It has been estimated that something in the region of 70 percent of the ATMs in current use are based not on the proprietary hardware, software and communication protocol platforms of old but instead on PC/Intel hardware and commodity operating systems, the most popular being Windows XP Embedded. In fact, it is not too much of a stretch of the imagination to think of these ATMs as being simple PCs running simple PC operating systems and using the standard Internet Protocol that we are all used to. Of course, all this is housed in a very secure vault-like box along with some additional peripherals, which makes it all OK. Or does it? According to Network Box, a managed security services company which has just published a white paper on the subject of IP-ATM security, banks and financial institutions are failing to properly secure their ATMs, leaving consumers' personal details vulnerable to hackers. The report itself cites three main threats to ATMs: Internet Protocol (IP) worms; disruption of the IP network and denial of service; and the harvesting of consumers' transaction data for malicious purposes. The latter could result in hackers being able to collect consumers' personal details, such as their card number, account balance and transaction history.

Network Box say that the migration towards commodity-embedded hardware platforms, commodity operating systems and standard IP networking across the last five years is to blame for the increase in exposure as far as the security risk is concerned. They know why the banks have done it, all the usual business reasons such as cost, performance, flexibility, standardisation and increased functionality come to the fore. But are these advantages worth the increased threat profile? For that matter, what is that increased profile? What are the threats that leave ATMs exposed to the hacker who would harvest your personal financial data?

You might think that using triple-DES encrypted PIN numbers for the IP-ATM connected to a payment processor across a TCP/IP connection would be secure enough, and indeed you would be correct. The problem, according to Network Box, is that while the PIN is protected the messages being sent are not. In January 2008 the company performed an analysis of ATM network traffic and discovered that only the PIN number was encrypted and that a large portion of the traffic travelled in plain text, leaving card numbers, card expiry dates, transaction amounts and account balances clearly readable.

It doesn't take a genius to work out that all a determined hacker, and for determined read backed by a highly professional criminal organisation, needs to do is access some part of that IP network between the ATM and payment processor to be privy to the personal detail contained within the unencrypted data stream.

The ATM manufacturers do integrate firewall software on the devices, but these do nothing to prevent unencrypted traffic from leaving the machine; they just make it harder for the less professional hacker to get into the ATM itself. As the Network Box report identifies, the clever money is chasing the financial information once it leaves the ATM. So what can be done? The most obvious and most effective solution would be to use a multifunction device with routing, firewall, IDS/IPS and VPN capabilities, positioned in front of, and protecting, the ATM network - a network separated from the rest of the bank's network. Not forgetting to encrypt all traffic coming out of the ATM machines, of course.
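The gap the report describes (PIN block encrypted, everything else readable) and the kind of monitoring a bank could run on the IDS/IPS placed in front of a segregated ATM segment, as an added example in Python that is not part of the Network Box report or this article; the sample payloads are constructed and the field layout is an assumption, not a real ATM protocol:

```python
import re
from typing import List

# Candidate primary account numbers (PANs): 13-19 digits, optionally
# separated by spaces or dashes, as they appear in cleartext messages.
_PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum that every real PAN satisfies; it filters out
    timestamps, trace numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep only the first 6 and last 4 digits so the alert itself is not
    another cleartext copy of the card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_cleartext_pans(payload: bytes) -> List[str]:
    """Return masked, Luhn-valid PANs found in one captured payload."""
    found = []
    for m in _PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_valid(digits):
            found.append(mask(digits))
    return found

# Constructed sample payloads, not real captures. 4111111111111111 is a
# well-known test PAN; the TRACE value fails Luhn and must not alert.
SAMPLES = {
    "atm01-plaintext": b"0200|PAN=4111111111111111|AMT=000000020000|EXP=1212|"
                       b"PINBLOCK=2D4F7C1A9B3E5D60|TRACE=4111111111111112",
    "atm02-tunnelled": bytes(range(17, 80)),  # stands in for VPN ciphertext
}

def scan_segment(samples=SAMPLES) -> dict:
    """Map each payload name to the masked PANs seen in clear text."""
    return {name: find_cleartext_pans(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, pans in scan_segment().items():
        print(f"{name}: {'ALERT ' + ', '.join(pans) if pans else 'clean'}")
```

Once the ATM traffic is carried inside a VPN, as the article recommends, the same check sees only ciphertext and stays quiet; an alert therefore means a message has left the ATM unencrypted.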

Mark Webb-Johnson, CTO of Network Box, told us "Most people simply assume that because an ATM is invariably provided by a bank, the transactions and the data being transmitted must be secure. This assumption may have been true in the past, but today ATMs operate in a way that makes them far more susceptible to attack. We've already seen in August 2003 how the Nachi (aka Welchia) Internet worm crossed over into 'secure' networks and infected ATMs for two financial institutions; and we've witnessed the SQL Slammer (aka Sapphire) worm indirectly shut down 13,000 Bank of America ATMs. The chances are that if banks don't use technology that can actually provide an effective level of protection - technology that is already on the market - then it is very likely that more high-profile attacks are to follow."

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


And it's in reality no problem at all, as they're all using private connections to central computers and are not, as the alarmist report wants you to think, connected to the internet without any firewalls or virus scanners.

In reality even people without those who run Windows are at minimal risk unless they actively engage in insecure activities like visiting shady websites or using p2p clients to download pirated content.

In 10 years online the ONLY times my virus scanners and firewalls have ever detected a serious intrusion attempt were when visiting websites; the only attempts that could have done damage that came in unsolicited (so were not the result of code embedded in some HTML page) were assaults on my web and mail servers.
For an embedded device that should pose no threat. They're not visiting websites, and aren't running web and mail servers.
Combine that with not being on an open network at all and there's no problem (unless that private network were compromised, in which case the criminals would have access to the central banking computers already and not need to look at incoming traffic from ATMs).


Because embedded Windows is smaller than the desktop Windows operating system, the security risks are assumed lower. Desktop Windows is 40 million lines of code and I think and hope that embedded Windows is fewer lines of code than this. Today any operating system is open to an unknown 0day security risk. This risk is a technological failure among any operating system. Because the complexity is very high, it's easy to find a place where you can bypass the security. This increases with the lines of code. Anyway, the problem that you are mentioning can be the problem of using the old hardware, not software. For example the new 64-bit computing introduces new features to provide defence for stack based overflows. "For an embedded device that should pose no threat. They're not visiting websites, and aren't running web and mail servers." This problem comes when you web browse with a sensitive web browser. Use a non-sensitive web browser always when you are doing MONEY TRANSACTIONS OVER the internet. A good non-sensitive web browser is MOZILLA. But Internet Explorer is a sensitive web browser. For example, if you visited a JavaScript cross-scripting vulnerable form and then did your transactions, the attacker can take advantage.


Most ATMs in my country run XP embedded, OS/2, NT4 or Windows CE

Nicely said, very good. Now a hacker has that information; can you pls say what your country is? That's the only information that you really did not mention, but that can be found very easily using your username.


Most offices, either public or private, use ATMs for the respective salaries of the employees. It is good that even when you are far from the office, you can claim your salary in just a minute. On the other hand, since the ATM outlets are located in public places, using them is vulnerable to hackers. Bank of America doesn't seem to live up to its name. A real Bank of AMERICA wouldn't treat its current and potential customers like they didn't matter, because unless you're some kind of investor, high roller type, they don't care about you. At least that's the impression they give a lot of people, as they've been cutting anyone's attempt at getting a cash advance if they need one, and charging outrageous fees at out-of-network ATM machines. They also are known for charging fees for cashing paychecks if a person isn't a customer there, in spite of the fact that it's a Bank of America cashier's check! An imperious air, taking advantage of the common man; that sounds more like the Bank of the Soviet Union than the Bank of America.
