« Difficult Technology
BD for Data »

ATM Stupidity

Some times banks just don’t get it. The CNET posting Windows-based cash machines ‘easily hacked’ is an example.

Up to 90 percent of the ATMs in the U.K. could be at risk from these attacks as they rely on desktop PC technology–usually Intel hardware and Windows operating systems–linked to other machines, some connected to the Internet, in the bank’s network, according to experts.

Beware when you next step up to an ATM machine.

B4D8572C-F07B-4110-82D2-3820CFAAE27D.jpg

(Credit: TechCrunch)

Here are a few things that may be lurking behind the facade.

… only the personal identification number was encrypted when information was sent from a U.S. ATM to networked bank computers. The card numbers, card expiration dates, transaction amounts, and account balances were clearly readable in plain text to anybody intercepting the data as it traveled through the network.

I can see it now. Microsoft’s patch Tuesday becomes a bank holiday.

“An ATM becomes like a PC with attached devices–it has to be kept up-to-date with hot fixes and patches. It is a much more complex beast, and the security aspects of that need to be at the forefront of a bank’s mind.”

De-evolution in action.

… the stability of Windows-based ATMs was worse than that of their OS/2-based predecessors, saying some ATMs suffered downtime of up to 30 percent.

Welcome script kiddies to the world of sloppy banking.

… the shift among ATMs to modern PC infrastructure means it now requires only minimal programming knowledge to hack ATM machines successfully once access has been gained to its system.

“If you are a programmer and you have some programming experience, then it is a cakewalk. If an exploit will work on a home or office computer then it will work on these ATMs,” …

Password, what password.

Researchers from IRM were even able to unlock and clear out the safes in two out of three U.K. cabinet ATMs, opening the safe using a default key code they obtained from a safe manual online. They also reset the cabinet ATMs’ software using a piece of wire jammed into the receipt slot, giving them access to the engineering mode where they could control the machine.

What part of basic network security 101 don’t bank technocrats get?

… the most effective way to protect against these new threats is to use a multifunction device with routing, firewall, intrusion detection system/intrusion prevention system and VPN (virtual private network) capabilities, positioned in front of, and protecting, the ATM network.

Well duh!

I don’t think ATM stupidity is unique to the U.K. So, beware when you next step up to an ATM machine, anywhere.

…John

This entry was posted on Wednesday, March 5th, 2008 at 9:47 am and is filed under Microsoft, Networking, OS, Security, Stupid, Technology. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

Leave a Reply

The Internet Traffic Report monitors the flow of data around the world. Internet Storm Center Infocon Status