What Encryption Is Used on an ATM Machine?
by David Dunning
An Automated Teller Machine (ATM) provides a simple yet secure service whereby authorized cardholders can withdraw cash and perform other banking transactions without visiting a bank branch. Each ATM transaction is authorized by a bank over a secure communications network, which relies on encoding data so that only the sender and the intended recipient can read it; this encoding is known as encryption.
One common ATM security problem involves so-called phantom withdrawals, in which cash is taken from a cardholder's account but neither the customer nor the bank admits liability. Phantom withdrawals are sometimes the result of fraud on the part of the customer, but ATMs can also be tricked into accepting bogus, skimmed or cloned cards. To counter this, ATMs generate a coded message, known as an Authorization Request Cryptogram (ARQC), which card issuers use to authenticate the card and the card data.
ATMs originally used a mathematical formula, or algorithm, known as the Data Encryption Standard (DES), to encrypt personal identification numbers (PINs). DES encrypts data in 64-bit blocks using a 56-bit key and was, at one time, an official Federal Information Processing Standard in the United States. However, increases in the computing power of personal computers have rendered DES insecure for ATM applications; ATMs using DES have been breached within 24 hours.
Triple DES uses two encryption keys and applies the DES algorithm three times, effectively increasing the length of the encryption key to 168 bits. Triple DES is significantly more secure than DES because an exhaustive search of its key space is not practical. According to the National Credit Union Administration, all new ATM installations since 2002 have been required to employ triple DES encryption.
In 2001, the National Institute of Standards and Technology (NIST) announced the adoption of a new encryption standard, known as the Advanced Encryption Standard (AES), intended to replace DES. AES uses a key of 128, 192 or 256 bits and encrypts data in 128-bit blocks. The only way for an unauthorized party to decrypt data encrypted with AES is a so-called brute-force attack, which involves trying every possible key, so AES is significantly more secure than DES or triple DES. AES was approved by the U.S. government in 2003 as the commercial standard for encrypting sensitive digital information, including the financial data used by ATMs.