Saturday, May 30, 2009

3DES, DUKPT & E2EE Explained

I received a couple of questions via email and wanted to take the time to provide a "coupla" answers. If you have any questions about anything I've blogged about over the past year, feel free to shoot me one. I've got my email below:

Here's the first question:

Q: Is Triple DES a better encryption standard than DUKPT (Derived Unique Key Per Transaction)?

A: I've used the terms Triple DES and DUKPT quite a bit in recent posts. To clarify, let's just start by saying that DUKPT does not really compete with Triple DES. Let's go over them one by one.

Worldwide, POS devices handle billions of transactions per day. If the keys to even a small portion of that traffic were discovered, we'd have a tremendously huge problem, which is my segue to DUKPT.

The benefit of DUKPT is that even if an attacker discovered the key to a particular transaction, none of the other transactions from the same device could be decrypted with that key.

DES stands for Data Encryption Standard, a block cipher that was selected as an official Federal Information Processing Standard (FIPS) for the United States in 1976.

Triple DES, often shortened to 3DES, makes the encryption harder to crack by applying DES three times: an encryption, a decryption and another encryption, each under its own key.

3DES has become popular for encrypting financial transactions because it is potentially far more secure than single DES, which has been shown to give up its secrets fairly quickly to relatively cheap hardware.

Both DES and 3DES use a symmetric key. In other words, the same key enciphers and deciphers the protected data. To keep the key secret, a secure key-management system is required.

One way to prevent fraud is to use a different key for each transaction (hence Derived Unique Key Per Transaction). HomeATM's secure devices (and thus your transactions) are "Protected by DUKPT": each device is initialized with a master key, and from that master key a unique key is derived for each and every transaction.

That said, a potential attack point (from a fraudster) would be the master key stored in the encrypting device. However, because HomeATM utilizes DUKPT, our device is built so that tampering with the device wipes this master key out.

These derived keys are used to encrypt transaction data with a symmetric cipher such as 3DES. HomeATM also takes it one step further and encrypts the Track 2 data as well. If you ever have any questions regarding financial transaction security or how HomeATM provides true end-to-end-encrypted transactions, feel free to email me.

Before I get to the next question, I've got one for you.

When you "type" your card number into a "box" on a merchant website, is it protected by DUKPT? Is it encrypted? If so, DES or 3DES? First one to send me the correct answer gets a Free HomeATM PED!

Q: What is TRUE end-to-end encryption? (E2EE)

A: First of all, "true" end-to-end encryption can only occur with a PIN-based transaction. It doesn't exist outside of that scope because there is a point in the process where the cardholder data is decrypted, and between that decryption and its re-encryption is exactly where it is vulnerable.

With that said, Heartland's proposal for end-to-end encryption has turned E2EE into a hot topic.

I would point out that Heartland's E2EE proposal came "AFTER" their breach...while HomeATM instituted their end-to-end encryption from "the very beginning." I'm not bragging. I'm proudly displaying our insight into the weaknesses inherent in the payments system and how we improved upon said weaknesses.

But let's get back to Heartland, shall we? In this post I will attempt to explain why they CANNOT magically snap their fingers and introduce E2EE on their own. They need cooperation from others in the industry.

While it's true that some large U.S. retailers encrypt cardholder data while in transit, it's also true that most don't. In order for E2EE to work, a lot of retailers would need to revamp their system(s). Very costly indeed.

In addition, the top full-service U.S. payment processors don't currently support E2EE; thus, retailers that encrypt card data in transit typically must decrypt it before they send it to their processor.

The key word here is decrypt. That is the weak point, the vulnerability, and as such, also the problem.

That said, PIN Debit is an entirely different animal. Card brand standards require that PINs are encrypted end-to-end. In fact, speaking about Heartland's quest for E2EE, Distinguished Gartner Analyst Avivah Litan stated:

"End-to-end encryption would be most effective if data was encrypted from the time a card was swiped at a POS until it reached the card issuer, similar to the way personal identification numbers (PINs) currently are encrypted according to card brand standards."

Starting to get the point? If not, here's some more insight as Ms. Litan went on to state:

"Heartland is limited by the scope of systems it manages and from which it accepts data; it can only seek to influence the card industry to carry end-to-end encryption beyond the processor stage, through the card networks and onto the card issuers.

"The proposal's success also depends on merchants' willingness to invest in terminal upgrades that support card data encryption."

(Editor's Note: For instance...HomeATM's PCI 2.0 Certified SafeTPIN PED which also encrypts the Track 2 data.) Avivah continues:

"If Heartland implements its proposed project more securely than it has managed in the past with its network, it will make payment card processing more secure for merchants, especially if they don't manage the encryption keys and leave key management to their processor.

Nevertheless, the process will always include vulnerabilities at the point where data is encrypted and decrypted.

"These vulnerabilities can be limited by using "sound key management practices" and enforcing extra security measures, such as "requiring two separately managed sets of keys for cryptographic operation."

HomeATM practices what she preaches by incorporating a "sound key management practice."

That is why HomeATM is the closest thing to TRUE end-to-end encryption in the industry (our industry being eCommerce payments and Real Time Money Transfer).

In the bricks and mortar world, end-to-end encryption doesn't exist and the whole system would need to be revamped. You can learn more about that in this related post where Avivah Litan asks:
Hacked! Is Visa Next?

Hole in the Whole Card Security System

Credit Cards' Unintended Security Hole - CBS News
Retail Realities: Why Zero Liability Programs Are a Wonderfully Early Holiday Gift to Cyber Thieves Everywhere

Editor's Note: First of all, I call it "Zero Lie Ability," because the truth is that signature debit vs. PIN debit brings "nothing to the table," yet Visa pushes it over the more secure 2FA PIN debit system. Lie Ability also has the dual meaning that the banks have "no clue" (zero) on how Visa fooled them into agreeing to partake in this so-called "zero liability" program...the one that pushes the "LIE" in order to provide Visa with the "ABILITY" to make more profits. It doesn't take a rocket scientist to PIN down the fact that Visa's "Signature" product, given the two choices (PIN or SIG), is the less secure of the two.

I'll expand further on Tuesday.  For now, here's Evan Schuman's rant...which by the way...contains zero lies!

(CBS) This column was written by Evan Schuman, the editor of, a site that tracks retail technology, e-Commerce and security issues. He can be reached by e-mail and on Twitter.

In one of the most delicious ironies in retail today, the single most significant element that makes it easier for cyber thieves to steal consumer credit and debit card information from retailers is something the credit card companies themselves cooked up.

To be fair, this unintended consequence is a domino effect, where the innocuous-seeming program has set off a series of chain reactions that, today, makes credit and debit card breaches a lot more likely and more lucrative for the thieves. The program is called zero liability and it was initiated by some of the major credit card players many years ago to try and make consumers more comfortable making purchases online. The premise is that any fraudulent purchases will not have to be paid for by the consumer. Some banks have spoken of no liability beyond $50, but in operation, almost all banks cover all of the charges.

The program worked wonderfully and consumers quickly did become comfortable making E-Commerce purchases. But as identity theft and straight-out stealing from credit cards became much more common, large retailers became popular targets. The onus was on the retailers, not the banks, to pay millions of dollars to install and manage sophisticated security programs. But these costs were almost impossible to justify. After all, no chain was going to advertise: "We just installed state-of-the-art firewalls and encryption systems. Come shop with us." And the risk of being breached seemed too remote to make a compelling argument to a board of directors.

Then came the retail world's wakeup moment.  (Continue Reading...but Editor's Note)

Editor's Note: When will the e-tail world "wake up?" AFTER or BEFORE the next big breach? Look for Tuesday's PIN Payments News Blog for an analysis of why an e-Breach is inevitable...unless online shoppers swipe instead of type. I've long said that if cardholder data is going to be swiped, should it not be the cardholder doing the SwipePIN?

BTW: It's ironic that this story was run on CBS, because there's a lot of BS that I C involving e-payment security on the web (including BSMS). When it comes to asking who "nose" this more than anyone, the engineering team at HomeATM has been conscious of this fact for years. So what is Visa doing? Jiminy Cricket! Where's the conscience?

Heartland Update: 656 Institutions Impacted

While it's hard to get a handle on just how many consumers were affected by the Heartland Payment Systems (HPY) data breach, the total number of institutions now reporting card compromises is at 656.



NACS Says Interchange Reform Badly Needed

'A penny times billions adds up'
Trade group (NACS) representing convenience stores and grocers upset with recent credit card fee increase
Date published: 5/29/2009

An association of retailers is upset about a recent fee increase charged to merchants each time a customer uses a credit card to pay.

The National Association of Convenience Stores calls last month's usage-fee increases by Visa and MasterCard "beyond outrageous." The fees, which took effect April 17, increase a merchant's per-charge transaction cost by more than a penny. Merchants are now charged about 2 cents per transaction on usage fees, which are in addition to other costs.

"A penny may not seem like much, but a penny times billions adds up quick," said NACS spokesman Jeff Lenard. "And when business costs go up, they get passed along to consumers, so we are all the losers."

MasterCard spokesman Chris Monteiro declined to comment on the pricing adjustments but noted that "every business establishes a price for the goods and services it provides, and the electronic payments industry is no exception."


In related news, the NACS also ran an editorial on their website arguing that interchange fees need to be regulated, or the benefits of the recent Credit Card Bill of Rights will be badly affected:

Editorial: Merchants Need Interchange Reform 

Unless interchange fees are regulated, the benefits to consumers of recent credit card reform will be sharply reduced

MINNEAPOLIS, MN – An editorial in the Minneapolis Star-Tribune welcomed the passage of the Credit Cardholders’ Bill of Rights as one protecting cardholders, although the bill failed to address interchange

The editorial urged Congress or courts to act and eliminate interchange fees, costs that total $45 billion annually. The editorial’s authors, Craig Wildfang and Mark Williams, recommended the following:

  • Congress should regulate interchange fees, those charged to merchants by card-issuing banks. Collectively, the fees total $45 billion annually and are rising.
  • U.S. interchange fees are among the world’s highest and are not supported by commensurately higher costs to banks or card networks. In fact, the costs of running computer hardware and software — “the principal costs of running a payment card network” — have been
  • Interchange fees are essentially a privately enacted sales tax by the country’s largest banks (creators of Visa and MasterCard), “except that the revenue goes to the country’s largest banks, not to the government.” No controls have been in place to regulate these “fixing of prices to merchants” by the banks. Indeed, “the five largest card-issuing banks account for 80 percent of all cards.”
  • Other countries have contested interchange fees, including Australia and the European Union. In those cases, authorities lowered or eliminated the fees.
  • Canada’s Interac debit network, as well as other foreign debit card networks, voluntarily do not charge interchange fees.

Wildfang and Williams summarized that eliminating the $45 billion interchange fee would provide an immediate stimulus to the economy. And noting that Citibank and Bank of America have accepted hundreds of billions of dollars of taxpayer funds to endure the current financial crisis, a reciprocal gesture is especially merited. Without doing so, the benefits of the Cardholders’ Bill of Rights are sharply reduced. And if Congress fails to act, merchants will turn to the courts to seek relief.

Cybersecurity Tsarina - ISR

In an article written by Kevin M. Nixon, he muses as to whether Melissa Hathaway is the next Cybercrime Czar...

Is She America’s New Cybersecurity Tsarina?

May 29, 2009 by ADMIN
By Kevin M. Nixon, Security Editor

Information Security Resources staff had received an advance copy of the official White House Press Release (05/29/2009) and was all ears today during President Obama’s East Room remarks on the highly anticipated and long awaited release of the “Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure”.

The report has become known as “The Hathaway 60-Day Report” in “homage” to Melissa Hathaway, the person President Obama picked as “Acting Senior Director for Cyberspace of the National Security Council (NSC) and the Homeland Security Council (HSC)”.

Not only did the President bestow a title too long to technically print on a normal sized business card, he also gave her the shortest runway I have ever seen to assemble recommendations, gain consensus, and publish a report for the Chief Executive.

Just pulling together all agencies, departments, stove-piped information while overcoming all the turf battles can only be likened to attempting a huge worm wrestle.

Ms Hathaway accomplished the task and delivered the goods and so everyone anticipated that the President would recognize her “get it done” work ethic and also announce from the East Room today, her appointment as America’s Cybersecurity Tsarina.

However, everyone holding their breath in the East Room today probably passed out from lack of oxygen. The President was blatantly and conspicuously silent on his appointment.

The President’s silence left everyone wondering “does she or doesn’t she” and left reporters attempting to find any hints of the President’s plan. ISR thinks that we may be on to something. As POTUS stepped in front of the gathered experts, somewhere in the back offices of the White House there was a shadowy figure hunkered over a keyboard waiting for the exact moment to press enter and publish an article on the White House Blog.

Could that person have even been sitting in the East Room audience with the President holding onto her three Blackberry devices just waiting for President Obama to give the secret word or phrase to “press the send” button?

We may never know, but President Obama did acknowledge Melissa Hathaway at about the same time that an article by her was posted on the White House Blog.

What is noticeable in Ms Hathaway’s article is her title in the article’s by-line. Gone is “Melissa Hathaway, Acting Senior Director for Cyberspace of the National Security Council (NSC) and the Homeland Security Council (HSC)”. The new by-line reads: Melissa Hathaway, Cybersecurity Chief at the National Security Council.

Which still leaves us wondering and waiting. Is the White House making new robes as the Catholic church does when a new Pope is elected, or has Ms Hathaway been appointed “Camerlingo” (1st runner up in a papal contest)? Guess we will just have to wait.

Melissa Hathaway’s Blog post “Securing Our Digital Future” is re-published here:
Melissa Hathaway, Cybersecurity Chief at the National Security Council, discusses securing our nation’s digital future:

Published:  FRI, MAY 29, 10:00 AM EST — The White House Blog

The globally-interconnected digital information and communications infrastructure known as cyberspace underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety and national security.

The United States is one of the global leaders on embedding technology into our daily lives and this technology adoption has transformed the global economy and connected people in ways never imagined.

My boys are 8 and 9 and use the Internet daily to do homework, blog with their friends and teacher, and email their mom; it is second nature to them.

My mom and dad can read the newspapers about their daughter on-line and can reach me anywhere in the world from their cell phone to mine. And people all over the world can post and watch videos and read our blogs within minutes of completion. I can’t imagine my world without this connectivity and I would bet that you cannot either. Now consider that the same networks that provide this connectivity also increasingly help control our critical infrastructure.

These networks deliver power and water to our households and businesses, they enable us to access our bank accounts from almost any city in the world, and they are transforming the way our doctors provide healthcare. For all of these reasons, we need a safe Internet with a strong network infrastructure and we as a nation need to take prompt action to protect cyberspace for what we use it for today and will need in the future.

Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law. The 60-day cyberspace policy review summarizes our conclusions and outlines the beginning of a way forward in building a reliable, resilient, trustworthy digital infrastructure for the future.

There are opportunities for everyone–individuals, academia, industry, and governments–to contribute toward this vision. During the review we engaged in more than 40 meetings and received and read more than 100 papers that informed our recommendations. As you will see in our review there is a lot of work for us to do together and an ambitious action plan to accomplish our goals.

It must begin with a national dialogue on cybersecurity and we should start with our family, friends, and colleagues.

We are late in addressing this critical national need and our response must be focused, aggressive, and well-resourced. We have garnered great momentum in the last few months, and the vision developed in our review is based on the important input we received from industry, academia, the civil liberties and privacy communities, others in the Executive Branch, State governments, Congress, and our international partners. We now have a strong and common view of what is needed to achieve change.

Ensuring that cyberspace is sufficiently resilient and trustworthy to support U.S. goals of economic growth, civil liberties and privacy protections, national security, and the continued advancement of democratic institutions requires making cybersecurity a national priority.

Kevin M. Nixon, MSA, CISSP®, CISM®, CGEIT®, has testified as an expert witness before the Congressional High Tech Task Force, the Chairman of the Senate Armed Services Committee, and the Chairman of the House Ways and Means Committee. He has also served on infrastructure security boards and committees including the Disaster Recovery Workgroup for the Office of Homeland Security, and as a consultant to the Federal Trade Commission.

The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to

