maracle,

In response to Patzer you replied, Sure, it's feasible. At roughly 20x-25x the cost. Your local gas station and mini mart would never have an ATM if they needed more than a simple connection. As you even point out, it takes nothing more than a VPN tunnel to secure an internet connection, a private data line is very close to useless.

This is probably picking nits; but I would argue that a conventional VPN tunnel might not be good enough for any communications channel tunneled over a public communications system that is relied on for a large number of banking transactions or can be used to gain physical access to a vault containing sizable quantities of currency.

A VPN connection obtains a cryptographically secure temporal key using the well-known Diffie-Hellman key exchange methodology. The method allows two parties to agree on a random cryptographic key without exposing the random numbers they used to reach that agreement, nor the agreed-upon number itself. Therefore an external observer cannot guess the temporal key from simple observation.

However, Diffie-Hellman does not address the man-in-the-middle problem. From a security standpoint, we assume the constants used to compute the temporal key are well-known, therefore, any hacker can stand between you and the end-device/server and participate in the key exchange process. This allows him to obtain a temporal key between you and his device and another between his device and the device you're trying to talk to. Once in the middle, his device can record all of the traffic.

All security protocols require something more than a Diffie-Hellman exchange to validate the connection in an attempt to thwart man-in-the-middle attacks. Usually it's some form of pre-shared key (PSK). The password you set up at your bank's website is an example. This key is not subsequently disclosed when you log in - it is only used to create a validation hash code. The hash code is generally not computationally reversible, at least not in real-time. However, if the hacker has unrestricted access to the target device, PSKs present a serious problem - they usually lack enough entropy to circumvent a dictionary or other brute force attack. This is the real reason why websites and VPN systems usually lock out a user after a few failed login attempts.

To try to increase the entropy in PSK systems, many add things like rotating passwords. I have an RSA token for my work's VPN. That token simply displays a 6-digit key that changes once/minute. However, the key is actually guessable. The token is simply rotating through a pre-determined sequence of codes. Should a hacker determine this sequence and at any point determine where you are in the sequence, he effectively has your password for all time.

The only truly secure methods for authenticating a connection require out-of-band authentication. That's where a token or some other method outside the regular communication channel is used to pass or validate a cryptographically secure (unguessable) master key between two devices. This key is then used in subsequent attempts to authenticate the temporal key. There are several ways to do this type of out-of-band authentication; but I'm not aware of any VPN systems that use any out-of-band authentication methods.

Most banks (and ATM manufacturers) would probably opt for a simple, out-of-the-box VPN; but I think that represents some risk for the ATM-owner. They may think the risk is acceptable; but I imagine the people making the decision probably aren't even aware of the issues...

BTW, all of this still assumes both devices themselves are not physically compromised... Once that happens, all bets are off.

- Joel
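As an added illustration of the point above that a Diffie-Hellman exchange on its own does not detect a party in the middle and needs a PSK-based validation step on top (example code added here, not from Joel's post or from any VPN product it mentions; the group parameters and the confirmation-tag format are constructed for the demo): a toy exchange in which a middle party ends up with a separate key on each side, and a PSK-keyed transcript MAC that lets the responder notice the mismatch instead of silently accepting it.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters (a real VPN uses a standard large MODP or
# elliptic-curve group): 2**127 - 1 is prime, g = 5 is an arbitrary base.
P = 2**127 - 1
G = 5


def dh_keypair():
    """Random private exponent x and its public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Temporal key: hash of the shared secret peer_pub^priv mod p."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def confirm_tag(psk, role, key, initiator_pub, responder_pub):
    """PSK-keyed MAC over the derived key and the public values this side saw.
    Only the tag crosses the wire; the PSK itself is never disclosed."""
    msg = role + key + initiator_pub.to_bytes(16, "big") + responder_pub.to_bytes(16, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def run_exchange(psk, middle_party):
    a_priv, a_pub = dh_keypair()  # initiator, e.g. the ATM
    b_priv, b_pub = dh_keypair()  # responder, e.g. the bank's VPN gateway
    if middle_party:
        # A middle party substitutes its own public value in both directions
        # and ends up holding one key shared with A and a different one with B.
        _, m_pub = dh_keypair()
        a_sees, b_sees = m_pub, m_pub
    else:
        a_sees, b_sees = b_pub, a_pub
    a_key = dh_shared(a_priv, a_sees)
    b_key = dh_shared(b_priv, b_sees)
    # A sends its tag; B recomputes it from B's own key and B's own view of the
    # transcript. Without the PSK nobody in the middle can produce a matching
    # tag, so a substituted exchange is rejected instead of silently accepted.
    a_tag = confirm_tag(psk, b"A", a_key, a_pub, a_sees)
    b_check = confirm_tag(psk, b"A", b_key, b_sees, b_pub)
    return {"keys_match": a_key == b_key,
            "b_accepts": hmac.compare_digest(a_tag, b_check)}
```

The PSK-keyed tag only helps against guessing in proportion to the PSK's entropy, which is the point Joel makes about dictionary attacks and lockouts.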