ATMs linked to IP networks vulnerable to threats, security firm says

Computerworld - A continuing trend by banks to take automated teller machines off proprietary networks and put them on the banks’ own TCP/IP networks is introducing new vulnerabilities in the ATM transaction environment.

The reason? Most ATM transaction data is not encrypted and can be more easily compromised when it is traversing an IP network compared with dedicated lines, according to a white paper (download PDF) from Redspin Inc., a security auditing company in Carpinteria, Calif.

“A number of bad scenarios can come out of this situation, the biggest being mass card theft,” said John Abraham, president of Redspin, which released the white paper last month.

But ATM industry representatives said the issues raised by Redspin have been well understood for some time and that several measures can be taken to mitigate the risks posed by the migration to IP networks.

According to Abraham, the situation is the result of a move by banks over the past few years to comply with regulations requiring them to convert electronic funds networks to the secure triple Data Encryption Standard (DES) from the older DES standard. The rules are mandated by MasterCard International Inc., Visa U.S.A. Inc. and associated network providers (see "Encryption mandate puts strain on financial IT").

Many banks have used the opportunity to migrate ATMs from proprietary networks to open TCP/IP infrastructures, he said. For banks, such networks have proved to be easier to manage and less expensive than having a bunch of individual, dedicated point-to-point connections between an ATM and a processor, he said.

But it is also less secure, Abraham claimed. That’s because, apart from the personal identification number (PIN) data, all other ATM transaction details such as the card number, expiration date, account balances and withdrawal amounts frequently remain unencrypted. This was not as much of a problem when the data was traveling over dedicated lines, but it does pose a security risk on an IP network, he said.

Unless protective measures are taken, a hacker tapping into a bank’s network would have access to every ATM transaction flowing over its network, he said. The situation also is open for other possibilities, including so-called man-in-the-middle attacks, that could, for instance, spoof a processor’s response to an ATM and instruct it to keep on dispensing cash, he said. The risks are especially severe in the cases of ATMs located outside of banks in places such as grocery stores, where the machines are simply plugged into a standard Ethernet cable outlet in the wall, he said.

But many banks appear to be unaware of the issue and are not taking the fairly simple measures needed to mitigate the risk, such as implementing firewalls, installing antivirus software and putting ATM traffic on a separate network segment, Abraham claimed.