Get Smart about Business Spending
- Related Stories
-
The next generation of security threats
December 5, 2007 -
Nachi variant sends a political message
February 12, 2004 -
Damage control
February 6, 2003 - Related Blogs
-
Citibank limits ATM withdrawals in New York City
January 7, 2008
ATMs, or automated teller machines, today face the Internet-born threat of worms and denial-of-service attacks, as well as being at risk from malicious applications that can harvest customer data or hijack machines.
Up to 90 percent of the ATMs in the U.K. could be at risk from these attacks as they rely on desktop PC technology--usually Intel hardware and Windows operating systems--linked to other machines, some connected to the Internet, in the bank's network, according to experts.
Security vendor Network Box illustrated this threat by showing that only the personal identification number was encrypted when information was sent from a U.S. ATM to networked bank computers.
The card numbers, card expiration dates, transaction amounts, and account balances were clearly readable in plain text to anybody intercepting the data as it traveled through the network.
"Cabinet" ATMs, commonly found in shops, pubs, and restaurants, potentially face an even greater danger. Researchers from Information Risk Management (IRM) were able to open their safes and take them over.
An early warning of this insecurity in modern ATMs came in 2003 when the Nachi Internet worm infiltrated "secure" networks and infected ATMs from two financial institutions, while the SQL Slammer worm indirectly shut down 13,000 Bank of America ATMs.
Martin Macmillan, business development director with ATM security specialist Level Four Software, said: "The technology behind ATMs has changed dramatically over the last few years. Banks have largely moved their ATMs across to run operating systems such as Windows connected to a greater range of servers over an IP network.
That creates a lot of security issues, Macmillan said: "An ATM becomes like a PC with attached devices--it has to be kept up-to-date with hot fixes and patches. It is a much more complex beast, and the security aspects of that need to be at the forefront of a bank's mind."
It is important, he said, for banks to be able to monitor ATM systems at the Windows level for any security holes and to be able to shut the network down in a controlled manner if any problems arise.
Macmillan added that the stability of Windows-based ATMs was worse than that of their OS/2-based predecessors, saying some ATMs suffered downtime of up to 30 percent.
Mark Webb-Johnson, chief technology officer of Network Box, said in the report: "The ATM industry is presented with the same security issues that we all face with our workstations that are connected to (the) Internet. A compromised ATM could result in a network being forced offline, and/or lost customer data and stolen identities."
Gyan Chawdhary, senior security consultant with IRM, told CNET News.com sister site Silicon.com that the shift among ATMs to modern PC infrastructure means it now requires only minimal programming knowledge to hack ATM machines successfully once access has been gained to its system.
"If you are a programmer and you have some programming experience, then it is a cakewalk. If an exploit will work on a home or office computer then it will work on these ATMs," Chawdhary said.
Researchers from IRM were even able to unlock and clear out the safes in two out of three U.K. cabinet ATMs, opening the safe using a default key code they obtained from a safe manual online. They also reset the cabinet ATMs' software using a piece of wire jammed into the receipt slot, giving them access to the engineering mode where they could control the machine.
Link, the company that runs more than 61,000 cash machines in the U.K., said there are stringent measures in place to prevent anybody from accessing its systems and that it will immediately shut down a network the moment it detects an intrusion.
Graham Mott, a Link spokesman, said: "The Link network takes the threat of a criminal attack very seriously and is constantly looking for ways to enhance system security."
Network Box warns that the software firewalls used to protect ATMs are not able to prevent denial-of-service attacks or harvesting of a consumer's personal data after the data travels through the bank's network.
It says the most effective way to protect against these new threats is to use a multifunction device with routing, firewall, intrusion detection system/intrusion prevention system and VPN (virtual private network) capabilities, positioned in front of, and protecting, the ATM network.
Such a device, the company said, should be separated from the rest of the bank's network, and all traffic coming out of the ATM should be encrypted.
Nick Heath of Silicon.com reported from London.
See more CNET content tagged:
ATM, bank, business development, safe, risk
Well, at least this time it was not Commander_Spock and Crew talking... but, according to this CNET NEWS article which states inter alia the "Macmillan added that the stability of Windows-based ATMs was worse than that of their OS/2-based predecessors, saying some ATMs suffered downtime of up to 30 percent...."
What can we say when Bill Gates knew and said it it best (That OS/2 Was A Better "Windows" Than "Windows")!
Guess the Crew needs some R and R at times and may soon transfer certain roles....
Good to see you on the ball "sanenazok" ;-) !
language right for ATMs? Why do I have to pick English or Spanish
every time I bank? And these Windows-based ATMs are
consistently slower than older text-based machines.
weekend.
Oh for the days of OS/2 when you could go years without a reboot.
(my company had one OS/2 server run continuously for 63 months
before we had to shut it down to replace some hardware)
it's easier for them to hack it... ;)
Seriously, all ATMs should print "please enter pin" in each
language, then once you verify, only go to the language you have
preselected with the bank. There should be no choice. "I want to
speak in French today, Spanish tomorrow" is not something any
customer is asking for.
It reminds me of a time that I got a call from a friend had to install a copy of Windows 2000 in Japanese. It required a bit more time, but it was allot of fun!
I wonder why the UK banking industry does this but other countries including the US encrypts all that data traffic?
I read a bunch of reports of people breaking into the ATM safe using a physical means that has nothing to do with the OS it is running. Is this what was meant by 'easily hacked'?
I also read about an internet worm that was killed five years ago.
Plus they talk about capturing traffic between the ATM and the bank on a public network in clear text. Give me a break. If there is a bank doing this then then thier customers have a lot more to worry about than a stupid ATM machine.
A better title for this story:
"Some ATMs need better safes. Written by an anti-Windows journalist"
new threats is to use a multifunction device with routing,
firewall, intrusion detection system/intrusion prevention
system and VPN (virtual private network) capabilities,
positioned in front of, and protecting, the ATM network."
The most effective way to protect against these new threats is
to - all the above - and use ATMs **that don't run Windows**.
Just thought I would add the logical conclusion to that
statement.
Bottom line... it is very different, much tougher to manage, and customer service availablity will diminish. After all this work... the ATM is headed for a dead-end. The real question is why would anyone invest in these new "full function windows based" ATMs.
B. What will be the cost of paying "top notch" developers to work with IBM to enhance OS/2 and port certain applications like Lotus Notes... to the OS/2 Warp Operating System. Isn't the state of the sub-prime market ridiculous enough to be now concerned about security with ATMs. Compare the cost of enhancements to an Operating System such as OS/2 as against what banks caught up in the sub-prime fiasco stand to loose. Do these dudes running the banking industry really know what they are about?
Here is what customers the world over will/should get (think in terms of the considerations when they choose their doctors... confidence of care et cetera et cetera) therefore, in the cases of the banking and other industries around the world - confidence of security.
Where in the world is IBM!
It runs ATMs.
Wow. It's gonna take over the world and kick Windows and Linux to death.
Yeah right!
catching on. Take NCR, which is now shipping all of its ATMs with
something Solidcore's change control software embedded on the
systems. http://www.solidcore.com/embedded
There is NO single "GUI-based OS" at the moment that does not require regular security patches.
Some common sense would have mitigated the problems mentioned in the article.
And yeah, it seems that this article is biased against Windows unnecessarily.
not require regular security patches."[/i]
To be technically correct, there is only one widespread
commercial GUI-based OS out there... Windows.
(OSX can run just fine w/o one as evidenced by XServe, and
Linux runs perfectly fine w/o Xwindows/Xorg.)
/P
The 2k limit does not include the image file for the bank logo.
and protect your master! This is what M$
is paying you for!
- by archaic0 October 1, 2008 3:26 PM PDT
- OK, I realize that this article mentions the UK, and that may give it some credit (maybe they are really insecure over there). I don't know about the UK as a whole, but in general, the article is pure shock and scare tactic. It is quite far from the reality of how ATMs are set up and work. Plus, a chunk of the article explains physical attacks like picking locks and breaking doors... what OS the ATM is running doesn't change that picture, yet it is all presented in a way that seems to attribute all ATM security problems to the OS. It's just sloppy.
- Reply to this comment
-
(37 Comments)The article's point seems to be that because ATMs are using a modern desktop OS, namely Windows, that they are therfore by default in the same category as your standard user at home and are insecure because of it.
There are a couple holes in that premise. Windows is insecure, yes, but saying that all ATMs running Windows are therefore insecure is a leap. Here are my points...
1. (this may be a US only thing, but that would surprise me since VISA is the one who made it happen a couple years ago and I doubt they'd leave out their worldwide networks) But ALL data leaving an ATM these days is 3DES encrypted. The physical construction of the keypad itself where you type your PIN is where the encryption takes place and that piece is sealed with a self-destruct circuit even. So there is no possibility of tapping the information before it gets encrypted and there is no possibility of ease dropping on plain text communication once it leaves that board, much less the ATM. Not one bit of the data is in clear text (except for the phone number or target IP address). The 3DES mandatory upgrade was forced on all ATM owners and all ATM networks refuse any traffic not 3DES encrypted now.
2. ATMs don't run web servers, mail servers, or have users surfing at their desktops to the internet. So even suggesting that they are just as likely to be infected as a user's home PC or Windows server is absurd. These machines don't surf the internet, and don't have any web services running with ports listening to be flooded through (unless the ATM owner has installed them, and they would install those on any OS). There doesn't exist a malware or virus executable that can infect a machine (regardless of the OS) without some user interaction or without a server service listening and allowing traffic in. All infections come in via two methods. Either through a broken web service like a web server or mail server, or a broken user program like a browser or mail client. Neither of which exists on an ATM.
3. Regardless of the OS or the machine, their premise that "once you're in it's easy" is also absurd. If someone gets in, it's because a dumb tech left the keys under the mat. And by that I mean that either someone left default passwords on something, left a remote management port open, or something along those lines and they do it on all devices and OS's they touch. Something I've seen in the real world is a tech installing VNC on every server he had, using default ports, and leaving the password blank or simple like (letmein). This tech will allow an attacker to compromise an ATM regardles of OS. OSX, Linux, proprietary, it does not matter. If you leave the door open, then someone can come in.
I submit that the problem described in the article of the Operating System the ATM is running being a problem is not the problem. The problem that exists is poor, no, actually, just plain stupid security practices by my fellow tech people across ALL operating systems and ALL categories of devices.
Leaving default passwords in place is a security problem with a Linksys router AND a Cisco router. Running a Windows machine with a blank or standard admin password is stupid. Running your Linux web server with a blank or simple root password is just as stupid. In MOST cases the reason for successful attacks falls on the person in control of the device that was compromised and the fact that said person did something that any of us would find unacceptable.
Windows has an insecure track record, but HUMANS have a worse track record and we've allowed all types of devices to be compromised by leaving them unlocked. IF, and I haven't actually seen a case of it really happening yet, but if an ATM in the real world was actually compromised via software, then it would be by way of a reason that is operating system independant. For example, guessing a password.