

Sid Sidner

I spent 11 years of my life thinking about ATM networks at ACI Worldwide, the last 5 as Director, Security Engineering. I also participated in the X9F6 working group, the U.S. standards body for payment card security.

I never knew Robert Morris cared about ATM security, or mused about it in the land of the midnight sun. However, I can relate: every time I use a card from my bank in Omaha, NE, USA, at some merchant in a place like Timisoara, Romania, and they cheerfully take it, I pause for a moment and marvel.

I have two observations to make about this, one commercial and one technical.

The reason this works commercially is a trust framework, just like the ones OIX promotes, run by the worldwide banking system. Just think about the complexities in international monetary settlement and fraud: consumer, merchant, network, or bank instigated.

The reason this works technically is some serious cryptography that mostly works, under sustained, well-funded attacks.

The ATM network used to use software cryptography. That is mostly gone, except from old gas pumps and backwater geos. In nearly all of the world, except for the U.S., this starts with hardware cryptography in the EMV cards used as consumer payment tokens and finishes with hardware security modules at the card issuance center and at the transaction authorization center.

Until we get to universal online identity tokens at least as good as EMV cards, we will never be able to do high-value transactions on networks.

R.I.P., Robert Morris.

Gregory Butler

The irony is that the manufacturer of most US teller machines is (was) also the manufacturer of the notoriously-insecure and otherwise controversial voting machines: Diebold.

But I must imagine Mr. Morris knew that...
