Banks failing on ATM security

Banks failing on ATM security

Unencrypted messages open to abuse, claims report

Banks and financial institutions are leaving customers' personal details vulnerable to hackers by failing properly to secure their ATMs, according to a new report.

Managed security firm Network Box cited three main threats to ATMs: IP worms, disruption of the IP network and denial of service, and the harvesting of transaction data for malicious purposes.

The company said that ATM security risks have increased because of the changing ways in which they operate.

Many ATMs were built on proprietary hardware, software and communications protocols.

But it is estimated that 70 per cent of current ATMs are based on PC/Intel hardware and commodity operating systems using standard IP networking with some additional peripherals housed in a secure vault-like box.

The report attributes the changes to advantages in cost, performance, flexibility, standardisation and functionality, but points out that these advantages bring increased threats.

In these newer systems the ATM is connected to the payment processor using a TCP/IP connection. However, while the Pin is triple-DES encrypted, the messages themselves are not.

This leaves card numbers, expiry dates, transaction amounts and account balances clearly readable.

A hacker needs only to access some part of the IP network between the IP-ATM and the payment processor to gather the details.

"Most people simply assume that because an ATM is invariably provided by a bank, the transactions and the data being transmitted must be secure," said Mark Webb-Johnson, chief technology officer at Network Box.

"We have already seen how the Nachi worm crossed over into 'secure' networks and infected ATMs for two financial institutions, and SQL Slammer indirectly shutdown 13,000 Bank of America ATMs.

"If banks do not use technology that can provide an effective level of protection it is very likely that more high-profile attacks will follow."

Network Box recommends that all traffic to and from ATM machines should be encrypted, and not just the Pin.

ATM networks should also be separated from the rest of the bank's network, thereby allowing it to be closely monitored and controlled.