Windows-based cash machines 'easily hacked'

Security experts have hacked ATMs to show how easy it is to steal money and bank account details from modern cash machines.

ATMs, or automated teller machines, today face the Internet-born threat of worms and denial-of-service attacks, as well as being at risk from malicious applications that can harvest customer data or hijack machines.

Up to 90 percent of the ATMs in the U.K. could be at risk from these attacks as they rely on desktop PC technology--usually Intel hardware and Windows operating systems--linked to other machines, some connected to the Internet, in the bank's network, according to experts.

Security vendor Network Box illustrated this threat by showing that only the personal identification number was encrypted when information was sent from a U.S. ATM to networked bank computers.

The card numbers, card expiration dates, transaction amounts, and account balances were clearly readable in plain text to anybody intercepting the data as it traveled through the network.

"Cabinet" ATMs, commonly found in shops, pubs, and restaurants, potentially face an even greater danger. Researchers from Information Risk Management (IRM) were able to open their safes and take them over.

An early warning of this insecurity in modern ATMs came in 2003 when the Nachi Internet worm infiltrated "secure" networks and infected ATMs from two financial institutions, while the SQL Slammer worm indirectly shut down 13,000 Bank of America ATMs.

Martin Macmillan, business development director with ATM security specialist Level Four Software, said: "The technology behind ATMs has changed dramatically over the last few years. Banks have largely moved their ATMs across to run operating systems such as Windows connected to a greater range of servers over an IP network.

"An ATM becomes like a PC with attached devices--it has to be kept up-to-date with hot fixes and patches."

--Martin Macmillan, business development director, Level Four Software

That creates a lot of security issues, Macmillan said: "An ATM becomes like a PC with attached devices--it has to be kept up-to-date with hot fixes and patches. It is a much more complex beast, and the security aspects of that need to be at the forefront of a bank's mind."

It is important, he said, for banks to be able to monitor ATM systems at the Windows level for any security holes and to be able to shut the network down in a controlled manner if any problems arise.

Macmillan added that the stability of Windows-based ATMs was worse than that of their OS/2-based predecessors, saying some ATMs suffered downtime of up to 30 percent.

Mark Webb-Johnson, chief technology officer of Network Box, said in the report: "The ATM industry is presented with the same security issues that we all face with our workstations that are connected to (the) Internet. A compromised ATM could result in a network being forced offline, and/or lost customer data and stolen identities."

Gyan Chawdhary, senior security consultant with IRM, told CNET News.com sister site Silicon.com that the shift among ATMs to modern PC infrastructure means it now requires only minimal programming knowledge to hack ATM machines successfully once access has been gained to its system.

"If you are a programmer and you have some programming experience, then it is a cakewalk. If an exploit will work on a home or office computer then it will work on these ATMs," Chawdhary said.

Researchers from IRM were even able to unlock and clear out the safes in two out of three U.K. cabinet ATMs, opening the safe using a default key code they obtained from a safe manual online. They also reset the cabinet ATMs' software using a piece of wire jammed into the receipt slot, giving them access to the engineering mode where they could control the machine.

Link, the company that runs more than 61,000 cash machines in the U.K., said there are stringent measures in place to prevent anybody from accessing its systems and that it will immediately shut down a network the moment it detects an intrusion.

Graham Mott, a Link spokesman, said: "The Link network takes the threat of a criminal attack very seriously and is constantly looking for ways to enhance system security."

Network Box warns that the software firewalls used to protect ATMs are not able to prevent denial-of-service attacks or harvesting of a consumer's personal data after the data travels through the bank's network.

It says the most effective way to protect against these new threats is to use a multifunction device with routing, firewall, intrusion detection system/intrusion prevention system and VPN (virtual private network) capabilities, positioned in front of, and protecting, the ATM network.

Such a device, the company said, should be separated from the rest of the bank's network, and all traffic coming out of the ATM should be encrypted.

Nick Heath of Silicon.com reported from London.

[sanenazok]

Finally a legit story for OS/2

and where's Spock? C'mon it's OS/2 goodness!

[tsi26]

yup

LOL...I thought the same thing!!!

[Commander_Spock]

Aye, Aye there "sanenazok"....

This is Spock... and reading you loud and clear. ;-) :-$ ....

Well, at least this time it was not Commander_Spock and Crew talking... but, according to this CNET NEWS article which states inter alia the "Macmillan added that the stability of Windows-based ATMs was worse than that of their OS/2-based predecessors, saying some ATMs suffered downtime of up to 30 percent...."

What can we say when Bill Gates knew and said it it best (That OS/2 Was A Better "Windows" Than "Windows")!

Guess the Crew needs some R and R at times and may soon transfer certain roles....

Good to see you on the ball "sanenazok" ;-) !

[Clouseau2]

Who could have predicted this?

Gosh, who could have guessed if you switch ATMs to using the least secure OS there is, this could happen? It's inconceivable!

[Galaxy5]

They're also highly annoying...

Why, oh why can't banks even get something like a default
language right for ATMs? Why do I have to pick English or Spanish
every time I bank? And these Windows-based ATMs are
consistently slower than older text-based machines.

[tgrenier]

a bit confused

They stole transactional details minus the pin number via packet sniffing data that was sent by the ATM. Perhaps encryption is an easy answer. Why anyone in their right mind would have an ATM network connected to the internet is beyond me. One more thing, I hate the security by obscurity argument.

[rcrusoe]

Perfect timing

Several of the ATMs in my area were unusable or BSOD this
weekend.

Oh for the days of OS/2 when you could go years without a reboot.
(my company had one OS/2 server run continuously for 63 months
before we had to shut it down to replace some hardware)

[c|net Reader]

Why OS/2?

Why not run *nix? It is more secure and provides plenty of functionality to produce the simple GUIs used by ATMs.

[darthkumquat]

This comment cracked me up. I am an ATM administrator for a bank holding company and we run 150 NCR OS/2 machines. On these machines, TCP/IP was a protocol added on later, and it has a bug in it with a stack overflow on a timer that doesn't roll over like it's supposed to. The net result is that for the last few years NCR OS/2 machines that use TCP/IP have had to be rebooted once every 45 1/2 days (the length of the timer) or they lose communications with their host. To be fair, NCR did release a patch that fixed this last year, but still after dealing with it for so long I thought the "never have to reboot OS/2 ATMs" thing was pretty funny.

[amandachuck]

Because...

That way if someone who doesn't speak English steals your card,
it's easier for them to hack it... ;)

Seriously, all ATMs should print "please enter pin" in each
language, then once you verify, only go to the language you have
preselected with the bank. There should be no choice. "I want to
speak in French today, Spanish tomorrow" is not something any
customer is asking for.

[ralfthedog]

Sounds like fun!

Everyone should learn as many new languages as they can. Perhaps the ATM should just pick a random language each time you put in your card (I think most people would be able to figure out the menus and it would be a cool learning tool.).

It reminds me of a time that I got a call from a friend had to install a copy of Windows 2000 in Japanese. It required a bit more time, but it was allot of fun!

[Vegaman_Dan]

OS/2 has the same issue

It's not the OS that is the problem here, but the fact that the system is broadcasting without encryption. That's something that can easily be fixed as it's a network design issue. OS/2, Windows, OSX- all of it won't matter a bit if you send the data in the clear.

I wonder why the UK banking industry does this but other countries including the US encrypts all that data traffic?

[c|net Reader]

Partly

You're right that network security is a necessary first step, but basing an ATM on a system known for its vulnerability to attach is silly at best.

[tsi26]

Lack of security?!?!?!

The bank I work for...yes doing IT...encrypts the traffic over a VPN. While I suppose it still would possible to attack it using DDOS the only thing that would occur is the ATM would not have access to current balances. Which would only cause a problem with customers that are below a certain amount in their accounts. Meaning the ATM is still operational without a network connection. BTW, the ATM's are still running OS/2 and they are only a couple of years old.

[MMC Racing]

Still missed where they hacked windows....

They exploited lax hardware security that would be there with any OS..

[NewsReader_]

What an imflamatory piece of garbage this is

I am amazed CNET actually published this story with the implication that this was about software.

I read a bunch of reports of people breaking into the ATM safe using a physical means that has nothing to do with the OS it is running. Is this what was meant by 'easily hacked'?

I also read about an internet worm that was killed five years ago.

Plus they talk about capturing traffic between the ATM and the bank on a public network in clear text. Give me a break. If there is a bank doing this then then thier customers have a lot more to worry about than a stupid ATM machine.

A better title for this story:
"Some ATMs need better safes. Written by an anti-Windows journalist"

[t8]

Microsoft hacked and virus are the same

Um Microsoft, hacked, and virus are synonyms.

[ralfthedog]

They cracked the safe by cracking Windows.

The safe had a software key. Break Windows, then send the command to unlock the safe.

[No invasion of privacy]

Solution

Quote: "It says the most effective way to protect against these
new threats is to use a multifunction device with routing,
firewall, intrusion detection system/intrusion prevention
system and VPN (virtual private network) capabilities,
positioned in front of, and protecting, the ATM network."
The most effective way to protect against these new threats is
to - all the above - and use ATMs **that don't run Windows**.

Just thought I would add the logical conclusion to that
statement.

[Robert.CIO]

ATM - Windows-IP - The Next Telephone Booth

With the advent of debit cards, online purchases, and online bill payment the ATM is going the way of the Telephone Booth. As a result, the ATM vendors have thrown one last hail merrry. The plan is to open up that ATMs to to delivery more services. To do so, they have replaced OS/2 with a single server connection to a Windows and IP communications. Now the ATM has multiple IP connections to multiple servers on the back-end. The very nature of this architecture opens up potential risk. Now you have a server for processing financial transactions, a server for managing the physical ATM, a server for managing software distribution/fixs (e.g. SMS), a server for managing customer preferences, a server for managing check deposits images, special hardening of the Windows client, ATM network isolation, server to pull local ATM transactions, server to manage the ATM screen images, server to manage ATM Windows/Application alerts, etc. Now you have a "Windows Desktop" running a large stack of of applicatinos that does not have an employee to tell you when things go wrong. Then you add the extra hardening that is needed for an unmanned Windows Desktop. Yes... it is a LOT different and open to additional points of failure. However, when it comes to encryption it is possible to encrypt the entire message, it is possible to have a VPN or private network. Those last two issues can be resolve by any bank that has a clue about what they are doing.
Bottom line... it is very different, much tougher to manage, and customer service availablity will diminish. After all this work... the ATM is headed for a dead-end. The real question is why would anyone invest in these new "full function windows based" ATMs.

[Commander_Spock]

What banks need to "KNOW" and "DO"!

A. What is/was the cost of developing a new Operating System/VISTA.

B. What will be the cost of paying "top notch" developers to work with IBM to enhance OS/2 and port certain applications like Lotus Notes... to the OS/2 Warp Operating System. Isn't the state of the sub-prime market ridiculous enough to be now concerned about security with ATMs. Compare the cost of enhancements to an Operating System such as OS/2 as against what banks caught up in the sub-prime fiasco stand to loose. Do these dudes running the banking industry really know what they are about?

Here is what customers the world over will/should get (think in terms of the considerations when they choose their doctors... confidence of care et cetera et cetera) therefore, in the cases of the banking and other industries around the world - confidence of security.

Where in the world is IBM!

[t8]

Ha ha

OS/2 Wart.

It runs ATMs.

Wow. It's gonna take over the world and kick Windows and Linux to death.

Yeah right!

[ralfthedog]

"Where in the world is IBM!"

My guess is stuck back in the early 1980s. :)

[solidcore]

Change control catching on

Locking down the ATM platform with change control seems to be
catching on. Take NCR, which is now shipping all of its ATMs with
something Solidcore's change control software embedded on the
systems. http://www.solidcore.com/embedded

[CervezaPorFavor]

Wrong Title!

As highlighted by others in the comments, this has to do with very poor network design & security implementation rather than the OS.

There is NO single "GUI-based OS" at the moment that does not require regular security patches.

Some common sense would have mitigated the problems mentioned in the article.

And yeah, it seems that this article is biased against Windows unnecessarily.

[Penguinisto]

Not really...

[i]"There is NO single "GUI-based OS" at the moment that does
not require regular security patches."[/i]

To be technically correct, there is only one widespread
commercial GUI-based OS out there... Windows.

(OSX can run just fine w/o one as evidenced by XServe, and
Linux runs perfectly fine w/o Xwindows/Xorg.)

/P

[ralfthedog]

Why run a desktop OS for a non desktop application?

This is a job for an ultra stripped down embedded OS that has all executable code in ROM. All code for the ATM (OS and application) should fit inside of 1k. If you want to go ultra fat, fit it in 2k. Anything beyond this is a big sign on the back of the ATM, "Hack me!".

The 2k limit does not include the image file for the bank logo.

[Mister C]

Calling All Shills!

Come on boys, time to break out the noise
and protect your master! This is what M$
is paying you for!

[archaic0]

OK, I realize that this article mentions the UK, and that may give it some credit (maybe they are really insecure over there). I don't know about the UK as a whole, but in general, the article is pure shock and scare tactic. It is quite far from the reality of how ATMs are set up and work. Plus, a chunk of the article explains physical attacks like picking locks and breaking doors... what OS the ATM is running doesn't change that picture, yet it is all presented in a way that seems to attribute all ATM security problems to the OS. It's just sloppy.

The article's point seems to be that because ATMs are using a modern desktop OS, namely Windows, that they are therfore by default in the same category as your standard user at home and are insecure because of it.

There are a couple holes in that premise. Windows is insecure, yes, but saying that all ATMs running Windows are therefore insecure is a leap. Here are my points...

1. (this may be a US only thing, but that would surprise me since VISA is the one who made it happen a couple years ago and I doubt they'd leave out their worldwide networks) But ALL data leaving an ATM these days is 3DES encrypted. The physical construction of the keypad itself where you type your PIN is where the encryption takes place and that piece is sealed with a self-destruct circuit even. So there is no possibility of tapping the information before it gets encrypted and there is no possibility of ease dropping on plain text communication once it leaves that board, much less the ATM. Not one bit of the data is in clear text (except for the phone number or target IP address). The 3DES mandatory upgrade was forced on all ATM owners and all ATM networks refuse any traffic not 3DES encrypted now.

2. ATMs don't run web servers, mail servers, or have users surfing at their desktops to the internet. So even suggesting that they are just as likely to be infected as a user's home PC or Windows server is absurd. These machines don't surf the internet, and don't have any web services running with ports listening to be flooded through (unless the ATM owner has installed them, and they would install those on any OS). There doesn't exist a malware or virus executable that can infect a machine (regardless of the OS) without some user interaction or without a server service listening and allowing traffic in. All infections come in via two methods. Either through a broken web service like a web server or mail server, or a broken user program like a browser or mail client. Neither of which exists on an ATM.

3. Regardless of the OS or the machine, their premise that "once you're in it's easy" is also absurd. If someone gets in, it's because a dumb tech left the keys under the mat. And by that I mean that either someone left default passwords on something, left a remote management port open, or something along those lines and they do it on all devices and OS's they touch. Something I've seen in the real world is a tech installing VNC on every server he had, using default ports, and leaving the password blank or simple like (letmein). This tech will allow an attacker to compromise an ATM regardles of OS. OSX, Linux, proprietary, it does not matter. If you leave the door open, then someone can come in.

I submit that the problem described in the article of the Operating System the ATM is running being a problem is not the problem. The problem that exists is poor, no, actually, just plain stupid security practices by my fellow tech people across ALL operating systems and ALL categories of devices.

Leaving default passwords in place is a security problem with a Linksys router AND a Cisco router. Running a Windows machine with a blank or standard admin password is stupid. Running your Linux web server with a blank or simple root password is just as stupid. In MOST cases the reason for successful attacks falls on the person in control of the device that was compromised and the fact that said person did something that any of us would find unacceptable.

Windows has an insecure track record, but HUMANS have a worse track record and we've allowed all types of devices to be compromised by leaving them unlocked. IF, and I haven't actually seen a case of it really happening yet, but if an ATM in the real world was actually compromised via software, then it would be by way of a reason that is operating system independant. For example, guessing a password.