Nick Heath
Security experts have hacked cashpoints to show how easy it is to steal money and bank account details from modern cash machines.
Cashpoints today face the Internet-born threat of worms and denial of service attacks, as well as being at risk from malware that can harvest customer data or hijack machines.
Up to 90 per cent of the cashpoints in the UK could be at risk from these attacks as they rely on desktop PC technology -- usually Intel hardware and Windows operating systems -- linked to other machines, some connected to the Internet, in the bank's network, according to experts.
Security vendor Network Box illustrated this threat by showing that only the PIN number was encrypted when information was sent from a US cashpoint to networked bank computers.
The card numbers, card expiry dates, transaction amounts and account balances were clearly readable in plain text to anybody intercepting the data as it travelled through the network.
'Cabinet' cashpoints, commonly found in shops, pubs and restaurants, potentially face an even greater danger -- with researchers from Information Risk Management (IRM) able to open their safes and take them over.
IRM used a key bought off the Internet to unlock the cabinets of three ATMs, allowing its analysts to install software that logged customer's bank details or dispensed money on command.
An early warning of this insecurity in modern cashpoints came in 2003 when the Nachi Internet worm infiltrated "secure" networks and infected cashpoints from two financial institutions, while the SQL Slammer worm indirectly shut down 13,000 Bank of America cashpoints.
Martin Macmillan, business development director with cashpoint security specialist Level Four Software, said: "The technology behind ATMs has changed dramatically over the last few years. Banks have largely moved their ATMs across to run operating systems such as Windows connected to a greater range of servers over an IP network.
"It creates a lot of security issues because an ATM becomes like a PC with attached devices -- it has to be kept up to date with hot fixes and patches. It is a much more complex beast and the security aspects of that need to be at the forefront of a bank's mind."
He said it is important for banks to be able to monitor cashpoint systems at the Windows level for any security holes and to be able to shut the network down in a controlled manner if any problems arise.
Mark Webb-Johnson, CTO of Network Box, said in the report: "The ATM industry is presented with the same security issues that we all face with our workstations that are connected to internet. A compromised ATM could result in a network being forced offline, and/or lost customer data and stolen identities."
Gyan Chawdhary, senior security consultant with IRM, told silicon.com the shift among cashpoints to modern PC infrastructure means it now only requires minimal programming knowledge to hack ATM machines successfully once access had been gained to its system.
Chawdhary said: "If you are a programmer and you have some programming experience then it is a cakewalk. If an exploit will work on a home or office computer then it will work on these ATMs."
Researchers from IRM were even able to unlock and clear out the safes in two out of the three UK cabinet cashpoints, opening the safe using a default key code they obtained from a safe manual online.
They also reset the cabinet cashpoints software using a piece of wire jammed into the receipt slot, giving them access to the engineering mode where they could control the machine.
Macmillan added that the stability of the Windows-based cashpoints was worse than their OS2-based predecessors, saying some cashpoints suffered downtime of up to 30 per cent.
Link, the company that runs more than 61,000 cash machines in the UK, said there are stringent measures in place to prevent anybody from accessing its systems and that it will immediately shut down a network the moment it detects an intrusion.
Graham Mott, a senior Link spokesman, said: "The Link network takes the threat of a criminal attack very seriously and is constantly looking for ways to enhance system security."
Network Box warns that the software firewalls used to protect cashpoints are not able to prevent DoS attacks or harvesting of consumer's personal data after the data travels through the bank's network.
It says the most effective way to protect from these new threats is to use a multifunction device with routing, firewall, intrusion detection system/intrusion prevention system and VPN capabilities, positioned in front of, and protecting, the ATM network.
It adds this device should be separated from the rest of the bank's network and that all traffic coming out of the cashpoint should be encrypted.
Visit reviews.cnet.co.uk for in-depth reviews of many more products
