The many security problems of ATMs
Posted on 11 October 2013.
Bookmark and Share
As much as they are useful, ATMs are also very vulnerable to tampering and attacks from individuals looking for money.


eWeek reports that at the SecTor security conference held this week in Toronto, Canada, Trustwave senior consultant John Hoopes provided insight into the attacks that are frequently executed against Point of Sale (POS) systems and ATMs, and the things defenders can do to prevent them.

When it comes to ATMs, the problems are many, he says. If the power cord for the machine is reachable, an ATM can easily be unplugged and plugged in again in order to make it reboot and show which OS is running.

More often than not, it is Windows XP, and usually unpatched. In fact, Hoopes discovered that many ATMs are still vulnerable to years-old flaws that have been patched by Microsoft ages ago. Obviously, the technicians have installed the OS when the machine was put into use, and haven't touched them since.

A great number of ATMs is also running in administrator mode, making an attack even easier to execute. Also, when it comes to ATM software, the code is rarely, if ever, obfuscated, and potential attackers can find it trivial to reverse-engineer its code and search for exploitable flaws.

Allowing physical access to the power and network cords that feed ATMs to random individuals should be a big no-no. First because of the aforementioned possibility of rebooting it, and secondly because attackers can insert a device between the ATM and the network, and sniff out and manipulate the data traffic, which is often unencrypted, and occasionally not encrypted as well as it should be.

All of these problems can relatively easily be solved by ATM manufacturers and vendors if they make a concentrated effort. Hooper points out that they should also be thinking about good locks for the ATM cabinets, cable protection solutions, system monitoring and alarm systems that would detect when an ATM system has rebooted or has potentially been tampered with.









Spotlight

OpenBSD team forks OpenSSL to create safer SSL/TLS library

Posted on 22 April 2014.  |  Members of the OpenBSD project have begun working on a free version of the SSL/TLS protocol. They are not starting from scratch, but have forked OpenSSL to create a new, more secure option which they have dubbed LibreSSL.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Apr 22nd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //