The Network Box report cites three main threats to ATMs: Internet Protocol (IP) worms; disruption of the IP network and Denial of Service (DoS) attacks; and the harvesting of consumers’ transaction data for malicious purposes. The latter could result in hackers being able to collate consumers’ personal details, such as their card number, account balance and recent transaction history.
Why have ATMs become less secure?
Security risks around ATMs have increased because of the changing ways in which the machines operate. Traditionally, ATMs were built on proprietary hardware platforms with proprietary software and communications protocols. However, the trend over the past few years has seen a migration towards commodity-embedded hardware platforms (essentially PC-based with Intel microprocessors), commodity operating systems (principally Windows and Linux) and standard IP networking.
It’s estimated that approximately 70% of current ATMs are now based on PC/Intel hardware and commodity operating systems (mostly Windows XP-embedded), and that trend is expected to continue. Essentially, these new ATMs are PCs running PC operating systems, using the standard IP with additional peripherals housed in a secure, vault-like box.
Why have banks switched to these new systems and protocols?
There are a number of advantages for migrating to such commodity hardware, operating systems and protocols, such as cost, performance, flexibility, standardisation and enhanced functionality. However, with those advantages come increased threats.
How might hackers harvest consumers’ personal details?
An IP-ATM is connected to the payment processor using a TCP/IP connection. However, while the PIN is triple-DES encrypted, the messages themselves are not. In January, a detailed analysis of ATM network traffic conducted by Network Box found that only the PIN was encrypted, and that a large proportion of the traffic travelled in plain text, thereby leaving card numbers, expiry dates, transaction amounts and account balances clearly readable. Therefore, a hacker needs only to access some part of the IP network between the IP-ATM and the payment processor to be privy to the aforementioned details.
Why is the personal (software) firewall solution favoured by ATM producers so ineffective?
Currently, the only response by ATM producers has been the installation of a personal (software) firewall on the ATM devices themselves. However, this doesn’t counter the three main threats outlined in the Network Box report, and also presents its own inherent problems.
The issues of DoS attacks and disruption to the IP network remain because personal firewalls aren’t designed to protect against these threats. Also, they cannot prevent the harvesting of consumers’ personal details because the traffic still goes out unencrypted, and is still vulnerable to eavesdropping.
Personal firewalls may partially address the issue of IP worms. However, because personal firewalls run on the same computer as that which they’re protecting, they are vulnerable to being infected, modified or disabled by viruses, Trojans or network worms which are present in other applications on the same computer.
How can ATM producers solve the three primary threats?
The most effective way to solve the issues outlined above is to use a multifunction device with routing, firewall, IDS/IPS and Virtual Private Network capabilities positioned in front of – and protecting – the ATM network. Such a network should be separated from the rest of the bank’s network, at the same time being closely monitored and controlled. It would also be desirable to encrypt all traffic emanating from the ATMs. There’s no good reason why only the PINs ought to be encrypted.
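One way a bank's network team could check that traffic leaving the ATM segment really is encrypted is to scan captured payloads for card numbers that are still readable. The sketch below is an added example, not taken from the Network Box white paper; the message layout and both sample payloads are constructed for illustration, and the function names are hypothetical.

```python
import re

# Candidate PANs: 13-19 digits, optionally grouped by single spaces or hyphens.
PAN_CANDIDATE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits for reporting."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(payload: bytes) -> list[tuple[int, str]]:
    """Return (offset, masked PAN) for each Luhn-valid card number in payload."""
    findings = []
    for m in PAN_CANDIDATE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_valid(digits):  # drops amounts, timestamps and other digit runs
            findings.append((m.start(), mask(digits)))
    return findings


# Constructed samples (assumed layout, not a real ATM message format):
# only the PIN block is encrypted in the first; the second stands in for
# a payload carried inside an encrypted tunnel.
CLEARTEXT_SAMPLE = (b"TXN=WDL;PAN=4111111111111111;EXP=1212;"
                    b"AMT=000000010000;PINBLK=9F3A6C21D0E4B758")
ENCRYPTED_SAMPLE = bytes.fromhex("8f1c3ad2e4b90a77c3d15e6f0b2a9948d7e0115c")

if __name__ == "__main__":
    for name, data in [("cleartext", CLEARTEXT_SAMPLE),
                       ("tunnelled", ENCRYPTED_SAMPLE)]:
        print(name, find_cleartext_pans(data))
```

Any finding on a link that is supposed to be tunnelled indicates the encryption is not being applied end to end; findings are masked so the check itself does not create a new store of card data.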
The growth of the ATM market
It took 33 years for the ATM industry to reach the one million terminals mark, and then only six years to reach 1.5 million. The global ATM market is expected to reach two million units by 2011, with more than 73,000 new units installed this year alone. The percentage share of so-called ‘off-site’ deployments has now reached 45%.
Commenting on these statistics, Mark Webb-Johnson (the CTO of Network Box) told info4security: “Most people simply assume that because an ATM is invariably provided by a bank, the transactions and the data being transmitted must be secure. That assumption may well have been true in the past, but today ATMs operate in a way that makes them far more acceptable to attack.”
Webb-Johnson added: “In August 2003, we saw how the Nachi (aka Welchia) Internet worm crossed over into ‘secure’ networks and infected ATMs for two major financial institutions. We’ve also witnessed the SQL Slammer (aka Sapphire) worm indirectly shut down 13,000 ATMs owned and operated by Bank of America. The chances are that if the banks don’t use technology that can actually provide an effective level of protection, then it’s very likely that more high profile attacks will follow.”
Copies of the White Paper entitled ‘IP-ATM Security’ may be downloaded free of charge from www.network-box.co.uk/whitepapers