Hacking ATMs
ATMs are surprisingly easy to hack according to CNET. From a report on ATMs, up to 90 percent of the ATMs in the U.K. could be at risk for worms, denial-of-service attacks, getting customer data intercepted, and having money stolen from their safes.Many ATMs rely on desktop PC technology such as Intel hardware and Windows operating systems. Often they are linked to other machines in the bank’s network or connected to the Internet. This means that ATMs have to stay updated with all the current hotfixes and patches. This has been a large shift in the technology of ATMs over the last few years. Because ATM’s are based on desktop technology, hacking a ATM is simpler than it once was once access has been obtained. An example of this is the SQL Slammer worm which indirectly shut down 13,000 Bank of America ATMs.
In this article, researchers showed how easily ATMs could be unlocked and have their safes cleared out. They used a default key code they obtained from a safe manual online. They also reset the cabinet ATMs’ software using a piece of wire jammed into the receipt slot, giving them access to the engineering mode where they could control the machine. Another threat is that personal information can be intercepted. Network Box showed that only the personal identification number was encrypted when information was sent from a U.S. ATM to networked bank computers. That leaves card numbers, card expiration dates, transaction amounts, and account balances in clear text for anyone to read over the network.
We are all so careful to ensure that we use secure websites with valid certificates and encryption, meanwhile ATMs, which should be almost as secure as the bank itself, have so many security problems.
Comment by Justin McOmie
March 9, 2008 @ 10:31 pm
It’s surprising that ATMs are so vulnerable to attacks and plain-text interception over the network. I would’ve imagined that ATM network security would’ve been very high priority for the banks to get right from the outset. I know that ATMs are also relatively easy to break into with standard safe cracking techniques, but I think what keeps ATMs secure from local intrusions like that is that they are highly public and have a camera staring would-be attackers in the face.
What it probably comes down to for most banks is the cost of it all. It might be more cost effective for them to deal with the relatively (hitherto) uncommon network attacks on an ad hoc basis than it would be to revamp their entire network infrastructure all at once. This is probably the reason most banks don’t staff their physical locations with armed guards – the cost of getting robbed every now and then is less than paying an additional full time salary at each bank location.
Comment by robertm2
March 10, 2008 @ 6:42 pm
Just an interesting snippet from the CNET article for those that didn’t read the entire article: “It says the most effective way to protect against these new threats is to use a multifunction device with routing, firewall, intrusion detection system/intrusion prevention system and VPN (virtual private network) capabilities, positioned in front of, and protecting, the ATM network.”
For me, reading this report was disturbing as I learned how vulnerable these machines are. One thing though is that the report was conducted for the UK so it makes me wonder if the ATM’s in the US are as this vulnerable. It appears that the company Link supplies most of the ATM’s in the UK, and checking on their website, it appears a lot of the big US banks aren’t listed as clients (http://www.link.co.uk/atm/mn_member_websites.html). I wonder if (and hope that) more of the US banks have chosen to implement more secure ATM’s.