Sunday, February 24, 2008

Banks Failing on ATM Security

Via Vnunet.com -

Banks and financial institutions are leaving customers' personal details vulnerable to hackers by failing properly to secure their ATMs, according to a new report.

Managed security firm Network Box cited three main threats to ATMs: IP worms, disruption of the IP network and denial of service, and the harvesting of transaction data for malicious purposes.

The company said that ATM security risks have increased because of the changing ways in which they operate.

Many ATMs were built on proprietary hardware, software and communications protocols.

But it is estimated that 70 per cent of current ATMs are based on PC/Intel hardware and commodity operating systems using standard IP networking with some additional peripherals housed in a secure vault-like box.

The report attributes the changes to advantages in cost, performance, flexibility, standardisation and functionality, but points out that these advantages bring increased threats.

In these newer systems the ATM is connected to the payment processor using a TCP/IP connection. However, while the Pin is triple-DES encrypted, the messages themselves are not.

This leaves card numbers, expiry dates, transaction amounts and account balances clearly readable.

A hacker needs only to access some part of the IP network between the IP-ATM and the payment processor to gather the details.

No comments:

Post a Comment