Withdraw With Caution

Apr 1, 2008 12:00 PM, By Stephanie Silk

ATM security; your digital footprint; and more.

Walking up to an ATM gives off an aura of vulnerability. As they dart their eyes and clutch their belongings, customers may find their minds wandering into the tragic possibilities of how the scenario could end. Even in daylight with other people around, an ATM still presents an underlying security risk.

The potential damage of an ATM extends beyond the physical risks of using the machines. According to a white paper from managed security services firm Network Box Corp. Ltd., Hong Kong, ATMs are shifting from using proprietary hardware and software and being connected via a proprietary network to using over-the-counter (OTC) hardware and software and working via IP connectivity. A result is that security of consumers' personal details and their vulnerability to hackers are increasingly becoming a concern. The problem needs to be addressed before a major incident causes the public to lose confidence in this useful tool, according to Network Box.

The number of ATMs in use globally exceeds 1.5 million, with an estimated 192 new ATMs being installed each day. According to Network Box, the global ATM market is expected to reach 2 million by 2011, with more than 73,000 new units this year. Seventy percent of current systems are based on PC/Intel hardware. Running with PC operating systems and using standard IP means they are basically PCs that are housed by fancy peripherals and a vault-like exterior.

The migration of the financial industry in recent years to commodity hardware, operating systems and protocols gives the industry advantages of cost, performance, flexibility, standardization and enhanced functionality. However, the white paper cites threats through the facade of improvements.

Although a person's triple-DES encrypted PIN for the IP-ATM connected to a payment processor across a TCP/IP connection is secure, the problem, according to Network Box, is that while the PIN is protected, the messages being sent are not. The company performed an analysis of ATM network traffic in January, and discovered that only the PIN was encrypted and that a large portion of the traffic traveled in plain text, leaving card numbers, card expiry dates, transaction amounts and account balances clearly readable.

Such an open field is free game to hackers and may entrap ATMs into a possible disaster scenario: An Internet worm spreads from the Internet onto private financial institution networks and infects ATM machines. Not only are those ATMs unable to operate, but they begin to spread the worm to other ATMs and workstation/server computers.

This disaster scenario can happen — and it did in 2003. But Network Box says it doesn't have to happen again even with today's growing rate of new ATMs.

ATM producers attempted to solve the problem by installing personal (software) firewalls on the devices. This solution may protect the operating system and applications inside the ATM from some threats, but it does not solve all the possible scenarios and has its own inherent problems.

“Most people simply assume that because an ATM is invariably provided by a bank, the transactions and the data being transmitted must be secure. This assumption may have been true in the past, but today, ATMs operate in a way that makes them far more susceptible to attack,” says Mark Webb-Johnson, CTO of Network Box. “The chances are that if banks don't use technology that can actually provide an effective level of protection — technology that is already on the market — then it is very likely that more high-profile attacks are to follow.”

Network Box's white paper suggests a solution: A multifunction device with hardware router/firewall/VPN/IDS/IPS capabilities. This would create a network separate from the rest of the bank's network, all while encrypting traffic coming out of the ATM. This would address the three primary threat vectors facing IP-ATMs. According to Network Box, they are:

• Internet Protocol worms and other malicious code penetrating the defenses of the ATM itself or the IP network it is connected to.

• Disruption of the IP network and denial of service.

• Passive collection of transaction data for malicious purposes, resulting in hackers being able to collect a consumer's card number, account balance and transaction history.

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue