ATM fraud - it's not just on the cards
Changes in the technology used in cash machines have increased their theoretical vulnerability to attack. However, research shows that fraud by other means is still more likely.
Over the years, cash machines (ATMs) have migrated to increasingly insecure platforms, and recent research has thrown up some unexpected potential avenues of attack. However, it is important to consider how significant these are in the card transaction threat landscape as a whole.
When introduced in the early sixties, ATMs ran on proprietary systems and communicated over dedicated leased lines directly with transaction processors such as VISA. However, from the late eighties ATM vendors progressively migrated to commercial off-the-shelf (COTS) systems: first IBM's OS/2, and then primarily Windows. OS/2 implementations retained the use of private lines, and the OS has always been considered much more resistant to malware than Windows. The migration to Windows was also accompanied by replacement of the expensive dedicated point-to-point connections between ATMs and transaction processors with a new internet-based architecture interposing card issuers – the banks – between the ATMs and the transaction processors. These changes substantially increased the theoretical attack surface. Nevertheless, the move was greeted enthusiastically by the industry. As recently as 2003, a representative of NCR stated "You get a consistent look and feel, expanded transactions across all channels and new solutions. Those are well worth the inconvenience you might get from a PC virus."
There has been only one reported instance of malware directly infecting ATMs. In August 2003 the Nachi worm was found on two Diebold ATMs running Windows XP Embedded; the problem was recognised by network intrusion detectors and contained before any damage ensued. But earlier that year the Slammer worm locked out 13,000 ATMs when it infected SQL Server systems at the Bank of America. Those servers were on the same network as the ATMs, and must have been reachable from the internet for them to become infected in the first place.
Since then, considerable research has gone into analysing possible attack vectors on ATMs. A 2006 report by Redspin Inc. analyses the communication protocol between the ATM and the transaction processor in detail. It emerges that the only data element intrinsically encrypted is the cardholder's PIN. All the other transaction data is in plain text, relying entirely on the encryption provided by the VPN tunnel over which the connection is made for both confidentiality and integrity. The authors point out that the protocol itself is very transparent, and that it would be possible to tamper with transactions if the raw data stream could be tapped. They very pertinently suggest that the easiest place to do this would be on the card issuer's local network, which may well have connections to the internet. It would therefore not be strictly necessary to have direct access to the ATM itself. Although it is possible that ATMs hosted by small retailers might communicate over insecure local networks, Link, one of the major ATM connectivity providers, did not respond to heise online's query about how small retailer ATMs connect to the Link secure infrastructure.
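As an added illustration (not code from heise online, Redspin or any vendor discussed here), the following Python sketch shows the consequence of the finding above: once the stream leaves the tunnel, a receiver has no way to tell whether cleartext fields such as the amount were altered, whereas a per-message MAC keyed between the ATM and the processor detects any change. The record layout, field values and key are constructed for the demonstration and are not the real protocol.

```python
import hmac
import hashlib

# Constructed example record: a simplified withdrawal message as it might
# cross the wire. Layout is invented for illustration, NOT the real protocol
# analysed by Redspin. Everything except pin_block travels in the clear.
TRANSACTION = {
    "pan": "4000001234567890",        # card number, cleartext
    "amount": "00000020000",          # minor units (200.00), cleartext
    "terminal": "ATM0001",            # terminal id, cleartext
    "pin_block": "a1b2c3d4e5f60718",  # hex of an (assumed) encrypted PIN block
}

# Assumed shared secret between ATM and processor; a real deployment would
# keep it in the ATM's secure PIN pad / HSM rather than a constant.
MAC_KEY = b"constructed-demo-key-do-not-use"


def serialize(tx):
    """Flatten the record into the byte string a VPN tunnel would carry opaquely."""
    return "|".join(f"{k}={tx[k]}" for k in sorted(tx)).encode()


def mac_for(tx, key=MAC_KEY):
    """HMAC-SHA256 over every field, so altering any cleartext field changes the tag."""
    return hmac.new(key, serialize(tx), hashlib.sha256).hexdigest()


def verify(tx, tag, key=MAC_KEY):
    """Constant-time check; True only if no field changed since the ATM signed it."""
    return hmac.compare_digest(mac_for(tx, key), tag)


def demo():
    """Show that a tampered record is syntactically valid yet fails the MAC check."""
    tag = mac_for(TRANSACTION)
    # Same PIN block, different amount: without a MAC the processor cannot
    # distinguish this from the genuine record (constructed, never transmitted).
    altered = dict(TRANSACTION, amount="00000090000")
    return {
        "genuine_verifies": verify(TRANSACTION, tag),
        "altered_verifies": verify(altered, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The VPN only hides and protects the bytes between its two endpoints; the MAC travels with the message and is checked by the processor itself, which is what closes the gap on an issuer-side network segment.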
A recent paper by Network Box, IP-ATM Security, highlights the threats specific to ATMs connected to IP networks and suggests that some of the solutions proposed so far fall short of the mark. The researchers established that the data passed in plain text were enough to create cloned cards for offline or "card not present" use. They also suggest that the feasibility of denial-of-service attacks has been demonstrated by the Slammer incident, and that complete protection would require total dissociation of the ATM system from the internet. The Diebold/Nachi incident apparently prompted the vendor to install a personal firewall on all subsequently delivered ATMs. However, the Network Box researchers consider that solution inadequate. They point out that personal firewalls are vulnerable to bypass by virtue of residing on the platform they protect, and that they are designed for completely different traffic patterns and system use from those found on an ATM. Network Box do not comment on the effective denial of service that also resulted from Nachi infecting the Diebold ATMs: the network intrusion system closed them down when the worm was detected.