henryschwarz.blogspot.com
Henry Schwarz's ATM & EFT-POS Security Blog: R.I.P. Barnaby
http://henryschwarz.blogspot.com/2013/07/rip-barnaby.html
Today I was profoundly saddened to learn of the passing of Barnaby Jack, at the age of 35. A few years ago Barnaby attacked my ATM, and he did so with brilliance, integrity, charisma, and chutzpah. To quote from my earlier essay about Barnaby's attack: "Barnaby and I started as adversaries and ended as friends". Indeed, that is where we ultimately ended. My heartfelt condolences to his family and loved ones.
Henry Schwarz's ATM & EFT-POS Security Blog: OK everybody, we've finally made it from 1DES to 3DES, now let's keep on going to AES. Come on, let's go, who's with me?! Um, hello? Anyone?
http://henryschwarz.blogspot.com/2012/06/ok-everybody-weve-finally-made-it-from.html
OK everybody, we've finally made it from 1DES to 3DES, now let's keep on going to AES. Come on, let's go, who's with me? AES is the symmetric crypto algorithm du jour. But AES remains largely unused by retail banking terminals, which have only recently been dragged into the 1990s by migrating from 1DES to 3DES. The journey from 3DES to its successor AES would be fraught with peril; here be dragons. From the terminal's perspective, moving to AES would affect at least the following areas: Aside from a new...
Henry Schwarz's ATM & EFT-POS Security Blog: Comparing a 112 bit apple with a 2048 bit orange
http://henryschwarz.blogspot.com/2012/06/comparing-112-bit-apple-with-2048-bit.html
Comparing a 112 bit apple with a 2048 bit orange. I am grateful to marketers who boast that their crypto products' key lengths are 2048 bit as opposed to a mere 112 bit, for it is too rare that one has an opportunity to use the word incommensurable. For different algorithms, the meaning of the key changes, and the key is used in entirely different ways. For RSA, the secret key is an exponent, as in x to the power of y in regular arithmetic. For DES, the key is rotated, substituted, and permuted, ...For a...
Henry Schwarz's ATM & EFT-POS Security Blog: Black Hat USA 2012 **versus** ATM and EFT-POS
http://henryschwarz.blogspot.com/2012/07/black-hat-usa-2012-versus-atm-and-eft.html
Black Hat USA 2012 *versus* ATM and EFT-POS. I've just returned from the Black Hat USA 2012 infosec conference. Here are some of the presentations which may apply to the ATM and EFT-POS industry. Nils, Rafael Dominguez Vega. This presentation demonstrated malware executing on three different pinpads. The malware can be loaded via the pinpads' public-facing interfaces (smart card reader or online comms) clandestinely while the pinpads are deployed live in the field. They did not disclose specific detail...
Henry Schwarz's ATM & EFT-POS Security Blog: Remote key loading and the false dichotomy of certificates versus signatures
http://henryschwarz.blogspot.com/2012/06/remote-key-loading-and-false-dichotomy.html
Remote key loading and the false dichotomy of certificates versus signatures. But first, some boring definitions of terms: • Remote key loading (RKL) is the secure delivery of master keys from a host to a terminal across a public network. • Extensions for Financial Services (XFS) is a specification of an interface between application software and terminal hardware, providing platform independence. Both use certificates, both use signatures. Naturally one wonders why XFS included this atrocious "...
Henry Schwarz's ATM & EFT-POS Security Blog: Bob Woodward, Carl Bernstein, Henry Schwarz
http://henryschwarz.blogspot.com/2013/05/bob-woodward-carl-bernstein-henry.html
Bob Woodward, Carl Bernstein, Henry Schwarz. The Washington Post asked me for comment on a heist involving ATMs. The perpetrators hacked into two pre-paid debit card processors and added vast amounts to the perps' accounts. Then they withdrew the cash at ATMs. Here's a link to the Department of Justice press release about the indictment. Here's a link to the WaPo article, containing my comment. Extract: The reporter's main interest in me seemed to be whether the hackers could have obtained PINs, I guess...
Henry Schwarz's ATM & EFT-POS Security Blog: Dark Reading
http://henryschwarz.blogspot.com/2014/03/dark-reading.html
The cyber security news site Dark Reading interviewed me about malware on ATMs. Link.
Henry Schwarz's ATM & EFT-POS Security Blog: Hit the street
http://henryschwarz.blogspot.com/2013/08/hit-street.html
I was interviewed about hacking in a financial news website called The Street. Link.
Henry Schwarz's ATM & EFT-POS Security Blog: Published
http://henryschwarz.blogspot.com/2013/01/published.html
The ATM Industry Association recently published its End-To-End Encryption Best Practices Guide, of which I served as Technical Editor, and much of which I authored. The document describes the encryption of data being exchanged between an ATM and its host. Here's an article about it.