It has been estimated that something in the region of 70 percent of the ATMs in current use are based not on the proprietary hardware, software and communication protocol platforms of old but instead on PC/Intel hardware and commodity operating systems, the most popular being Windows XP Embedded. In fact, it is not too much of a stretch of the imagination to think of these ATMs as simple PCs running simple PC operating systems and using the standard Internet Protocol that we are all used to. Of course, all this is housed in a very secure vault-like box along with some additional peripherals, which makes it all OK. Or does it? According to Network Box, a managed security services company which has just published a white paper on the subject of IP-ATM security, banks and financial institutions are failing to properly secure their ATMs, leaving consumers' personal details vulnerable to hackers. The report itself cites three main threats to ATMs: internet protocol (IP) worms; disruption of the IP network and denial of service; and the harvesting of consumers' transaction data for malicious purposes. The latter could result in hackers being able to collect consumers' personal details, such as their card number, account balance and transaction history.
Network Box say that the migration over the last five years towards commodity embedded hardware platforms, commodity operating systems and standard IP networking is to blame for the increase in security exposure. They know why the banks have done it: all the usual business reasons, such as cost, performance, flexibility, standardisation and increased functionality, come to the fore. But are these advantages worth the increased threat profile? For that matter, what is that increased profile? What are the threats that leave ATMs exposed to the hacker who would harvest your personal financial data?
You might think that using triple-DES encrypted PIN numbers for the IP-ATM connected to a payment processor across a TCP/IP connection would be secure enough, and indeed you would be correct. The problem, according to Network Box, is that while the PIN is protected the messages being sent are not. In January 2008 the company performed an analysis of ATM network traffic and discovered that only the PIN number was encrypted and that a large portion of the traffic travelled in plain text, leaving card numbers, card expiry dates, transaction amounts and account balances clearly readable.
It doesn't take a genius to work out that all a determined hacker, and for determined read backed by a highly professional criminal organisation, needs to do is access some part of that IP network between the ATM and payment processor to be privy to the personal detail contained within the unencrypted data stream.
The ATM manufacturers do integrate firewall software on the devices, but this does nothing to prevent unencrypted traffic from leaving the machine; it merely makes it harder for the less professional hacker to get into the ATM itself. As the Network Box report identifies, the clever money is chasing the financial information once it leaves the ATM. So what can be done? The most obvious and most effective solution would be to use a multifunction device with routing, firewall, IDS/IPS and VPN capabilities, positioned in front of, and protecting, the ATM network - a network separated from the rest of the bank's network. Not forgetting to encrypt all traffic coming out of the ATMs, of course.
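As an added illustration (not a tool from Network Box or from the report), here is the kind of audit a bank's own security team could run over messages captured on its ATM network to confirm the gap the January 2008 analysis describes: the PIN block is opaque while the card number, expiry, amount and balance are readable. The pipe-delimited message layout and field names are assumptions made for this example, not a real ATM wire format.

```python
import re

# Constructed sample of an ATM authorisation request as it might cross the
# bank's IP network: only the PIN block is ciphertext (hex), the rest is
# readable. Layout and field names are assumptions for this example.
SAMPLE_REQUEST = (
    b"MTI=0200|PAN=4111111111111111|EXP=0912|AMT=000000010000|"
    b"PINBLK=9F2A6C1D4E8B7A30|TERM=ATM0042|BAL=000000125000"
)

# Fields the report lists as travelling in clear text.
SENSITIVE = {"PAN", "EXP", "AMT", "BAL"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits in any report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_message(raw: bytes) -> dict:
    """Report which sensitive fields are readable in one captured message."""
    findings = {"cleartext": [], "pans": [], "opaque": []}
    for field in raw.decode("ascii", errors="replace").split("|"):
        name, _, value = field.partition("=")
        if name in SENSITIVE:
            findings["cleartext"].append(name)
        # A long hex value with letters in it is treated as ciphertext.
        if re.fullmatch(r"[0-9A-Fa-f]{16,}", value) and not value.isdigit():
            findings["opaque"].append(name)
    # Independent of field names: any Luhn-valid 13-19 digit run is a PAN.
    for run in re.findall(rb"(?<![0-9])[0-9]{13,19}(?![0-9])", raw):
        digits = run.decode()
        if luhn_ok(digits):
            findings["pans"].append(mask_pan(digits))
    return findings
```

Run over traffic that has been wrapped whole in a VPN tunnel, the same audit returns empty lists, which is the state the "encrypt all traffic" recommendation above is aiming for.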
Mark Webb-Johnson, CTO of Network Box, told us: "Most people simply assume that because an ATM is invariably provided by a bank, the transactions and the data being transmitted must be secure. This assumption may have been true in the past, but today ATMs operate in a way that makes them far more susceptible to attack. We've already seen in August 2003 how the Nachi (aka Welchia) Internet worm crossed over into 'secure' networks and infected ATMs for two financial institutions; and we've witnessed the SQL Slammer (aka Sapphire) worm indirectly shut down 13,000 Bank of America ATMs. The chances are that if banks don't use technology that can actually provide an effective level of protection - technology that is already on the market - then it is very likely that more high-profile attacks are to follow."