
22 February 2008 - Banks and financial institutions are failing to properly secure their ATMs, leaving consumers’ personal details vulnerable to hackers, according to IP-ATM Security, a new white paper from managed security services company, Network Box.

The report cites three main threats to ATMs: internet protocol (IP) worms; disruption of the IP network and denial of service; and the harvesting of consumers’ transaction data for malicious purposes. The latter could result in hackers being able to collect consumers’ personal details, such as their card number, account balance and transaction history.

The key findings of IP-ATM Security can be found below, while the actual whitepaper can be downloaded from

Why ATMs have become less secure

Security risks around ATMs have increased because of the changing ways in which ATMs operate. Traditionally, ATMs were built on proprietary hardware platforms with proprietary software and communications protocols. However, the trend over the past few years has been a migration to commodity-embedded hardware platforms (essentially PC-based with Intel microprocessors), commodity operating systems (primarily Windows and Linux), and standard IP networking.

It is estimated that some 70 per cent of current ATMs are now based on PC/Intel hardware and commodity operating systems (mostly Windows XP embedded) and this trend is expected to continue. Essentially, these new ATMs are PCs that are running PC operating systems, using the standard Internet Protocol (IP) with some additional peripherals housed in a secure vault-like box.

Why banks have switched to these new systems and protocols

There are a number of advantages to migrating to such commodity hardware, operating systems and protocols, such as cost, performance, flexibility, standardisation and enhanced functionality. But with these advantages come increased threats.

How hackers are able to harvest consumers’ personal details

An IP-ATM is connected to the payment processor using a TCP/IP connection. However, while the PIN number is triple-DES encrypted, the messages themselves are not. In January 2008, an analysis of ATM network traffic by Network Box found that only the PIN number was encrypted and that a large portion of the traffic travelled in plain text, leaving card numbers, card expiry dates, transaction amounts and account balances clearly readable. Therefore, a hacker needs only to access some part of the IP network between the IP-ATM and the payment processor to be privy to the aforementioned details.

Why the personal (software) firewall solution favoured by ATM producers is ineffective

Currently, the only response by ATM producers has been the installation of a personal (software) firewall on the ATM devices themselves. However, this does not counter the three main threats outlined in the report, and also presents its own inherent problems.

The issues of denial of service (DoS) attacks and disruption to the IP network remain because personal firewalls are not designed to protect against these threats. Also, they cannot prevent the harvesting of consumers’ personal details because the traffic still goes out unencrypted and is still vulnerable to eavesdropping.

Personal firewalls may partially address the issue of IP worms. However, because personal firewalls run on the same computer that they are protecting, they are vulnerable to being infected, modified, or disabled by viruses, Trojans, or network worms which are present in other applications on that same computer.

How ATM producers can solve these three primary threats

The most effective way to solve the issues outlined above is to use a multifunction device with routing, firewall, IDS/IPS and VPN capabilities, positioned in front of, and protecting, the ATM network. Such a network should be separated from the rest of the bank’s network, and be closely monitored and controlled. It would also be desirable to encrypt all traffic coming out of the ATM machines; there is no reason why only the PIN numbers should be encrypted.

The growth of the ATM market

It took 33 years for the ATM industry to reach the 1 million mark, and then only six years to reach 1.5 million. The global ATM market is expected to reach 2 million by 2011, with more than 73,000 new units in 2008, and the percentage share of off-site deployments has reached 45%.

Mark Webb-Johnson, CTO of Network Box, comments: “Most people simply assume that because an ATM is invariably provided by a bank, the transactions and the data being transmitted must be secure. This assumption may have been true in the past, but today ATMs operate in a way that makes them far more susceptible to attack.

“We’ve already seen in August 2003 how the Nachi (aka Welchia) Internet worm crossed over into ‘secure’ networks and infected ATMs for two financial institutions; and we’ve witnessed the SQL Slammer (aka Sapphire) worm indirectly shut down 13,000 Bank of America ATMs. The chances are that if banks don’t use technology that can actually provide an effective level of protection – technology that is already on the market – then it is very likely that more high-profile attacks are to follow.”

- ends -

About Network Box

Network Box Limited (NBL) is an international managed security services company, specialising in unified threat management (UTM). It continuously defends the networks of its customers using PUSH technology to instantaneously update protection, from 12 Security Operations Centres spread around the globe. NBL’s customers in Asia, Australia, North America and Europe include companies such as BMW, Nintendo and Toyota, as well as banks, utilities, and government organisations.

For more information, see /

Further press information:

Kate Hartley / Malini Majithia
Carrot Communications
Tel: 020 7386 4860

This press release was distributed by ResponseSource Press Release Wire on behalf of Carrot Communications in the following categories: Computing & Telecoms, for more information visit