Windows-based cash machines 'easily hacked'

ATMs that rely on desktop PC technology--and that's a lot of them--are at risk from worms, key loggers, and denial-of-service attacks.

Nick Heath
Nick Heath Chief reporter

Nick Heath is a computer science student and was formerly a journalist at TechRepublic and ZDNet.

4 min read
Security experts have hacked ATMs to show how easy it is to steal money and bank account details from modern cash machines.

ATMs, or automated teller machines, today face the Internet-born threat of worms and denial-of-service attacks, as well as being at risk from malicious applications that can harvest customer data or hijack machines.

Up to 90 percent of the ATMs in the U.K. could be at risk from these attacks as they rely on desktop PC technology--usually Intel hardware and Windows operating systems--linked to other machines, some connected to the Internet, in the bank's network, according to experts.

Security vendor Network Box illustrated this threat by showing that only the personal identification number was encrypted when information was sent from a U.S. ATM to networked bank computers.

The card numbers, card expiration dates, transaction amounts, and account balances were clearly readable in plain text to anybody intercepting the data as it traveled through the network.

"Cabinet" ATMs, commonly found in shops, pubs, and restaurants, potentially face an even greater danger. Researchers from Information Risk Management (IRM) were able to open their safes and take them over.

An early warning of this insecurity in modern ATMs came in 2003 when the Nachi Internet worm infiltrated "secure" networks and infected ATMs from two financial institutions, while the SQL Slammer worm indirectly shut down 13,000 Bank of America ATMs.

Martin Macmillan, business development director with ATM security specialist Level Four Software, said: "The technology behind ATMs has changed dramatically over the last few years. Banks have largely moved their ATMs across to run operating systems such as Windows connected to a greater range of servers over an IP network.

"An ATM becomes like a PC with attached devices--it has to be kept up-to-date with hot fixes and patches."
--Martin Macmillan, business development director, Level Four Software

That creates a lot of security issues, Macmillan said: "An ATM becomes like a PC with attached devices--it has to be kept up-to-date with hot fixes and patches. It is a much more complex beast, and the security aspects of that need to be at the forefront of a bank's mind."

It is important, he said, for banks to be able to monitor ATM systems at the Windows level for any security holes and to be able to shut the network down in a controlled manner if any problems arise.

Macmillan added that the stability of Windows-based ATMs was worse than that of their OS/2-based predecessors, saying some ATMs suffered downtime of up to 30 percent.

Mark Webb-Johnson, chief technology officer of Network Box, said in the report: "The ATM industry is presented with the same security issues that we all face with our workstations that are connected to (the) Internet. A compromised ATM could result in a network being forced offline, and/or lost customer data and stolen identities."

Gyan Chawdhary, senior security consultant with IRM, told CNET News.com sister site Silicon.com that the shift among ATMs to modern PC infrastructure means it now requires only minimal programming knowledge to hack ATM machines successfully once access has been gained to its system.

"If you are a programmer and you have some programming experience, then it is a cakewalk. If an exploit will work on a home or office computer then it will work on these ATMs," Chawdhary said.

Researchers from IRM were even able to unlock and clear out the safes in two out of three U.K. cabinet ATMs, opening the safe using a default key code they obtained from a safe manual online. They also reset the cabinet ATMs' software using a piece of wire jammed into the receipt slot, giving them access to the engineering mode where they could control the machine.

Link, the company that runs more than 61,000 cash machines in the U.K., said there are stringent measures in place to prevent anybody from accessing its systems and that it will immediately shut down a network the moment it detects an intrusion.

Graham Mott, a Link spokesman, said: "The Link network takes the threat of a criminal attack very seriously and is constantly looking for ways to enhance system security."

Network Box warns that the software firewalls used to protect ATMs are not able to prevent denial-of-service attacks or harvesting of a consumer's personal data after the data travels through the bank's network.

It says the most effective way to protect against these new threats is to use a multifunction device with routing, firewall, intrusion detection system/intrusion prevention system and VPN (virtual private network) capabilities, positioned in front of, and protecting, the ATM network.

Such a device, the company said, should be separated from the rest of the bank's network, and all traffic coming out of the ATM should be encrypted.

Nick Heath of Silicon.com reported from London.