Secure Socket Layer (SSL)

Keep Your ATM Secure

Like MACing, SSL/TLS also provides a method for the ATM to authenticate the host and additionally provides encryption and integrity between the Host and the ATM connected via TCP/IP (either hard wired, or with a wireless communication box). You will need Triton software version 2.4.0 software or later for the ATM to be SSL capable. The Host/Processor will provide you with configuration information to allow you to set up your ATM to communicate SSL with their network. Additional certificate updates may need to be loaded on the ATM because of Triton’s validation of certificate authority and dates (confirm with your host processor).

 If the ATM does not verify that the certificate was issued by a trusted authority, then the ATM does not authenticate the host, and an attacker can insert themselves between the ATM and the host as a man-in-the-middle, or the attacker can stand-in as a fake host. Unbeknownst to the card-holder, the attacker can eavesdrop on all communications, for example capturing the card’s track-2 data. And if no other authentication technique is employed (such as MACing), the attacker can also modify the communications, such as changing the transaction’s dollar amount or converting a declined result to approved. It can be argued that there is no risk of an attacker inserting themselves, that’s why SSL is being used in the first place — the very use of SSL is an admission of the risk of a malicious interloper.

 Anyone can generate their own certificate, containing any arbitrary data. It takes just a few seconds using the free software OpenSSL. If an ATM does not verify that the certificate is current and was issued by a trusted authority, then the ATM cannot differentiate an attacker’s bogus certificate from a host’s legitimate certificate.

Triton has been told by our customers that this feature makes a Triton more difficult to operate in the field. Security is not always convenient. When making decisions between convenience and security, Triton will always err on the side of security. We hope that our customers understand this as we work to keep your portfolio safe.