March 4, 2008 10:39 AM PST

Windows-based cash machines 'easily hacked'

By Nick Heath

Windows-based cash machines 'easily hacked'
Related Stories

The next generation of security threats

 December 5, 2007

Nachi variant sends a political message

 February 12, 2004

Damage control

 February 6, 2003
Related Blogs

Citibank limits ATM withdrawals in New York City

 Defense in Depth
January 7, 2008
Security experts have hacked ATMs to show how easy it is to steal money and bank account details from modern cash machines.

ATMs, or automated teller machines, today face the Internet-born threat of worms and denial-of-service attacks, as well as being at risk from malicious applications that can harvest customer data or hijack machines.

Up to 90 percent of the ATMs in the U.K. could be at risk from these attacks as they rely on desktop PC technology--usually Intel hardware and Windows operating systems--linked to other machines, some connected to the Internet, in the bank's network, according to experts.

Security vendor Network Box illustrated this threat by showing that only the personal identification number was encrypted when information was sent from a U.S. ATM to networked bank computers.

The card numbers, card expiration dates, transaction amounts, and account balances were clearly readable in plain text to anybody intercepting the data as it traveled through the network.

"Cabinet" ATMs, commonly found in shops, pubs, and restaurants, potentially face an even greater danger. Researchers from Information Risk Management (IRM) were able to open their safes and take them over.

An early warning of this insecurity in modern ATMs came in 2003 when the Nachi Internet worm infiltrated "secure" networks and infected ATMs from two financial institutions, while the SQL Slammer worm indirectly shut down 13,000 Bank of America ATMs.

Martin Macmillan, business development director with ATM security specialist Level Four Software, said: "The technology behind ATMs has changed dramatically over the last few years. Banks have largely moved their ATMs across to run operating systems such as Windows connected to a greater range of servers over an IP network.

"An ATM becomes like a PC with attached devices--it has to be kept up-to-date with hot fixes and patches."
--Martin Macmillan, business development director, Level Four Software

That creates a lot of security issues, Macmillan said: "An ATM becomes like a PC with attached devices--it has to be kept up-to-date with hot fixes and patches. It is a much more complex beast, and the security aspects of that need to be at the forefront of a bank's mind."

It is important, he said, for banks to be able to monitor ATM systems at the Windows level for any security holes and to be able to shut the network down in a controlled manner if any problems arise.

Macmillan added that the stability of Windows-based ATMs was worse than that of their OS/2-based predecessors, saying some ATMs suffered downtime of up to 30 percent.

Mark Webb-Johnson, chief technology officer of Network Box, said in the report: "The ATM industry is presented with the same security issues that we all face with our workstations that are connected to (the) Internet. A compromised ATM could result in a network being forced offline, and/or lost customer data and stolen identities."

Gyan Chawdhary, senior security consultant with IRM, told CNET News.com sister site Silicon.com that the shift among ATMs to modern PC infrastructure means it now requires only minimal programming knowledge to hack ATM machines successfully once access has been gained to its system.

"If you are a programmer and you have some programming experience, then it is a cakewalk. If an exploit will work on a home or office computer then it will work on these ATMs," Chawdhary said.

Researchers from IRM were even able to unlock and clear out the safes in two out of three U.K. cabinet ATMs, opening the safe using a default key code they obtained from a safe manual online. They also reset the cabinet ATMs' software using a piece of wire jammed into the receipt slot, giving them access to the engineering mode where they could control the machine.

Link, the company that runs more than 61,000 cash machines in the U.K., said there are stringent measures in place to prevent anybody from accessing its systems and that it will immediately shut down a network the moment it detects an intrusion.

Graham Mott, a Link spokesman, said: "The Link network takes the threat of a criminal attack very seriously and is constantly looking for ways to enhance system security."

Network Box warns that the software firewalls used to protect ATMs are not able to prevent denial-of-service attacks or harvesting of a consumer's personal data after the data travels through the bank's network.

It says the most effective way to protect against these new threats is to use a multifunction device with routing, firewall, intrusion detection system/intrusion prevention system and VPN (virtual private network) capabilities, positioned in front of, and protecting, the ATM network.

Such a device, the company said, should be separated from the rest of the bank's network, and all traffic coming out of the ATM should be encrypted.

Nick Heath of Silicon.com reported from London.

See more CNET content tagged:
ATM, bank, safe, business development, denial of service

Add a Comment (Log in or register) 36 comments (Showing first 20 comments)
Finally a legit story for OS/2
by sanenazok March 4, 2008 11:41 AM PST
and where's Spock? C'mon it's OS/2 goodness!
Reply to this comment View all 2 replies
Who could have predicted this?
by Clouseau2 March 4, 2008 11:54 AM PST
Gosh, who could have guessed if you switch ATMs to using the least secure OS there is, this could happen? It's inconceivable!
Reply to this comment
They're also highly annoying...
by Galaxy5 March 4, 2008 11:59 AM PST
Why, oh why can't banks even get something like a default
language right for ATMs? Why do I have to pick English or Spanish
every time I bank? And these Windows-based ATMs are
consistently slower than older text-based machines.
Reply to this comment
a bit confused
by tgrenier March 4, 2008 12:01 PM PST
They stole transactional details minus the pin number via packet sniffing data that was sent by the ATM. Perhaps encryption is an easy answer. Why anyone in their right mind would have an ATM network connected to the internet is beyond me. One more thing, I hate the security by obscurity argument.
Reply to this comment
Perfect timing
by rcrusoe March 4, 2008 12:24 PM PST
Several of the ATMs in my area were unusable or BSOD this
weekend.

Oh for the days of OS/2 when you could go years without a reboot.
(my company had one OS/2 server run continuously for 63 months
before we had to shut it down to replace some hardware)
Reply to this comment View reply
Because...
by amandachuck March 4, 2008 12:46 PM PST
That way if someone who doesn't speak English steals your card,
it's easier for them to hack it... ;)

Seriously, all ATMs should print "please enter pin" in each
language, then once you verify, only go to the language you have
preselected with the bank. There should be no choice. "I want to
speak in French today, Spanish tomorrow" is not something any
customer is asking for.
Reply to this comment View reply
OS/2 has the same issue
by Vegaman_Dan March 4, 2008 1:02 PM PST
It's not the OS that is the problem here, but the fact that the system is broadcasting without encryption. That's something that can easily be fixed as it's a network design issue. OS/2, Windows, OSX- all of it won't matter a bit if you send the data in the clear.

I wonder why the UK banking industry does this but other countries including the US encrypts all that data traffic?
Reply to this comment View reply
Lack of security?!?!?!
by tsi26 March 4, 2008 1:20 PM PST
The bank I work for...yes doing IT...encrypts the traffic over a VPN. While I suppose it still would possible to attack it using DDOS the only thing that would occur is the ATM would not have access to current balances. Which would only cause a problem with customers that are below a certain amount in their accounts. Meaning the ATM is still operational without a network connection. BTW, the ATM's are still running OS/2 and they are only a couple of years old.
Reply to this comment
Still missed where they hacked windows....
by MMC Racing March 4, 2008 2:06 PM PST
They exploited lax hardware security that would be there with any OS..
Reply to this comment
What an imflamatory piece of garbage this is
by NewsReader_ March 4, 2008 2:16 PM PST
I am amazed CNET actually published this story with the implication that this was about software.

I read a bunch of reports of people breaking into the ATM safe using a physical means that has nothing to do with the OS it is running. Is this what was meant by 'easily hacked'?

I also read about an internet worm that was killed five years ago.

Plus they talk about capturing traffic between the ATM and the bank on a public network in clear text. Give me a break. If there is a bank doing this then then thier customers have a lot more to worry about than a stupid ATM machine.

A better title for this story:
"Some ATMs need better safes. Written by an anti-Windows journalist"
Reply to this comment View all 2 replies
Solution
by No invasion of privacy March 4, 2008 2:50 PM PST
Quote: "It says the most effective way to protect against these
new threats is to use a multifunction device with routing,
firewall, intrusion detection system/intrusion prevention
system and VPN (virtual private network) capabilities,
positioned in front of, and protecting, the ATM network."
The most effective way to protect against these new threats is
to - all the above - and use ATMs **that don't run Windows**.

Just thought I would add the logical conclusion to that
statement.
Reply to this comment
ATM - Windows-IP - The Next Telephone Booth
by Robert.CIO March 4, 2008 4:02 PM PST
With the advent of debit cards, online purchases, and online bill payment the ATM is going the way of the Telephone Booth. As a result, the ATM vendors have thrown one last hail merrry. The plan is to open up that ATMs to to delivery more services. To do so, they have replaced OS/2 with a single server connection to a Windows and IP communications. Now the ATM has multiple IP connections to multiple servers on the back-end. The very nature of this architecture opens up potential risk. Now you have a server for processing financial transactions, a server for managing the physical ATM, a server for managing software distribution/fixs (e.g. SMS), a server for managing customer preferences, a server for managing check deposits images, special hardening of the Windows client, ATM network isolation, server to pull local ATM transactions, server to manage the ATM screen images, server to manage ATM Windows/Application alerts, etc. Now you have a "Windows Desktop" running a large stack of of applicatinos that does not have an employee to tell you when things go wrong. Then you add the extra hardening that is needed for an unmanned Windows Desktop. Yes... it is a LOT different and open to additional points of failure. However, when it comes to encryption it is possible to encrypt the entire message, it is possible to have a VPN or private network. Those last two issues can be resolve by any bank that has a clue about what they are doing.
Bottom line... it is very different, much tougher to manage, and customer service availablity will diminish. After all this work... the ATM is headed for a dead-end. The real question is why would anyone invest in these new "full function windows based" ATMs.
Reply to this comment
What banks need to "KNOW" and "DO"!
by Commander_Spock March 4, 2008 8:10 PM PST
A. What is/was the cost of developing a new Operating System/VISTA.

B. What will be the cost of paying "top notch" developers to work with IBM to enhance OS/2 and port certain applications like Lotus Notes... to the OS/2 Warp Operating System. Isn't the state of the sub-prime market ridiculous enough to be now concerned about security with ATMs. Compare the cost of enhancements to an Operating System such as OS/2 as against what banks caught up in the sub-prime fiasco stand to loose. Do these dudes running the banking industry really know what they are about?

Here is what customers the world over will/should get (think in terms of the considerations when they choose their doctors... confidence of care et cetera et cetera) therefore, in the cases of the banking and other industries around the world - confidence of security.

Where in the world is IBM!
Reply to this comment View all 2 replies
Change control catching on
by solidcore March 4, 2008 9:26 PM PST
Locking down the ATM platform with change control seems to be
catching on. Take NCR, which is now shipping all of its ATMs with
something Solidcore's change control software embedded on the
systems. http://www.solidcore.com/embedded
Reply to this comment
Wrong Title!
by CervezaPorFavor March 4, 2008 11:07 PM PST
As highlighted by others in the comments, this has to do with very poor network design & security implementation rather than the OS.

There is NO single "GUI-based OS" at the moment that does not require regular security patches.

Some common sense would have mitigated the problems mentioned in the article.

And yeah, it seems that this article is biased against Windows unnecessarily.
Reply to this comment View all 2 replies
Calling All Shills!
by Mister C March 6, 2008 7:11 PM PST
Come on boys, time to break out the noise
and protect your master! This is what M$
is paying you for!
Reply to this comment
by rosevictoria123 June 18, 2008 7:35 PM PDT
Nice news!!! woohoo

Yesterday, I deleted an import system file incautiously. How angery I am!!!. Minutes later, I found http://www.recovery-soft.com has data recovery software, I downloaded and install, did as it tells me to do, then everything goes back!!! If not, I can't get this news.

what amazing!!!

data recovery, file recovery, data lost, file lost, find data back, repair computer, repair data
Reply to this comment
 See all 36 Comments >>
Powered by Jive Software
advertisement

Latest tech news headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

advertisement

Inside CNET News

Scroll Left Scroll Right

  • Nanotech: The Circuits Blog

    Timing rumors surface for AMD plant spin-off

    Rumors persist that Advanced Micro Devices is planning to spin off all or part of its manufacturing operations.

  • Gallery

    Photos: Ron Paul's RNC alternative

    As the Republican convention took place just miles away, a crowd rallied for the former presidential candidate and his message of limited government, ensured civil liberties, lower taxes, and peace.

  • Digital Noise: Music and Tech

    Was 1980s music that bad?

    NPR asks listeners which year featured the best music, and the 1980s emerge as a bleak era. Personally, the '80s figure prominently in my collection, but well behind the 1970s.

  • Beyond Binary

    Microsoft begins big ad push

    Microsoft's multi-year push, estimated at $300 million, begins with a spot featuring Bill Gates and Jerry Seinfeld aired during Thursday's NFL game.

  • Video

    YouTube plays party politics

    During the presidential campaigning four years ago, YouTube didn't even exist. Now it's a tool candidates must master to get their message across. CNET's Kara Tsuboi stops by the YouTube upload booths at the Democratic and Republican conventions to find out why Google's video site has such a big presence in Denver and St. Paul, Minn.

  • News - Digital Media

    Michael Moore plans Net-only film premiere

    Filmmaker plans to premiere his latest documentary exclusively on the Internet for free, forgoing the traditional theatrical release.

  • Video

    Political party playlists

    We know the Democrats and Republicans are split over policy issues, but does their musical taste fall down party lines too? And what kind of gadgets did they bring to the conventions to listen to their music? CNET reporter Kara Tsuboi finds out.

  • News - Politics and Law

    What you can-- and can't-- find about Palin on the Internet

    John McCain's choice of Sarah Palin as a running mate has inspired a wealth of creativity on the Internet.

  • News - Cutting Edge

    Execs predict next Google-like tech

    On eve of company's 10-year anniversary, researchers and business pundits speculate about what technologies might someday have as much impact as Google.

  • Gallery

    Photos: The brains behind Google Chrome

    Here's a look at some of the engineers and executives who took the stage at the company's headquarters as they unveiled the new browser.

  • Webware

    10 things we'd like to see in Chrome

    Google's Chrome is pretty good, but it could be a whole lot better. We've rounded up 10 fairly extensive ways to tweak it to make it an all-around better browser.

  • Green Tech

    Clean-tech group forms to support Obama

    "Clean Tech and Green Business for Obama" aims to raise $1 million for the Democratic presidential nominee while elevating issues of climate change and alternative energy.

News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
Dell
PlayStation 3
Wii
Windows Vista
CNET sites
CNET TV
Downloads
Forums
News
Reviews
Site map
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET