An informal survey of the Australian financial industry has revealed an alarming lack of interest in implementing the new Triple Data Encryption Standard (Triple DES) for Automated Teller Machines (ATMs).
Triple DES is a new standard for ATM security designed to eliminate the possibility of a consumer's PIN being hacked or compromised. The data or PIN is encrypted with the first key, decrypted with the second key, and finally encrypted again with the third key -- hence the name Triple DES.
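The encrypt-decrypt-encrypt (EDE) construction described above, as an added example that is not part of the original article and not NCR's or any bank's code. It builds Triple DES from three single-DES operations using Go's standard `crypto/des` package, checks the result against the library's own `NewTripleDESCipher`, and shows why the middle step is a decryption: when all three keys are equal, EDE collapses to plain single DES, which is what let Triple DES PIN pads stay compatible with older hosts. The keys and the 8-byte PIN block are constructed sample values, not real ATM keys.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// Constructed sample keys (8 bytes each, parity bits ignored) and a sample
// 8-byte PIN block. These are illustrative values only.
var (
	sampleK1    = []byte("\x01\x23\x45\x67\x89\xab\xcd\xef")
	sampleK2    = []byte("\xfe\xdc\xba\x98\x76\x54\x32\x10")
	sampleK3    = []byte("\x0f\x1e\x2d\x3c\x4b\x5a\x69\x78")
	samplePIN   = []byte("PINBLOCK") // exactly one DES block
)

// edeBlock computes E_k3(D_k2(E_k1(plain))) for a single 8-byte block,
// using three independent single-DES ciphers so the EDE structure is visible.
func edeBlock(k1, k2, k3, plain []byte) ([]byte, error) {
	c1, err := des.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	c2, err := des.NewCipher(k2)
	if err != nil {
		return nil, err
	}
	c3, err := des.NewCipher(k3)
	if err != nil {
		return nil, err
	}
	step1 := make([]byte, des.BlockSize)
	step2 := make([]byte, des.BlockSize)
	step3 := make([]byte, des.BlockSize)
	c1.Encrypt(step1, plain) // encrypt with key 1
	c2.Decrypt(step2, step1) // decrypt with key 2
	c3.Encrypt(step3, step2) // encrypt with key 3
	return step3, nil
}

// libraryTripleDESBlock uses the standard library's 3DES (24-byte key = k1||k2||k3)
// as an independent reference for edeBlock.
func libraryTripleDESBlock(k1, k2, k3, plain []byte) ([]byte, error) {
	key := make([]byte, 0, 24)
	key = append(key, k1...)
	key = append(key, k2...)
	key = append(key, k3...)
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, plain)
	return out, nil
}

// singleDESBlock encrypts one block with plain single DES.
func singleDESBlock(k, plain []byte) ([]byte, error) {
	c, err := des.NewCipher(k)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, plain)
	return out, nil
}

// CheckEDE returns (a) whether the hand-built EDE matches the library 3DES,
// (b) whether EDE with k1=k2=k3 equals single DES under that key, and
// (c) whether three distinct keys give a result different from single DES.
func CheckEDE() (matchesLibrary, collapsesToSingle, differsFromSingle bool, err error) {
	ede, err := edeBlock(sampleK1, sampleK2, sampleK3, samplePIN)
	if err != nil {
		return
	}
	lib, err := libraryTripleDESBlock(sampleK1, sampleK2, sampleK3, samplePIN)
	if err != nil {
		return
	}
	sameKeyEDE, err := edeBlock(sampleK1, sampleK1, sampleK1, samplePIN)
	if err != nil {
		return
	}
	single, err := singleDESBlock(sampleK1, samplePIN)
	if err != nil {
		return
	}
	matchesLibrary = bytes.Equal(ede, lib)
	collapsesToSingle = bytes.Equal(sameKeyEDE, single)
	differsFromSingle = !bytes.Equal(ede, single)
	return
}

func main() {
	m, c, d, err := CheckEDE()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("EDE matches library 3DES: %v\n", m)
	fmt.Printf("EDE with equal keys == single DES: %v\n", c)
	fmt.Printf("EDE with distinct keys != single DES: %v\n", d)
}
```

The collapse to single DES when the keys coincide is the property that made a phased migration possible: a Triple DES PIN pad loaded with a single key behaves exactly like the legacy device, and only once distinct keys are loaded does the PIN block gain the extra key length. It also shows why a "Triple DES" upgrade that is never followed by proper key loading gives no real protection.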
However, during the recently conducted NCR security and standards seminar in Sydney, only 52 percent of the 130 delegates surveyed considered Triple DES as the top security issue. Around 18.5 percent said the personal security of staff and customers is more important.
Those surveyed represented every tier-one and tier-two bank, as well as regional banks from Queensland, Victoria and Western Australia, credit unions, card companies, independent ATM deployers (ISOs), cash-in-transit (CIT) operators and security consultants.
Card companies Mastercard and Visa have set encryption compliance deadlines of April 2005 and 2007 respectively. The mandate states that all ATMs and point-of-sale devices must have PIN pads that support Triple DES.
Around 68.5 percent of the delegates cited cost as the biggest obstacle to the implementation of Triple DES, while a quarter of all banks polled were worried about disruption to the network. Some 16.7 percent were not convinced of the value payback, and 9.3 percent lacked executive support to implement the new standards.
NCR regional marketing communications manager for Asia Pacific, Phil Chant, said the card companies are considering a shift of liability if banks do not follow the new mandate. For instance, if a fraudulent act took place on a non-Triple DES-compliant ATM, the card companies would pass the liability on to the operator of the ATM.
Although none of the card companies have finalised anything, Chant said there is talk of imposing fines similar to those implemented in other countries, of up to US$10,000 per day, on operators not upgrading their systems.
"Card companies have not stated if they will be imposing those fines in Australia, but the time will come when this will come into force," Chant said.
He believes that further down the line, financial institutions that run Triple DES-compliant ATMs will ask for extra charges if a customer uses a non-Triple DES-compliant machine.
NCR security and standards specialist Fiona Wesslink said the survey in Australia reflects the situation in overseas markets but issued a word of caution that fraud migrates both geographically and between type and method.
"Geographical migration sees fraud target countries that are the least well-prepared to counter it," Wesslink said. "This was seen recently when Malaysian ATM fraudsters hit Sydney after success in their own country and then Thailand. Migration between types of fraud also occurs, moving between card-trapping, cash-trapping, skimming and physical attacks. Such types of fraud always exploit the weakest links."
However, even after such incidents, Wesslink said not all financial institutions have begun upgrading their ATM PIN pads to comply. "This survey reinforces that there is still a long way to go to improve security, and until those steps are taken, Australia will remain a target for criminal gangs," she added.
Wesslink admitted that the cost of upgrading PIN pads to be Triple DES compliant is the main inhibitor. However, she also described the move as a very important step for the future protection of ATMs. "With ATM fraud on the increase, the cost of that fraud is increasing to a level that the banks and financial institutions cannot ignore."
Chant thinks that although some financial institutions might find it cheaper to simply pay the fines rather than pay for the upgrade of their systems, there might also be companies that take the opportunity to upgrade other areas of their systems, such as shifting to a different OS or adding audio sockets for audio guidance on transactions.