Electronic fund transfer processing systems are widely used for communicating financial transaction information between banks and remote terminals, such as point of sale terminals (POS) and automated teller machines (ATM).
In today's systems, information is transmitted between respective nodes over telecommunication lines which may be intercepted by an adversary. Though the intercepted electronic data is not immediately readable, it can be made readable through the use of a typical home computer. With this data and readily available hardware, counterfeit plastic cards can be produced and used to fraudulently withdraw funds from legitimate customer accounts.
Since the information transmitted over these systems must be maintained under intense security, and the interception of messages cannot realistically be prevented, the information or data is typically encoded or encrypted prior to transmission over the system.
Data encryption is the coding of data to render it unreadable to anyone who does not possess the proper decoding information. In an ATM transaction, a customers personal identification number (PIN) is transmitted along with a transaction request to allow the customer's financial institution to verify that the person making the request is authorized to do so. If the customer's PIN is not encrypted before transmission, it is readily available to an eavesdropper for use with counterfeit or stolen cards.
However, if the PIN is encrypted before it is transmitted, this type of theft can be prevented. Even if the encrypted PIN is intercepted, the encrypted PIN would be unintelligible. Without a usable PIN, a counterfeit card would be useless. While many financial transactions travel directly from a remote terminal to a financial institution over secure telecommunication lines, the trend today is toward large, shared networks in which transaction requests entered on a remote terminal are relayed through several network nodes before they arrive at the customer's financial institution.
The first link in a typical network arrangement, after the remote terminal, is the financial institution which has contracted to acquire transactions from the terminal. This institution is called the "acquirer." The acquirer forwards the request to a regional switch which receives transactions from many acquirers. The switch then forwards the request to an institution which verifies the PIN and authorizes or rejects the transaction. This institution may be the institution which issued the card or it may be an agent of the card issuer.
The use of data encryption to protect PINs in this environment requires that each remote terminal have the ability to encrypt PINs before transmitting them in a transaction request, and that each card issuer have the information necessary to decrypt the PINs upon receiving them for verification.
This would be a relatively simple matter if all PINs were encrypted under the same encryption method. If such were the case, PINs encrypted at remote terminals would remain encrypted until they arrived at the card issuer for verification. The card issuer could decrypt all PINs, regardless of which terminal they came from, because all remote terminals would use the same PIN-encrypting method.
However, this scenario is too simplistic to be effective. While providing a slightly higher level of security than if the PINs were not encrypted at all, there would be a huge security risk in that literally hundreds of thousands of PINs would be encrypted under the same method and each transaction acquirer and card issuer in the network would need to have knowledge of the method in order to perform their function in the transaction process. Such widespread knowledge of an encryption method would expose such a large number of PINs as to present an unacceptable level of network security risk. For this reason, the encryption method used today is necessarily more complex. In cases where the information or data is transmitted through one or more institutions, the information or data is typically decrypted at each institution and re-encrypted prior to transmission to the next institution.
While a variety of encryption methods are in use today, the most common encryption method is referred to as the "Data Encryption Standard (DES) algorithm." The DES algorithm has been recommended by the American National Standards Institute (ANSI) as the encryption standard for financial institutions.
The DES algorithm encrypts electronic data, such as a PIN entered at a remote terminal keypad or an account number taken from the magnetic strip on the back of a plastic debit card, by performing a complex series of processes which transform the original data into a completely unrecognizable string of characters.
What makes it possible to use only one encryption method industry-wide and still maintain data security is the fact that the DES algorithm incorporates encryption "keys" which enable users to customize or personalize the algorithm for their own application. Decrypting data which has undergone DES encryption under a specific key requires knowledge of both the algorithm and the key. Attempting to decrypt the data with a different key or with no key at all would produce unreadable gibberish. Therefore, even though the whole network possesses the encryption algorithm, only those parties which possess the specific encryption key are able to decrypt the data.
In a process which will be further discussed below, the customer's PIN is encrypted at the remote terminal under a key which is used encrypt pINs for transmission to the transaction acquirer. The encrypted PIN is then sent to the acquirer, where it is translated for delivery to the switch. PIN translation at the acquirer involves decrypting the PIN under the remote terminal key, then re-encrypting it under a key which is used exclusively to encrypt PINs for transmission to the switch.
From the transaction acquirer, the PIN is transmitted to the switch, where a similar process is used to translate the PIN for delivery to the card issuer. Finally, at the card issuer, the PIN is translated for verification. Therefore, for each of these translations, a reliable data encryption/decryption device must be employed to convert the PIN information into a form which can be understood by the next link in the system.
Another threat to message security comes in the form of message tampering, such as the alteration of existing messages or the substitution of counterfeit messages for authentic messages.
For example, in an EFT message, a sophisticated eavesdropping or wiretapping organization could replace various elements in the message to redirect funds or fraudulently authorize transactions.
Therefore, just as data encryption protects against PIN theft, so does message authentication protect against message tampering. With message authentication, selected segments of a message are passed through the DES algorithm under a special authentication key. Rather than encrypting the data though, the algorithm calculates a code value from the data and appends this value to the end of the message. The receiver of the message runs the message through the algorithm under the same key used by the sender and arrives at a code value. The receiver then compares the just-calculated value against the value that was appended to the message by the sender. If the message has been tampered with, the two values will not be the same. If, on the other hand, the code values are equal, the message is authentic.
This would effectively foil a message-tampering scheme because the ATM, upon arriving at a message authentication value for the return message, would automatically deny the transaction, in spite of the authorization code. This would happen because the substitution of the authorization segment to the denial segment would cause the authentication value to change. The ATM would sense the disparity between the two values and would refuse to dispense the cash. The perpetrator could not effectively alter the authentication value because he would not have the proper key used by the sender and the receiver to arrive at the value.
While the DES algorithm and the message authentication scheme described above provide a large measure of security, the security of the system is totally dependent upon the security of the DES keys under which data is encrypted or authenticated. If an adversary were to come into possession of the key used between two links in the network, that adversary would have free access to all the transaction data which passed between links. For example, if he knew the key used by an ATM to encrypt PINs, he would be able to decrypt the PIN of every customer who used the ATM. If he possessed the key used to authenticate messages between any two links in the network, he could freely substitute messages or parts of messages to fraudulently redirect funds.
Therefore, in this type of system, good key management practices are essential in maintaining the security of the system. One element of maintaining the security of key information is to perform all key operations, such as key entry, key storage, encryption, and translation, within a physically and logically secure module. Since, at various points in the encryption process, keys may exist in the clear, it would be possible for an adversary to penetrate the network link's software and extract encryption keys. Maintaining the circuity which processes this information in secrecy prevents system security breaches.
Present data encryption devices for use with secure networks are known to have many limitations. For example, in present encryption devices, key management is cumbersome. In one widely used encryption system, secure data is retained in a security module which cannot be modified or reprogrammed externally. In order to modify key data retained within the security module, the security module must be physically removed from the encryption device and reprogrammed with a dedicated programming unit. As a consequence, the encryption unit must be taken out of service while any key modification is performed. Since effective system security requires that key information is changed regularly, the above technique results in inefficient utilization of the system. Current data encryption devices do not provide an easy and efficient means of updating secure information without physically disturbing the data encryption device or removing the data encryption device from the system.
Furthermore, current systems rely on a dedicated encryption device for each data communication channel. In systems which require fault-tolerant operation, a plurality of discrete devices are required, each under the control of a remote processor. With this type of system, a host processor communicates with each encryption device individually. If fault-tolerant operation is required, duplicate encryption devices are coupled to parallel channels of the host processor. The host processor then monitors the operation of the primary encryption device, and if communications with that device are lost, the host processor initiates communication with the secondary encryption device. Systems which employ this configuration are subject to the loss of data in transit when one communication channel fails. Any data transmitted to a failed unit before the detection of a failure by a host must be retransmitted to a secondary device for reprocessing, thus degrading the performance of the system. No data encryption device is known which provides a fault-tolerant data encryption channel which requires only a single data communication channel and provides fault-tolerant operation without the need for monitoring by a host processor. Furthermore, no data encryption device is known which provides for automatic recovery from hardware failures.
In yet another aspect of present system configurations, the operating statistics of an encryption unit are unknown to the operator of a system. For example, a large number of denied transactions may be attributable to a failing encryption unit. If such statistics were of interest to a system operator, the main processing computer of the system would have to compile them, thus increasing the processing overhead and the overall cost of the system. Present data encryption devices are not provided with any means by which a user can visually monitor the operating status of the device, thereby allowing a user to detect a problem before a catastrophic failure occurs.
Finally, present systems are increasingly required to communicate with a variety of communication protocols and key verification techniques. Currently, dedicated encryption devices are required for implementing each type of encryption scheme. No device is known which supports data encryption using a variety of communications protocols.