Today I was profoundly saddened to learn of the passing of Barnaby Jack at the age of 35. A few years ago Barnaby attacked my ATM, and he did so with brilliance, integrity, charisma, and chutzpah. To quote from my earlier essay about Barnaby's attack, "Barnaby and I started as adversaries and ended as friends". Indeed, that is where we ultimately ended. My heartfelt condolences to his family and loved ones.
Public Service Announcement: A magnetic stripe card is manufactured by adhering a strip of magnetic tape, and a card-holder may swipe it through a card reader, but please do not get confused and call it a magnetic strip card nor a magnetic swipe card. Thank you for your attention.
Sunbathing on an idyllic tropical vacation, I was absently skimming over NIST's 3DES encryption specification, when suddenly I was harshly jolted out of my summer daze, coughing my piña colada out of my nose. One of the weak keys was wrong!
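A spec's table of weak keys can be checked mechanically rather than by eye. The following is an added example, not code from the post, and it uses only the public DES key schedule (the PC-1 permutation from FIPS 46) together with the publicly known DES weak keys; the post does not say which NIST entry was wrong, so the mistyped entry in the sample listing below is a constructed one.

```python
"""Audit a DES / 3DES specification's weak-key listing.

Added example, not code from the original post.  A DES key is weak when PC-1
maps it to C0 and D0 registers that are each all-0 or all-1 (every round key
is then identical); it is semi-weak when C0 and D0 each lie in
{all-0, all-1, 0101..., 1010...} without being weak.  The listing checked at
the bottom is constructed for this example.
"""

# PC-1, the DES key permutation (1-based bit positions as in FIPS 46).
# It drops the eight parity bits and yields the 28-bit registers C0 and D0.
PC1 = [
    57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
    10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
    63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
    14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4,
]

ALL0 = "0" * 28
ALL1 = "1" * 28
ALT01 = "01" * 14
ALT10 = "10" * 14


def has_odd_parity(key: bytes) -> bool:
    """Every DES key byte must carry odd parity (bit 8 of each byte is parity)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def pc1(key: bytes) -> tuple[str, str]:
    """Apply PC-1 and return (C0, D0) as 28-character bit strings."""
    bits = "".join(f"{b:08b}" for b in key)  # bit 1 is the leftmost bit
    selected = "".join(bits[p - 1] for p in PC1)
    return selected[:28], selected[28:]


def classify(key: bytes) -> str:
    """Return 'weak', 'semi-weak' or 'ok' for an 8-byte DES key."""
    if len(key) != 8:
        raise ValueError("DES keys are 8 bytes")
    c0, d0 = pc1(key)
    constant = {ALL0, ALL1}
    periodic = constant | {ALT01, ALT10}
    if c0 in constant and d0 in constant:
        return "weak"          # E_k(E_k(x)) == x for these four keys
    if c0 in periodic and d0 in periodic:
        return "semi-weak"     # twelve keys that pair up to undo each other
    return "ok"


def check_listing(listing: dict[str, str]) -> list[str]:
    """Audit a table of {hex_key: claimed_class}; return the discrepancies found."""
    problems = []
    for hexkey, claimed in listing.items():
        key = bytes.fromhex(hexkey)
        if not has_odd_parity(key):
            problems.append(f"{hexkey}: parity error")
        actual = classify(key)
        if actual != claimed:
            problems.append(f"{hexkey}: listed as {claimed}, actually {actual}")
    return problems


# Constructed sample listing: the four well-known DES weak keys plus one
# deliberately mistyped entry (last byte 0E -> 1E) to show how a bad entry is caught.
SAMPLE_LISTING = {
    "0101010101010101": "weak",
    "FEFEFEFEFEFEFEFE": "weak",
    "E0E0E0E0F1F1F1F1": "weak",
    "1F1F1F1F0E0E0E0E": "weak",
    "1F1F1F1F0E0E0E1E": "weak",  # constructed typo: wrong parity and not weak
}

if __name__ == "__main__":
    for problem in check_listing(SAMPLE_LISTING):
        print(problem)
```

The same classifier serves a 3DES key bundle by running it over each 8-byte component, since a weak single-DES component is what makes a 3DES key worth rejecting at the terminal.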
OK everybody, we've finally made it from 1DES to 3DES, now let's keep on going to AES. Come on, let's go, who's with me?! Um, hello? Anyone?
AES is the symmetric crypto algorithm du jour, but AES remains largely unused by retail banking terminals, which have only recently been dragged into the 1990s by migrating from 1DES to 3DES. The journey from 3DES to its successor AES would be fraught with peril: here be dragons.
At the Black Hat conference in 2010, an ATM designed and built by my employer was set up on stage, and a security researcher demonstrated an exploit which emptied out all its cash. For many months prior, I had been my employer's designated point man in responding to this attack...
For RKL, the XFS standard defines a "scheme using certificates" and a "scheme using signatures", and the industry has taken up this jargon. Please allow me to dispel this misnomer. The differences between the so-called certificate and signature schemes are just formatting and organisation; they're fundamentally the same. Both methods follow the same sequence of events, both use certificates, both use signatures, and I would discourage any further use of this inaccurate terminology.
I have observed some hosts using "self-signed" certificates when using SSL to protect their communications with banking terminals. This is tantamount to asking a guest to tell you a password and then verifying that the guest knows this password.