Banking ATM security white paper available.

Network Box : 22 February, 2008  (Technical Article)
Network Box white paper shows that banks could do much more to ensure the protection of their ATMs from IP worms, denial of service attacks and other threats.
Banks and financial institutions are failing to properly secure their ATMs, leaving consumers' personal details vulnerable to hackers, according to IP-ATM Security, a new white paper from managed security services company, Network Box.

The report cites three main threats to ATMs: internet protocol (IP) worms; disruption of the IP network and denial of service; and the harvesting of consumers' transaction data for malicious purposes. The latter could result in hackers being able to collect consumers' personal details, such as their card number, account balance and transaction history.

The key findings of IP-ATM Security can be found below, while the white paper itself can be downloaded from the Network Box web site.

Security risks around ATMs have increased because of the changing ways in which ATMs operate. Traditionally, ATMs were built on proprietary hardware platforms with proprietary software and communications protocols. However, the trend over the past few years has been a migration to commodity embedded hardware platforms (essentially PC-based with Intel microprocessors), commodity operating systems (primarily Windows and Linux), and standard IP networking.

It is estimated that some 70 per cent of current ATMs are now based on PC/Intel hardware and commodity operating systems (mostly Windows XP embedded) and this trend is expected to continue. Essentially, these new ATMs are PCs that are running PC operating systems, using the standard Internet Protocol (IP) with some additional peripherals housed in a secure vault-like box.

Why banks have switched to these new systems and protocols
There are a number of advantages to migrating to such commodity hardware, operating systems and protocols, such as cost, performance, flexibility, standardisation and enhanced functionality. But with these advantages come increased threats.

An IP-ATM is connected to the payment processor using a TCP/IP connection. However, while the PIN number is triple-DES encrypted, the messages themselves are not. In January 2008, an analysis of ATM network traffic by Network Box found that only the PIN number was encrypted and that a large portion of the traffic travelled in plain text, leaving card numbers, card expiry dates, transaction amounts and account balances clearly readable. Therefore, a hacker needs only to access some part of the IP network between the IP-ATM and the payment processor to be privy to the aforementioned details.

Currently, the only response by ATM producers has been the installation of a personal (software) firewall on the ATM devices themselves. However, this does not counter the three main threats outlined in the report, and also presents its own inherent problems.

The issues of denial of service (DoS) attacks and disruption of the IP network remain because personal firewalls are not designed to protect against these threats. Also, they cannot prevent the harvesting of consumers' personal details because the traffic still goes out unencrypted and is still vulnerable to eavesdropping.

Personal firewalls may partially address the issue of IP worms. However, because personal firewalls run on the same computer that they are protecting, they are vulnerable to being infected, modified, or disabled by viruses, Trojans, or network worms which are present in other applications on that same computer.

The most effective way to solve the issues outlined above is to use a multifunction device with routing, firewall, IDS/IPS and VPN capabilities, positioned in front of, and protecting, the ATM network. Such a network should be separated from the rest of the bank's network, and be closely monitored and controlled. It would also be desirable to encrypt all traffic coming out of the ATM machines; there is no reason why only the PIN numbers should be encrypted.
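Added example, not part of the Network Box white paper or the original article: a check a defender could run over payloads captured on the ATM segment to confirm whether card numbers are readable on the wire, as the January 2008 traffic analysis found, or are hidden once all traffic is encrypted. The message layout, field names, capture labels and byte strings are constructed for illustration and do not represent a real ATM protocol.

```python
import re

# Runs of 13-19 ASCII digits, the length range of payment card numbers.
PAN_CANDIDATE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum; filters out counters and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: bytes) -> str:
    """Report first six and last four digits only, so the audit log holds no full PAN."""
    s = digits.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def audit(captures: dict) -> dict:
    """Map each capture label to the masked card numbers readable in its payload."""
    return {
        label: [mask(m.group()) for m in PAN_CANDIDATE.finditer(payload)
                if luhn_ok(m.group())]
        for label, payload in captures.items()
    }


# Constructed samples. The field layout is invented for illustration, the PAN is
# the common 4111... test number, and the hex strings stand in for ciphertext.
PIN_BLOCK = bytes.fromhex("8fa3c9e17bd2f4a6")
SAMPLES = {
    "atm-link-cleartext": b"MTI=0200|PAN=4111111111111111|EXP=1012|AMT=000000020000"
                          b"|STAN=1234567890123456|PINBLK=" + PIN_BLOCK,
    "atm-link-vpn": bytes.fromhex("0c5eb1d7936af2c8e47a1fb98d05c36e"
                                  "a2f9d1476bc8e05f8fa3c9e17bd2f4a6"),
}

if __name__ == "__main__":
    for label, hits in audit(SAMPLES).items():
        print(label, "FAIL" if hits else "ok", hits)
```

The first sample fails the audit even though its PIN block is opaque, which is the condition the white paper describes; the 16-digit trace number in the same message is rejected by the Luhn check rather than reported as a card number.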

It took 33 years for the ATM industry to reach the 1 million mark, and then only six years to reach 1.5 million. The global ATM market is expected to reach 2 million by 2011, with more than 73,000 new units in 2008, and the percentage share of off-site deployments has reached 45%.

Mark Webb-Johnson, CTO of Network Box, comments: "Most people simply assume that because an ATM is invariably provided by a bank, the transactions and the data being transmitted must be secure. This assumption may have been true in the past, but today ATMs operate in a way that makes them far more susceptible to attack.

"We've already seen in August 2003 how the Nachi (aka Welchia) Internet worm crossed over into 'secure' networks and infected ATMs for two financial institutions; and we've witnessed the SQL Slammer (aka Sapphire) worm indirectly shut down 13,000 Bank of America ATMs. The chances are that if banks don't use technology that can actually provide an effective level of protection - technology that is already on the market - then it is very likely that more high-profile attacks are to follow."