Analysis: Identifying crypto holes in Eftpos machines

Powered by SC Magazine
 

Key handling borked.

Security experts charged with testing Australia’s PIN-Entry Devices (PED) before they hit supermarkets have discovered cryptographic holes in nine in ten Eftpos terminals.

The devices encrypt user PINs to prevent information from being intercepted while in transmission. Secret keys are held by sending and receiving parties so that encrypted messages can be read.

But if the keys are stolen, then all the secrecy afforded by even the best modern cryptography systems is lost.

According to Witham Laboratories, up to 90 percent of Eftpos transaction machines fail to secure secret keys before reaching the last stage of production.

The vulnerabilities are typically caught by examiners before the devices hit supermarkets.

Such security checks are required under Australian law. Elsewhere in the world where such laws do not exist, PINs have been siphoned from Eftpos terminals using stolen crypto keys, according to Witham Labs technical manager Andrew Jamieson.

Witham Labs was one of seven organisations in the world certified by the Australian Payments Clearing Association and the Payments Card Industry (PCI) Council to test the security of PIN-Entry Devices (PEDs) such as automatic teller and Eftpos machines.

Jamieson, who has worked with payment systems for more than 15 years, dives deep into the cryptography architecture built into the devices, trying to find vulnerabilities that could expose financial information.

He said that almost all PIN-entry devices he received had security holes where the encryption key used to protect transaction data could be compromised.

"Ninety percent would be non-compliant with key management," Jamieson said.

"These are devices fully-manufactured, with all the marketing and research done, ready for market but are sent to us as a last requirement step before they can be sold."

Andrew Jamieson

The failures of key management were well documented; weak key handling was partly responsible for allowing Polish codebreakers to crack the Nazi Enigma cipher machine.

As far back as 1883, the importance of key management was detailed by Dutch cryptographer Auguste Kerckhoffs, who observed that a cryptographic system should remain secure even if everything about it except the key is known.

"We are lucky now to exist in a time when this can be true - the algorithms we have, such as AES, are very secure," Jamieson said.

"Therefore, the key is the point of attack, and the management of that key is usually the weakest point in the chain." 

Key improvements

Cryptographic key management in Eftpos devices was set to improve under a PCI Council mandate for minimum security requirements for PIN security.

Previously, the drafting of minimum requirements had been driven by Visa and Mastercard.

The PCI council adopted a Visa draft of 32 high-level requirements for PIN security, and called for industry input by the end of July 2011.

The requirements identified "minimum security requirements for PIN-based transactions, outline the minimum acceptable requirements for securing PINs and encryption keys and assist all retail electronic payment system participants in establishing assurances that cardholder PINs will not be compromised".

PCI council general manager Bob Russo said that by assuming control, the council hoped to "streamline" efforts by merchants, processers and financial institutions to secure PIN data.

"Organisations will have one set of criteria for the protection of PIN data that is recognised by all payment card brands," he said.

Standardisation efforts were also underway to improve the use and understanding of Format Preserving Encryption (FPE).

FPE allowed data formats to be preserved through the encryption process. It could encrypt and de-identify data without changing its length, type, format, or structure.

That effort had been led by standards bodies NIST and ISO, in cooperation with vendors including Voltage and Ingenico, who each had proprietary FPE methods.

“Because FPE is new, there are currently no standards,” Jamieson said.

“There’s a lot of misinformation and a lack of understanding about the technology.”

This led to implementation and integration problems, he said.

Keep it simple

Cryptographic security depended on simple principles:

  • Use Triple DES, AES, RSA, or ECC
  • Never let anyone know any part of any key
  • Generate keys randomly
  • Only encrypt keys under another key of equal or greater strength
  • Only store plaintext keys in a secure cryptographic device
  • Only use any key for one purpose
  • Don't allow Triple DES keys to be split up

Jamieson advised that any key management scheme could be used if these principles were applied. He warned that complex systems should be avoided, as should moves to create proprietary architectures.
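The principles above are the kind of thing an evaluator checks against a device's key hierarchy. The following is an added illustration, not code from the article or from Witham Labs: a small audit routine that models each key's algorithm, purpose and wrapping relationship and reports which principles a constructed sample hierarchy violates. The strength table follows NIST SP 800-57 comparable-strength figures; the reading of "split up" as the single-DES halves of a Triple DES key being usable on their own is this example's assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Comparable security strength in bits (NIST SP 800-57 Part 1).
STRENGTH = {"2TDEA": 80, "3TDEA": 112, "AES-128": 128, "AES-256": 256,
            "RSA-2048": 112, "RSA-3072": 128, "ECC-P256": 128}

@dataclass
class Key:
    name: str
    algorithm: str                    # must be a STRENGTH entry (principle 1)
    purposes: frozenset               # exactly one purpose expected (principle 6)
    wrapped_by: Optional[str] = None  # key that encrypts this key when it leaves the SCD
    in_scd: bool = True               # plaintext exists only inside a secure cryptographic device
    random: bool = True               # generated by an approved RNG, not chosen by hand
    halves_separable: bool = False    # assumption: single-DES halves usable individually

def audit(keys: list) -> list:
    """Return one finding per violated principle; an empty list means the hierarchy is clean."""
    by_name = {k.name: k for k in keys}
    findings = []
    for k in keys:
        if k.algorithm not in STRENGTH:
            findings.append(f"{k.name}: {k.algorithm} is not an approved algorithm")
        if len(k.purposes) != 1:
            findings.append(f"{k.name}: used for {sorted(k.purposes)}, a key must serve one purpose")
        if not k.random:
            findings.append(f"{k.name}: not generated randomly")
        if not k.in_scd and k.wrapped_by is None:
            findings.append(f"{k.name}: plaintext key held outside a secure cryptographic device")
        if k.halves_separable and k.algorithm.endswith("TDEA"):
            findings.append(f"{k.name}: Triple DES halves usable separately (reduces to single DES)")
        if k.wrapped_by is not None:
            kek = by_name.get(k.wrapped_by)
            if kek is None:
                findings.append(f"{k.name}: wrapped by unknown key {k.wrapped_by}")
            elif STRENGTH.get(kek.algorithm, 0) < STRENGTH.get(k.algorithm, 0):
                findings.append(f"{k.name}: {k.algorithm} wrapped under weaker {kek.algorithm} ({kek.name})")
    return findings

# Constructed sample hierarchy: a terminal master key that doubles as the PIN key,
# and working keys wrapped under that weaker master key.
SAMPLE = [
    Key("TMK", "2TDEA", frozenset({"key-encryption", "pin-encryption"})),
    Key("PEK", "AES-128", frozenset({"pin-encryption"}), wrapped_by="TMK", in_scd=False),
    Key("MAC", "3TDEA", frozenset({"mac"}), wrapped_by="TMK", halves_separable=True),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running it on the sample reports four findings: the dual-purpose master key, two working keys wrapped under a weaker key, and the separable Triple DES halves.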

"Key management is one of those things where the more complex you make it, the harder it is to secure," he said.

"As you get more complicated, you introduce more margin for error, and the slightest error in key management can render your systems insecure."

Jamieson suggested using key management schemes such as ANSI X9.24 DUKPT for triple DES key management, with SSL v3 / TLS for more complex data flows.

"If someone is telling you that they can do better, I would be asking for independent evaluation to prove that there are no insecurities."

Copyright © SC Magazine, Australia

