Security holes at the hole in the wall

26 Feb 2004

Bank ATMs have taken a hammering lately as news has emerged of real and virtual security breaches. Several thousand euro has been taken from ATM machines in Ireland as users had their card details stolen without their knowledge; meanwhile it transpired that some cash machines in the US fell foul of a computer virus.

In the physical world, criminals have been using small devices to grab card and code information without having to steal the cards themselves. The practice, known as ‘skimming’, involves installing a small scanner and a camera at a bank ATM site, which allow criminals to read information contained on ATM cards and see the PIN number that goes with each one. The scanners fit over the existing card slot on bank ATMs and can store details of thousands of cards. A tiny camera attached to the ATM then captures the user’s PIN. The information they gain is then used to manufacture replica cards that can be used with the correct PIN to withdraw money from ATMs.

According to a recent report, five such devices were seized by Gardaí. The problem is not confined to one area: the scanning machines were found in Dublin, Cork, Wexford and Waterford. Vigilance pays off, however according to a Garda spokesperson, the card readers, though small, are easily spotted. ATM users have nonetheless been advised to use caution and to report any suspicious activity or odd-looking devices.

Meanwhile, news emerged that automatic teller machines in the US had been infected by the Nachi worm. In January 2003, the Slammer worm indirectly shut down 13,000 Bank of America ATMs temporarily by infecting database servers on the same network. Although the ATMs themselves weren’t attacked in this case, traffic volumes on the network increased, preventing the cash machines from handling customer transactions.

A large part of the problem is because lurking behind that ATM screen is a PC. And increasingly, that computer is more likely to be running the Windows operating system (OS). While this means that the bank can offer an improved ATM service with better graphics, it also means that the system is at greater risk than ever from security-related problems, experts say.

Colm Murphy, a leading security consultant and technical director with Espion, has criticised this trend of using Windows on critical systems such as ATMs, saying that general-purpose OS should not be used for machines with specific tasks, ie dispensing money.

Any virus or hack essentially makes a computer do something unusual, whether it involves sending a file to an email application, sending by file transfer protocol or binding ports. This would not constitute normal behaviour for a machine whose sole purpose is to provide cash. The problem with a general-purpose operating system, Murphy suggests, is that it is designed to do a job whenever the user asks. “I think if they run general-purpose OS, they’re asking for trouble,” he says.

As Andy Harbison, manager of computer forensics at Ernst & Young, sees it, there are two sides to the trend of running Windows on ATMs. The graphical interface offers the advantage of better usability for the man in the street. Measured against that is the disadvantage of having many critical systems in a bank all running the same OS. “There is an issue of monoculture, but the banks understand this.”

A greater risk, according to Harbison, is a denial-of-service attack that floods the network, leaving machines inaccessible. This kind of incident gets a bad name more for its nuisance value, but it’s not specific to ATMs: if this kind of attack strikes, then all computers at a bank are likely to be affected.

Thankfully, Ireland has not been affected to date; the machines laid low by the virus in the US were manufactured by Diebold, which has no ATMs in Ireland. Cash machines in Ireland are supplied by either NCR or Wincor Nixdorf. In a statement, NCR confirmed that Nachi had not affected its machines, adding that it had taken additional security measures to ensure it doesn’t.

Joe Doyle, ATM strategy manager with Bank of Ireland, states categorically that there have been no breaches of Bank of Ireland ATMs. “We try to minimise access to local ATMs; all data is encrypted and there is a complete lockdown on local machines,” he tells

Security measures are such that some of the bank’s own operatives even have a hard time troubleshooting the devices when they need occasional maintenance. “In terms of security we would have a robust set of procedures and particularly in devices that would be off premises. With all the banks, the security element is taken extremely seriously,” Doyle adds.

We can take some comfort from the fact that the IT security procedures used by Irish banks are considered to be above international standards and are recognised as such, according to Harbison.

It remains to be seen if these security threats will affect our fondness for the ‘drinklink’, as recent European Central Bank figures have shown Irish ATM use to be the highest in Europe. The question is whether the latest developments will prompt no more than a shrug among consumers as they queue for cash, or if they will move us all closer to the long-promised cash-less society.

By Gordon Smith