May 4, 2006 (Computerworld) A continuing trend by banks to take automated teller machines off proprietary networks and put them on the banks’ own TCP/IP networks is introducing new vulnerabilities in the ATM transaction environment.
The reason? Most ATM transaction data is not encrypted and can be more easily compromised when it is traversing an IP network compared with dedicated lines, according to a white paper (download PDF) from Redspin Inc., a security auditing company in Carpinteria, Calif.
“A number of bad scenarios can come out of this situation, the biggest being mass card theft,” said John Abraham, president of Redspin, which released the white paper last month.
But ATM industry representatives said the issues raised by Redspin have been well understood for some time and that several measures can be taken to mitigate the risks posed by the migration to IP networks.
According to Abraham, the situation is the result of a move by banks over the past few years to comply with regulations requiring them to convert electronic funds networks to the secure triple Data Encryption Standard (DES) from the older DES standard. The rules are mandated by MasterCard International Inc., Visa U.S.A. Inc. and associated network providers (see "Encryption mandate puts strain on financial IT").
Many banks have used the opportunity to migrate ATMs from proprietary networks to open TCP/IP infrastructures, he said. For banks, such networks have proved to be easier to manage and less expensive than having a bunch of individual, dedicated point-to-point connections between an ATM and a processor, he said.
But it is also less secure, Abraham claimed. That’s because, apart from the personal identification number (PIN) data, all other ATM transaction details such as the card number, expiration date, account balances and withdrawal amounts frequently remain unencrypted. This was not as much of a problem when the data was traveling over dedicated lines, but it does pose a security risk on an IP network, he said.
Unless protective measures are taken, a hacker tapping into a bank’s network would have access to every ATM transaction flowing over its network, he said. The situation also is open for other possibilities, including so-called man-in-the-middle attacks, that could, for instance, spoof a processor’s response to an ATM and instruct it to keep on dispensing cash, he said. The risks are especially severe in the cases of ATMs located outside of banks in places such as grocery stores, where the machines are simply plugged into a standard Ethernet cable outlet in the wall, he said.
But many banks appear to be unaware of the issue and are not taking the fairly simple measures needed to mitigate the risk, such as implementing firewalls, installing antivirus software and putting ATM traffic on a separate network segment, Abraham claimed.
Ironically, the move to triple DES encryption has only masked the threat because most banks simply assume that all transaction data is safer, when in fact it is most often only the PIN data that is being encrypted using the stronger standard, he said. For instance, Redspin learned of the problem only when it was conducting an audit for a banking client and noticed ATM transaction data flowing over its networks in clear text, Abraham said.
“Bank managers are surprised when we tell them this. They think that everything is encrypted,” especially after upgrading to triple DES, he said.
Mike Lee, CEO of the ATM Industry Association based in Brookings, S.D., acknowledged that the move to mainstream technologies such as Windows XP operating systems and IP networks over the past few years “is altering the vulnerability landscape associated with this traditionally proprietary system.”
“The use of proprietary technologies afforded ATMs a degree of defense against malware, hacking tool kits and utilities, denial-of-service attacks and other threats that have been used to exploit vulnerabilities in more prevalent operating systems and networks,” he said. Most modern ATMs are running on operating systems and network communication protocols “known by and familiar to the majority of computer users,” Lee said.
At the same time, Redspin’s white paper ignores the fact that ATM manufacturers support firewall integration, antivirus integration and vulnerability patching to mitigate some of these risks, he said.
“The paper also confuses private, nonrouteable IP addresses -- which most IP networks use -- with publicly addressable IP addresses,” Lee said. “Triple DES is a very comprehensive global end-to-end encryption standard, but of course there are degrees and stages of implementation. In reality, there will always be cases of noncompliance and failures to implement best practices in any industry."
More banks than Redspin assumes also appear to know about the security vulnerabilities involved and have taken steps to mitigate them, said a spokesman at a major payments-processing network who requested anonymity. Earlier industry research into this issue has shown many “financial institutions securely configuring ATMs by implementing firewalls, diligently applying security patches and utilizing virtual private networks as opposed to ones with public IP addresses,” he said.