The most recent research of all has been conducted by UK security consultants Information Risk Management plc (IRM). They have assessed a range of ways to penetrate ATMs and infiltrate software into them in the laboratory on behalf of undisclosed clients. A representative of IRM described the research as highly sensitive, and the detailed findings are still under wraps. However, heise online was told by a spokesman for the research team that theoretically feasible network attacks are unlikely to represent a serious threat, as the network security policies of connection providers such as Link and their enforcement have both been substantially improved in the last few years. Instead, according to IRM, the largest current threat is from insiders. High on the list of potential attackers are those with legitimate access such as service engineers.
IRM found a variety of attack vectors available to those with general access to the internals of an ATM and/or with specialist knowledge. In general, the aim was to install transaction monitoring devices or software, and the researchers had considerable success within small time windows in the order of minutes, albeit in a laboratory environment. Default configuration was a significant enabler, as was the availability of technical information, and indeed cabinet access keys, on the web. One of the most surprising attacks was the ability to reset an ATM into an "engineering" mode that allows reconfiguration of the system, merely by operating an internal switch with a paper clip pushed through the receipt delivery slot. IRM confirmed that this was due to chance placement of the switch. It was not intended to be operable through the slot even by engineers. This poor design has features in common with the PIN terminal vulnerabilities discovered recently by Cambridge University – the trusty paper clip strikes again.
The IRM research spokesman suggested that the need to get to the guts of the system meant the most likely targets would be small retailers with ATMs in store, rather than banks. He pointed out that this was not field research, so the social component of attacks was not considered formally. He summed up by saying that although the findings were significant, their overall contribution to the card transaction threat space was probably limited, and would likely decrease in the future as vendors are moving away from COTS implementations back to custom embedded systems.
Professor Anderson of Cambridge University Computer Laboratory was not surprised by the new research findings. He commented: "These systems can fail at just about any point in the chain: Trojan shop terminal, bad ATM, bogus ATM, skimmer on ATM, bad man in bank, … and under the circumstances I think the European Central Bank and the EU consumer authorities should be enacting better consumer protection laws. In the USA, Regulation E prevents banks dismissing customer complaints by just saying 'our systems are secure'. They must either give the customer his money back, or provide direct proof that the customer is lying (e.g. ATM camera photograph)".
Bruce Schneier concurs. He told heise online: "Windows computers are notoriously insecure, so using them for secure banking seems like a mistake. … moving from a special-purpose computer to a general-purpose Windows computer means that you assume all the risks of running a Windows machine. Was that a surprise to anyone?"
So although these research findings are interesting and indicate problems that should be addressed, solving them or even their successors will never be a panacea. Indeed, for some years card-not-present and ID fraud have dominated the picture. They are easy to execute and difficult to trace back to the perpetrator, whereas many more sophisticated attacks are less so. So attempting to fix the problem from a purely technical perspective is a never-ending story. Effective provision must also be made for mitigating the social effects of an assumed irreducible minimum level of fraud.