Cash machines at risk from hacker attacks

Cash machines are at risk from hackers because banks are failing to properly secure them, a new report has claimed.

A white paper by security services company Network Box has said ATM's are less secure because of changes to the way they operate. It said that 70 per cent of current ATMs are essentially PCs running PC operating systems like Windows XP. This makes them more susceptible than when ATMs were mainly built with proprietary software and communication protocols.

"Most people simply assume that because an ATM is invariably provided by a bank, the transactions and data must be secure," said Mark Webb-Johnson, chief technology officer of Network BOX. "This assumption may have been true in the past, but today ATMs operate in a way that makes them far more susceptible to attack."

Banks switched to Windows XP-based hardware and operating systems because of benefits like better performance and cheaper costs. However, like PCs, these were susceptible to hacking attacks. The report cited an example in January 2008 when an analysis of ATM network traffic revealed that only the PIN number of a card was encrypted. A large portion of traffic travelled in plain text such as card numbers, card expiry dates, transactions amounts and account balances.

It was claimed that all a hacker needed to do was access a part of the IP network between the IP-ATM and payment processor to find out these details. The research claimed that current personal firewall protection was not sufficient as it didn't counter all the threats and had its own inherent problems.

"We've already seen in August 2003 how the Nachi Internet worm crossed over into 'secure' networks and infected ATMs for two financial institutions. And we've witnessed the SQL slammer (aka Sapphire) worm indirectly shut down 13,000 Bank of America ATMs," said Webb- Johnson.

"The chances are that if banks don't use technology that can actually provide an effective level of protection - technology that is already on the market - then it is very likely that more high- profile attacks are to follow," he added.

Although the research was primarily done in the US, Network Box internet analyst Mike Heron said that British banks and financial institutions needed to take notice as the software and hardware used in the US was similar to that used in the UK.

"If [the banks] have got Windows XP-based ATM's then this is obviously something which is a concern. We don't want our details sent in plain text. The current firewall protection is not sufficient and they need to look seriously in how to rectify this so there isn't a breach," said Heron.