By Sanjay Pandey

Just a few days back, the Indian Computer Emergency Response Team (CERT-In) issued an advisory regarding possible skimming or malware attacks on Point of Sale (PoS) machines currently in use in the country. For citizens, many of whom are first-time users of cards, the possibility of losing their money through hacked machines is, in the current times, heart-rending. While skimming can be avoided by the use of tamper-proof hardware, malware needs technical solutions. Tackling this in the present scenario, however, does not appear to be easy. The reasons for this helplessness, though, are fairly simple.

One of the obvious reasons is the absence of a National Encryption Policy in India. Section 84(a) of the amended Information Technology Act states that the central government may prescribe modes and methods of encryption for the purposes of e-commerce and e-governance. A National Encryption Policy draft was issued in late 2015. This was, however, withdrawn due to serious flaws. Since then, there has been no other announcement towards the use of acceptable encryption in India. What exists is a 1999 guideline issued to Internet Service Providers (ISPs). This policy mandated the use of 40-bit encryption by the ISPs. 40-bit encryption, in current times, is too easy for hackers to break. This use of weak encryption exposes the data which travels on the Internet in India.

Alongside the weak encryption mandated for the ISPs, Indian banks also do not use very strong encryption. RBI has issued guidelines to banks to use 128-bit encryption. 128-bit encryption, too, is easy for present-day hackers to break. Besides this, the Data Encryption Standard (DES) algorithm which is in use in India has been internationally obsolete for more than a decade. DES was used by the USA in the 1980s. The USA replaced DES with the Advanced Encryption Standard (AES) in 2000. In fact, one of the reasons why the USA replaced DES was that it was easily breakable.
The use of an obsolete encryption algorithm with low-grade encryption keys (128-bit) does not help in challenging committed hackers.

Another hurdle in handling these possible attacks is the fact that India is not part of the Wassenaar Arrangement. Under this arrangement, restrictions are imposed on the export of conventional arms and dual-use goods and technologies. Encryption is categorised as an item in the munitions list which is controlled through this arrangement. The Wassenaar Arrangement has 41 countries as members, including the USA, Canada, the UK and Australia. Not being a member, India cannot get the best encryption products from countries which are members of this arrangement. With this handicap, the best efforts of Indian industry to safeguard data through conventional PoS machines and ATMs using low-grade encryption may not be enough.

Aiding the hackers is also the slow progress in the conversion of magnetic stripe cards to chip-based EMV (Europay, Mastercard and Visa) cards using a PIN. RBI guidelines state that all new debit and credit cards issued after September 1, 2015 should be chip-based EMV cards with PIN. While the newer cards will surely be better at protecting customers' credentials, older cards still exist. Non-EMV cards are prone to skimming attacks, where the data on the card's magnetic stripe is easily read through a tampered Automated Teller Machine (ATM) or PoS machine.

As more and more people start using cards at ATMs and PoS machines, these inherent weaknesses need to be addressed. A possible solution could be the issuance of a National Encryption Policy mandating the use of strong encryption, and the acceptance of India into the Wassenaar Arrangement, enabling India to use the best available encryption technology. This will not only prevent skimming and malware attacks but also provide better security and safety to citizens in their day-to-day ATM and PoS usage.
The author is a CISSP and holds a B Tech in Computer Science from IIT Kanpur. (CISSP, Certified Information Systems Security Professional, is a universally recognised certification in information security; www.isc2.org.)
Written by FP Archives