel area, which is an extra security feature that makes ATM fraud and robbery that much more difficult.

c) Environmental requirements

All ATM machines have to withstand 85% humidity for 24 hours. This ensures that all ATMs maintain records and the quality of the currency in the cash dispenser.


ATM Security Tips

Because of the variety of ATMs, the unique characteristics of each installation, and crime considerations at each location, no single formula can guarantee the security of ATM customers. Therefore, it is necessary for ATM customers to consider the environment around each ATM and various procedures for remaining safe when using an ATM.
Criminals select their victims and targets, focusing on the unaware or unprepared. Criminals are also drawn to environmental conditions that enhance the opportunity to successfully complete their crime. The attitude and demeanor you convey can have a tremendous effect on potential assailants. There are a number of things you can do to increase your personal security and reduce your risk of becoming an ATM crime victim.

The following crime prevention tips can help make the use of ATMs safer for everyone.

  • Walk purposefully and with confidence. Give the appearance that you are totally aware of your surroundings
  • Be aware of your total environment and what is going on around you. Criminals tend to avoid people who have this type of demeanor
  • Perform mental exercises and think out what you would do in different crime or personal security situations
  • Follow your instincts. If you feel you are in danger, respond immediately. Remember that your personal safety is the first priority

ATM Selection Considerations

The law sets minimum standards for ATM lighting and procedures for evaluating the safety of ATMs, and requires notices to ATM users outlining basic safety precautions for using ATMs. Although ATM environmental design issues are covered in the law, there are other considerations that an ATM customer needs to weigh prior to selecting and using an ATM. For example:
  • Do not select an ATM at the corner of a building. Corners create a blind area in close proximity to the customer's transaction. Select an ATM located near the center of a building. An ATM further from the corner reduces the element of surprise by an assailant and increases effective reaction time by the user
  • Identify an ATM with maximum natural surveillance and visibility from the surrounding area. This will create a perceived notion of detection by a criminal and increase the potential for witnesses
  • Select an ATM at a location void of barriers blocking the line of sight of the ATM. This includes shrubbery, landscaping, signs and decorative partitions or dividers. Barriers provide hiding areas for would-be assailants
  • Select an ATM that is in a well-lighted location
  • Whenever possible, select an ATM that is monitored or patrolled by a security officer
  • Select an ATM with a wide-angle transaction camera and/or a continuous transaction surveillance camera. Consult the bank or location management for this information
  • Solicit prior criminal activity statistics from law enforcement for the ATM site and surrounding neighborhood
  • Avoid ATM locations with large perimeter parking lots and numerous ingress and egress points

Considerations Prior To and During Transactions

  • Always watch for suspicious persons or activity around an ATM. Be aware of anyone sitting in a parked car in close proximity to or at a distance from the ATM location
  • If you notice anything strange, leave and return some other time. Even if you have already started a transaction, cancel it and leave.
  • Maintain a small supply of deposit envelopes at home, in your car or office. Prepare all transaction paperwork prior to your arrival at the ATM site. This will minimize the amount of time spent at the ATM
  • Maintain an awareness of your surroundings throughout the entire transaction. Do not become so involved with your transaction that you are not aware of changing conditions in the area
  • Do not wear expensive jewelry or take other valuables to the ATM. This is an added incentive to an assailant
  • If you get cash, put it away immediately. Do not stand at the ATM and count it
  • Never accept offers of assistance with the ATM from strangers; ask the bank for help
  • Never lend your ATM card to anyone; treat it as if it were cash or a credit card
  • If you use a drive-up ATM, ascertain your vehicle doors and windows are locked
  • During evening hours consider taking a companion along, park close to the ATM in a well lighted area and lock your car. If the lights around the ATM are not working properly, do not use it
  • When leaving an ATM location make sure you are not being followed. If you are being followed, drive immediately to a police, sheriff or fire station, crowded area, well-lighted location or open business. Flash your lights and sound your horn to bring attention to your situation
  • If you are involved in a confrontation and the attacker is armed with a weapon and demands your money or valuables, GIVE IT TO THE SUSPECT. Do not resist; property may be recovered later or replaced

Fraud Considerations

  • Memorize your Personal Identification Number (PIN). Do not write it down or keep it in your wallet or purse. Do not tell ANYONE else your PIN (including bank employees, the police, etc.)
  • Shield the ATM keypad from anyone who may be standing or parked nearby or anyone crowding you in an attempt to view your PIN and/or transaction. Use your body as a shield if necessary while you enter your access code
  • Make sure you retain your transaction receipt. Do not throw the receipt away at the ATM site
  • Immediately report any stolen or lost ATM card to the proper entities

"World ATM Markets" Research Overview

Research Overview

The Frost & Sullivan research service titled "World ATM Markets" provides an analysis of the current scenario in all the main geographic regions of the world, the drivers and restraints that could impact the market in the future, and market shares of global manufacturers in all geographic regions. Expansive ATM terminal forecasts are provided for various geographic regions to address the growth potential and enable participants to tap emerging opportunities of this market. This analysis is available through our Enterprise Communications Growth Partnership Services program. With this program, clients receive industry-leading market research such as this, along with technical and econometric data as well as many interactive features including Analyst Inquiry Time and Client Councils.

Benefits of this Service

Market Situation Analysis and Forecasts for the Total ATM Market Provide a Comprehensive Insight into the Market
A detailed analysis provides a comprehensive insight for the market participants on the current market scenario, market trends, and revenue forecasts of the world ATM markets.

Competitive Scenario and Market Share Analysis Provide Market Positions of Global Leader

Market share analysis of major ATM manufacturers is provided for the various geographic regions of North America, EMEA, Latin America, and Asia Pacific to provide competitive ranking of the major participants of the market.

Market Situation Analysis for the ATM Market of the Various Geographic Regions Gives a Truly Global Perspective

Analysis on market situation, drivers, and restraints are provided for the various geographic segments such as North America, EMEA, Latin America, and Asia Pacific. The forecasts for the ATM markets, on-premise ATM market, and off-premise market for these regions help in the identification of regions with high growth potential.
Expansive Forecasts for the On-Premise ATM Market Provide a Deep Insight on the Future Growth Potential
This research service analyses the growth rate of the on-premise ATM market during the current year and forecast period of 2005 to 2010 for the various global regions such as North America, EMEA, Latin America, and Asia Pacific.
Expansive Forecasts for the off-Premise ATM Market Provide a Deep Insight on the Future Growth Potential.
This research service analyses the growth rate of the off-premise ATM market during the current year and forecast period of 2005 to 2010 for the various global regions such as North America, EMEA, Latin America, and Asia Pacific
Market Sectors
Expert Frost & Sullivan analysts thoroughly examine the following market sectors in this research:

- Total ATM market worldwide
- On-Premise ATM market forecasts
- Off-Premise ATM market forecasts
- Stand alone ATM market forecasts
- Through-the-wall ATM market
Technologies
The following technology is covered in this research:

- Automatic Teller Machine (ATM): An ATM is an unattended electronic machine in a public place, connected to a data system and related equipment. ATMs are activated by inserting a cash or credit card that contains the user's account number and personal identification number (PIN) on a magnetic stripe. The PIN is entered through an encrypted keypad to prevent unauthorized transactions. The ATM calls up the bank's computers to verify the balance, dispenses the cash, and then transmits a completed transaction notice. Besides this, most machines can also accept deposits, transfer funds, and provide information on account balances.

Market Overview

Decreasing Transaction Volumes and Profit Margins Cause Concerns
The automated teller machine (ATM) with its cash anytime anywhere facility has revolutionized banking in the last two decades. However, in mature markets such as North America and the United Kingdom, technological advances notwithstanding, cash withdrawals continue to account for 80 percent of all ATM transactions. Manufacturers are facing lower transaction volumes per ATM compelling off-premise and financial institution ATM deployers to reconsider the economics and profitability of their estates.
In the last few years, a majority of the basic cash dispensing ATMs have transformed into customer relationship management (CRM) devices, says the analyst of this research service. They offer customized services based on insight into the behavioral pattern of each individual user. These new services could drive revenues, as they facilitate up-sell of both financial offerings such as loans and investments, and non-financial services such as coupons and gift certificates. There could be further increase in the use of the ATM through cell phone top-ups, ring tones, and other prepaid services. ATM manufacturers are continuously developing new products with a whole suite of services including Internet banking, advertising, and couponing to remain competitive.

Focus on India and China for New Revenue and Market Share Opportunities

The ATM industry will concentrate on offering technologically advanced products to emerging markets such as China and India to increase profitability in the long run, states the analyst. With banks and financial institutions in these fast-developing markets building up their customer service offerings, the ATM industry can expect exceptional growth. Both state and privately owned banks are investing in machines with the latest technologies, as ATMs become an increasingly important component of the distribution channel.
Vendors are focusing on manufacturing ATMs in these regions in order to maximize customer service, address cost concerns and gain a superior understanding of the local market dynamics. For instance, the NCR Corporation has production facilities both in China and India, where it feels there is huge potential to be tapped. China has an installed base of over 60,000 ATMs, with rising demand from the country's state-run banks. Although India's installed ATM base is smaller, it is growing at a phenomenal rate of over 100 percent every year. However, the biggest challenge for market participants is mainly that of back-end and multichannel integration.


China ATM (Automatic Teller Machine) Market Report, 2008-2009


ATMs have developed rapidly since the Bank of China installed the first machines in 1987. According to the Payment System Operation Overview, Q3 2008 by the People’s Bank of China, the number of networked ATMs totaled 158,000 by Sep, 2008, and the figure is expected to rise to 167,000 by the end of 2008, and the total of retained ATMs in the market will reach as many as 172,000.

[Figure: Total of Retained ATM and Its Growth in China Market 2003-2008 (Unit: 10,000). Source: Unipay]

Due to their wide branch distribution, considerable client scale and huge capital, the banks ICBC, ABC, BC, CCB, BCM and PSBC together held 85% of the ATM market in China. In particular, BCM and ICBC had 26,135 ATMs and 26,014 ATMs respectively in the middle of 2008.

Compared to countries like Germany, U.S.A and South Korea, ATMs per capita in China still lag far behind, so the market has great potential for growth. The regional distribution of ATMs in China is uneven: the 18 cities and regions including Guangdong Province (excluding Shenzhen), Shanghai, Beijing, Zhejiang Province, Shenzhen and Tianjin etc. together have a total of 61,200 ATMs. In addition, the cities and regions that have over 5,000 ATMs are Guangdong (excluding Shenzhen), Jiangsu province, Zhejiang province and Shanghai.

Foreign products still dominate the Chinese market. The foreign ATM suppliers are mainly NCR, Diebold, Wincor Nixdorf, Hitachi, Fujitsu and Hyosung, among which NCR, Diebold, and Wincor Nixdorf enjoyed more market benefit. The domestic ATM suppliers are mainly GRGBanking, Eastcom, kingTeller, Shenzhen Xingdatong, Digital China and Shenzhen Chentong, among which GRGBanking enjoyed the greatest market benefit.

Banking security

Authentication methods:

* smart card, token
* second password requirement
* two-factor authentication
* risk-based authentication (monitoring software)

All banks should be better protected against fraud and identity theft. Financial institutions – brokerages, banks, credit unions – must add an extra layer of security for high-risk transactions, such as account access and money transfers. A simple name and password combination will no longer be sufficient for most types of transactions.

The Federal Financial Institutions Examination Council (FFIEC) is an organization of five financial industry enforcement agencies:

* the Board of Governors of the Federal Reserve System
* the Federal Deposit Insurance Corporation
* the National Credit Union Administration
* the Office of the Comptroller of the Currency
* the Office of Thrift Supervision

The rules are leading to a scramble by banks to purchase security technology. It has also resulted in a surge of sales in identity and access management compliance products. IDC estimates the market shot up 78% in 2006, worldwide, with about half of that growth in the U.S. market.

The FFIEC recommended that two-factor authentication be used for all online banking, in your case, for making payments. If you're not with a bank, two-factor authentication is still a possible option for protecting online commerce, like your business.

Two-factor authentication:

There are three authentication factors: something you know, something you have and something you are. A user ID and password are examples of something you know. A one-time password (OTP) token or smart card is an example of something you have. Your fingerprint, voice or facial pattern is something you are. Combining two of these methods is called two-factor authentication.

The idea behind two-factor authentication is defense-in-depth. If one factor is breached, the other can still block malicious access.

For Web sites, two-factor authentication can mean customer-issued OTP tokens, or even simple biometric tokens connected to PCs by USB ports. The biometric tokens, which resemble OTP tokens in size and appearance, check the user's fingerprint.

Kind of extra security:

Banks may turn to hardware-based authentication, such as a smart card or token that can be plugged into the user's USB port. But that is a high-cost, high-maintenance option best suited for high-end customers.

At the lowest-cost end of the spectrum, banks might try to add a second password requirement. But that won't satisfy the FFIEC guidance, according to experts.

Also banks may use software programs that monitor user behavior and compare it to a profile of past behavior to look for anomalies. Such risk-based monitoring tools watch things such as the type of computer normally used, the user's IP address, typical account activities, etc. Only if a user does something odd does the system ask for additional authentication.
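A small sketch of the risk-based monitoring described above, as an added example that is not taken from any bank's or vendor's product: it builds a profile from a user's past activity (devices, IP networks, transfer amounts) and asks for additional authentication only when a new event departs from it. The field names, the /24 network grouping, the three-standard-deviation amount limit and the sample events are all assumptions made for illustration.

```python
import ipaddress
from statistics import mean, pstdev

# Constructed activity history for one user (hypothetical field names).
HISTORY = [
    {"device": "home-pc", "ip": "203.0.113.10", "amount": 120.0},
    {"device": "home-pc", "ip": "203.0.113.24", "amount": 80.0},
    {"device": "work-laptop", "ip": "192.0.2.45", "amount": 100.0},
    {"device": "home-pc", "ip": "203.0.113.10", "amount": 100.0},
]


def build_profile(history):
    """Summarise past behaviour: known devices, known /24 networks, amount statistics."""
    amounts = [e["amount"] for e in history]
    return {
        "devices": {e["device"] for e in history},
        "networks": {
            ipaddress.ip_network(e["ip"] + "/24", strict=False) for e in history
        },
        "amount_mean": mean(amounts),
        "amount_std": pstdev(amounts),
    }


def assess(profile, event, z_limit=3.0):
    """Compare one event with the profile and decide whether to step up authentication."""
    signals = []
    if event["device"] not in profile["devices"]:
        signals.append("new_device")
    addr = ipaddress.ip_address(event["ip"])
    if not any(addr in net for net in profile["networks"]):
        signals.append("new_network")
    # Flag amounts well above what this user normally moves.
    limit = profile["amount_mean"] + z_limit * profile["amount_std"]
    if event["amount"] > limit:
        signals.append("unusual_amount")
    # Only anomalous behaviour triggers the request for a second factor.
    return {"signals": signals, "step_up": bool(signals)}


# Constructed events to evaluate against the profile.
FAMILIAR = {"device": "home-pc", "ip": "203.0.113.77", "amount": 130.0}
ODD = {"device": "unknown-device", "ip": "198.51.100.5", "amount": 5000.0}

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    print("familiar:", assess(profile, FAMILIAR))
    print("odd:", assess(profile, ODD))
```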