22 Feb 2008
Banks and financial institutions are leaving customers' personal details vulnerable to hackers by failing properly to secure their ATMs, according to a new report.
Managed security firm Network Box cited three main threats to ATMs: IP worms, disruption of the IP network and denial of service, and the harvesting of transaction data for malicious purposes.
The company said that ATM security risks have increased because of the changing ways in which they operate.
Many ATMs were built on proprietary hardware, software and communications protocols.
But it is estimated that 70 per cent of current ATMs are based on PC/Intel hardware and commodity operating systems using standard IP networking with some additional peripherals housed in a secure vault-like box.
The report attributes the changes to advantages in cost, performance, flexibility, standardisation and functionality, but points out that these advantages bring increased threats.
In these newer systems the ATM is connected to the payment processor using a TCP/IP connection. However, while the Pin is triple-DES encrypted, the messages themselves are not.
This leaves card numbers, expiry dates, transaction amounts and account balances clearly readable.
A hacker needs only to access some part of the IP network between the IP-ATM and the payment processor to gather the details.
"Most people simply assume that because an ATM is invariably provided by a bank, the transactions and the data being transmitted must be secure," said Mark Webb-Johnson, chief technology officer at Network Box.
"We have already seen how the Nachi worm crossed over into 'secure' networks and infected ATMs for two financial institutions, and SQL Slammer indirectly shut down 13,000 Bank of America ATMs.
"If banks do not use technology that can provide an effective level of protection it is very likely that more high-profile attacks will follow."
Network Box recommends that all traffic to and from ATM machines should be encrypted, and not just the Pin.
ATM networks should also be separated from the rest of the bank's network, thereby allowing them to be closely monitored and controlled.
Challenges in Banking Security
The key challenges in the area of banking are not that technology does not exist to address these problems, but how are they cost-effectively deployed in such a manner that the banks don't find it more effective to underwrite losses than implement security measures. Second, in the banking world, the analysis usually centers around the profitability of any solution implemented such as online banking and ATMs, which originally were deployed to reduce associated customer interface with humans as a cost reduction, and increase in customer service. So the objective has moved. If an implementation doesn't have clear ROI from a revenue perspective, it will not move unless it must: either from increased risk/cost, or customer demands to protect their information. The most cost-effective solution for this is to utilize a cellular device as a proxy security interface, using the cellular network as an out-of-band mechanism to authenticate users for everything from online banking, ATM transactions, and information requests. Done in real time, not only for login, but used transactionally to approve all of the above, the banks have an opportunity to "deputize" the customer into the security team by giving them the ammunition they need to approve network access, logins, wire transfers, bill pay, etc. and interrupt any activity that is not accurate with an account lock out and fraud alert before the theft/damage occurs so the exhaustive remediation efforts don't need to be pursued and you don't have to work with Experian the rest of your life.
Posted by: Klint Borozan 25 Feb 2008