Editor’s note: ATM Network technicians are so experienced that they routinely uncover and solve problems that the manufacturers themselves missed. This is the story of one such incident.
Because ATM transactions involve money and personal financial information, they are heavily encrypted – the data encoded so that neither the ATM owner nor anyone who sees the data stream can read it.
Specifically, whenever a customer types information — like, say, their PIN number — into an ATM keypad, the keypad takes the number and runs it through a mathematical algorithm that encodes the PIN so that only the transaction-processing server can read it.
Because the algorithms are the key to reading the encrypted information, they’re treated with a level of security normally reserved for nuclear launch codes. The manufacturer keeps control of the algorithm, and distributes a randomly generated “master key” that can decode it. The key is broken into two halves. The manufacturer keeps one half; the other half is split in half again and the pieces sent to ATM Network. Each piece is entered by different people, and the ATM downloads the manufacturer’s half from a secure server. So no one has the whole key.
A few years ago, a major manufacturer’s machines began dropping their encryption. Rather than send unencrypted information, the machines took themselves out of service, displaying an error code saying the keypads had been tampered with.
Except the keypads hadn’t been tampered with. Plus it was happening a lot: some merchants were calling twice a week. And every time it happened, the only way to fix it was to install a new master key — which meant sending out two techs with the two halves of the code, or sending out a tech with one half and mailing the other half to the machine’s owner. Either way, it was a lot of expensive service calls.
Our troubleshooting team got involved. Since the error code mentioned keypads and the keypads were part of the encryption process, they began replacing keypads and sending the old keypads back to the manufacturer for examination. That sometimes solved the problem, but more often than not the replacement keypads would fail, too.
The manufacturer wasn’t being particularly helpful, so the team sat down to examine the keypads.
Each pad had a circuit board on the back that contained the encryption chips. The board drew power from the ATM, with a battery backup in case the power went out. The team tested the board, checking connections, looking for broken circuits and so on. Everything seemed fine.
Then a tech noticed that the backup battery appeared to be loose. Closer examination revealed that it wasn’t soldered to the board. A quick test confirmed that it was able to move just enough to disrupt the circuit bringing power to the encryption chips.
But so what? It was the battery backup, not the main power line. The problem would only affect the machine if it lost power.
Unfortunately, the machine was designed so that resetting any error code — including “out of paper” or “out of cash” messages — required turning off the power. Some quick checking confirmed that the problem only cropped up when the machine lost power or was turned off.
The solution? Resolder the battery to the board.
ATM Network alerted the manufacturer, which addressed the problem in a technical bulletin. But instead of fixing the problem by properly soldering the boards during production, the manufacturer just updated the machine’s software so error codes could be reset without turning the machine off.
Because of that, the problem still crops up from time to time. Every time it does, ATM Network technicians fix the problem permanently by resoldering the boards.
Neither the manufacturer nor any other company had managed to solve the mystery. Indeed, the manufacturer was spending a small fortune on replacement keypads. Only ATM Network had the expertise and dedication to find a solution.
Postscript: Issues like this are one reason ATM manufacturers are starting to build in remote key capabilities into their software: it allows master keys to be sent and managed electronically, increasing security while cutting down on the need for technician visits. Listen to this remote key webinar if you’re interested in learning more about them.
