Financial fraud studies often show that the most common type of cybercrime hitting banks is not sophisticated malware or hacking efforts, but old-fashioned ATM fraud. At the same time, the expectations of ATM performance grow ever higher. Who has the patience to wait more than a few seconds for an ATM transaction to go through?
The ATM service provider Cash Depot, which serves banks and merchants out of Green Bay, Wis., recently addressed security and performance issues with the deployment of new application delivery networking technology. It reduced transaction time from 12 seconds to two and strengthened the encryption used to protect data entered on its ATMs. The application delivery controller came from Milpitas, Calif.-based Array Networks.
One driver for the upgrade: ATM security requirements were tightened a couple of years ago, when the National Institute of Standards and Technology began recommending a higher-test version of the secure sockets layer protocol for secure transactions, one with a 2048-bit key length. (In encryption, the longer the key length, the harder the code is to break.) The tougher standard is mandated for all SSL certificates that expire at the end of this year, and all new ones issued after Jan. 1.
"It's a more secure standard, but at the same time, to provide that level of encryption is four to eight times more computationally intense," says Paul Andersen, director of marketing at Array Networks.
Cash Depot's ATMs used to have dial-up connections to the company's main servers. "At one time we were doing 3.5 million transactions a month in dial-up mode," recalls Derald Groth, technology architect at the ATM company. "We realized the cost for the telephone call was high, plus it's really slow. If you've ever been at an ATM with dial-in, sitting there as a user is not any fun. You've got other things to do."
The machines initially used 56-bit secure sockets layer encryption, which is prone to man-in-the-middle attacks. In an interim move, Cash Depot brought in SSL offloaders, small network appliances that run on a RISC processor. Although the RISC processor worked well at first, over time the company noticed a slight increase in processor and memory utilization.
In September, Cash Depot switched from 128-bit SSL to 256-bit.
"That brought our boxes down hard; they couldn't process all the transactions and it was a mess," Groth says.
He set about finding the right technology and, equally important, support for higher encryption and faster performance, knowing that the company planned to triple its transaction volume over the next five months. The network currently has 7,000 ATMs. In five months it will more than triple that number.
"Our IT department wears many hats. Not one of us is a programmer for this kind of equipment," Groth says. "It's a unique skill set and we're not sitting here all day doing that stuff." The department has seven people in it, and the company prefers to lean on technology partners for certain things.
The company rejected a few options that were either too expensive or insufficient for its needs. In October it installed Array's application delivery controllers in front of servers running a secure transaction processing switch, providing security for connections between the ATMs and the network as well as providing load balancing and availability. Cash Depot purchased four units and deployed two in the primary data center and two in Cash Depot's disaster recovery data center.
On November 1, with the new Array device in place, Cash Depot processed a peak volume of 400,000 transactions without any delays or hiccups. The first of the month is always a high-traffic day for Cash Depot's ATM transactions because the government issues employee and retirement benefits.
Most security issues at Cash Depot are caused by DoS attacks, which are usually thwarted by the company's firewall and intrusion protection system. Known sources of malicious traffic are blocked. In another security effort, the company buys ATMs only directly from manufacturers such as Hyosung, to avoid unknowingly acquiring ATMs with preinstalled skimmers.
Groth expects to get a return on the investment in the application delivery technology within six months. The holiday season will be another peak period, as will tax season, when H&R Block gives out debit cards loaded with refunds.