Feb 18th, 2008, 7:41 pm
It has been estimated that something in the region of 70 percent of the ATMs in current use are based not on the proprietary hardware, software and communication protocol platforms of old but instead on PC/Intel hardware and commodity operating systems, the most popular being Windows XP embedded. In fact, it is not too much of a stretch of the imagination to think of these ATMs as being simple PCs running simple PC operating systems and using the standard Internet Protocol that we are all used to. Of course, all this is housed in a very secure vault-like box along with some additional peripherals, which makes it all OK. Or does it? According to Network Box, a managed security services company which has just published a white paper on the subject of IP-ATM security, banks and financial institutions are failing to properly secure their ATMs, leaving consumers' personal details vulnerable to hackers. The report itself actually cites three main threats to ATMs: internet protocol (IP) worms; disruption of the IP network and denial of service; and the harvesting of consumers' transaction data for malicious purposes. The latter could result in hackers being able to collect consumers' personal details, such as their card number, account balance and transaction history.

Network Box say that the migration towards commodity-embedded hardware platforms, commodity operating systems and standard IP networking across the last five years is to blame for the increase in exposure as far as the security risk is concerned. They know why the banks have done it: all the usual business reasons, such as cost, performance, flexibility, standardisation and increased functionality, come to the fore. But are these advantages worth the increased threat profile? For that matter, what is that increased profile? What are the threats that leave ATMs exposed to the hacker who would harvest your personal financial data?

You might think that using triple-DES encrypted PIN numbers for the IP-ATM connected to a payment processor across a TCP/IP connection would be secure enough, and indeed you would be correct. The problem, according to Network Box, is that while the PIN is protected the messages being sent are not. In January 2008 the company performed an analysis of ATM network traffic and discovered that only the PIN number was encrypted and that a large portion of the traffic travelled in plain text, leaving card numbers, card expiry dates, transaction amounts and account balances clearly readable.

It doesn't take a genius to work out that all a determined hacker, and for determined read backed by a highly professional criminal organisation, needs to do is access some part of that IP network between the ATM and payment processor to be privy to the personal detail contained within the unencrypted data stream.
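The failure mode described in the two paragraphs above (PIN block encrypted, everything else in the clear) is something a bank's own monitoring can test for on the link between the ATM estate and the payment processor. The following is an added example, not code from the DaniWeb post or from Network Box's report: it scans a captured message for Luhn-valid card numbers in clear text and measures how much of the payload is printable ASCII, which is near 1.0 for plain-text framing and low for a message encrypted end to end. The pipe-delimited field layout, the test card number and both captures are constructed for the example; they are not a real ATM protocol.

```python
# Added example (not from the DaniWeb post or Network Box's report): a small
# link-monitoring check for the failure mode the article describes, where the
# PIN block is encrypted but the rest of the ATM-to-processor message is not.
# The message layout and the two captures below are constructed for the example.
import re
from dataclasses import dataclass

# Candidate primary account numbers: 13-19 digit runs not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn (mod 10) check used on card numbers; weeds out most
    non-card digit runs such as timestamps or reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits in any report or log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    kind: str      # what was found ("pan")
    offset: int    # byte offset in the captured payload
    value: str     # masked value, safe to log


def printable_ratio(payload: bytes) -> float:
    """Share of bytes in the printable-ASCII range. A message that is
    encrypted end to end looks random, so this ratio is low; the plain-text
    framing the article describes pushes it close to 1.0."""
    if not payload:
        return 0.0
    printable = sum(1 for b in payload if 0x20 <= b <= 0x7E)
    return printable / len(payload)


def scan_payload(payload: bytes) -> list[Finding]:
    """Return Luhn-valid card numbers found in clear text in the payload."""
    text = payload.decode("latin-1")  # one char per byte, so offsets stay exact
    return [
        Finding("pan", m.start(), mask_pan(m.group(0)))
        for m in PAN_RE.finditer(text)
        if luhn_valid(m.group(0))
    ]


def audit_capture(payload: bytes, cleartext_threshold: float = 0.9) -> dict:
    """Combine both heuristics into one verdict for a captured message."""
    findings = scan_payload(payload)
    return {
        "likely_cleartext": printable_ratio(payload) >= cleartext_threshold,
        "pan_findings": findings,
        "exposed": bool(findings),
    }


# Constructed capture 1: pipe-delimited fields with only the PIN block encrypted.
# The PAN is a well-known test number, not a real card.
CAPTURE_PIN_ONLY = (
    b"0200|PAN=4111111111111111|EXP=0812|AMT=000000020000"
    b"|BAL=000000153021|PINBLK=7f3a9c0e12b4d6f8|TERM=ATM0042"
)

# Constructed capture 2: stand-in for the same message after end-to-end
# encryption (arbitrary bytes chosen for the example, not real ciphertext).
CAPTURE_ENCRYPTED = bytes([
    0x8F, 0x02, 0xA7, 0xD3, 0x19, 0xEE, 0x41, 0x7B,
    0xC4, 0x00, 0x5A, 0x93, 0xFA, 0x36, 0x0D, 0xB1,
])

if __name__ == "__main__":
    for name, capture in (("pin-only", CAPTURE_PIN_ONLY),
                          ("end-to-end", CAPTURE_ENCRYPTED)):
        print(name, audit_capture(capture))
```

Run as a script it prints a verdict for each capture: the PIN-only message is flagged as clear text with one masked card number, the encrypted stand-in produces no findings. The Luhn filter is what keeps the amount, balance and terminal fields from being reported as card numbers, and the masking means the monitor itself never logs a full PAN.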

The ATM manufacturers do integrate firewall software on the devices, but these do nothing to prevent unencrypted traffic from leaving the machine; they just make it harder for the less professional hacker to get into the ATM itself. As the Network Box report identifies, the clever money is chasing the financial information once it leaves the ATM. So what can be done? The most obvious and most effective solution would be to use a multifunction device with routing, firewall, IDS/IPS and VPN capabilities, positioned in front of, and protecting, the ATM network - a network separated from the rest of the bank's network. Not forgetting to encrypt all traffic coming out of the ATM machines of course.

Mark Webb-Johnson, CTO of Network Box, told us "Most people simply assume that because an ATM is invariably provided by a bank, the transactions and the data being transmitted must be secure. This assumption may have been true in the past, but today ATMs operate in a way that makes them far more susceptible to attack. We've already seen in August 2003 how the Nachi (aka Welchia) Internet worm crossed over into 'secure' networks and infected ATMs for two financial institutions; and we've witnessed the SQL Slammer (aka Sapphire) worm indirectly shutdown 13,000 Bank of America ATMs. The chances are that if banks don't use technology that can actually provide an effective level of protection - technology that is already on the market - then it is very likely that more high-profile attacks are to follow."
This blog entry was written by Davey Winder, staff writer aka happygeek. It has received 1,746 views, 3 comments, and 28 linkbacks. 1 voter has rated this entry 5 out of 5 stars. It was promoted to featured status Feb 18th, 2008.

Comments (Newest First)
sanzilla | Newbie Poster | Feb 22nd, 2008
Because the embedded Windows is smaller than the desktop Windows operating system, the security risks are assumed lower. The desktop Windows is 40 million lines of code and I think and hope that embedded Windows is fewer lines of code than this. Today any operating system is open to an unknown 0day security risk. This risk is a technological failure among any operating system. Because the complexity is very high, it's easy to find a place where you can bypass the security. This increases with the lines of code. Anyway the problem that you are mentioning can be the problem of using the old hardware, not software. For example the new 64-bit computing introduces new features to provide the defence for stack based overflows.

For an embedded device that should pose no threat. They're not visiting websites, and aren't running web and mail servers.
This problem comes when you web browse with a sensitive web browser. Use a non-sensitive web browser always when you are doing the MONEY TRANSACTIONS OVER internet. A good non-sensitive web browser is MOZILLA. But the Internet Explorer is a sensitive web browser. For example if you visited a JavaScript cross scripting vulnerability vulnerable form and then you did your transactions, the attacker can take the advantage.
jwenting | duckman | Feb 19th, 2008
And it's in reality no problem at all, as they're all using private connections to central computers and are not, as the alarmist report wants you to think, connected to the internet without any firewalls or virus scanners.

In reality even people without those who run Windows are at minimal risk unless they actively engage in insecure activities like visiting shady websites or using p2p clients to download pirated content.

In 10 years online the ONLY times my virus scanners and firewalls have ever detected a serious intrusion attempt were when visiting websites; the only attempts that could have done damage that came in unsolicited (so were not the result of code embedded in some html page) were assaults on my web and mail servers.
For an embedded device that should pose no threat. They're not visiting websites, and aren't running web and mail servers.
Combine that with not being on an open network at all and there's no problem (unless that private network were compromised, in which case the criminals would have access to the central banking computers already and not need to look at incoming traffic from ATMs).
jbennet | Microsoft Fanboy | Feb 19th, 2008
Most ATMs in my country run XP embedded, OS/2, NT4 or Windows CE