In a press release today, Redspin, an independent auditing firm based in Carpinteria, CA, suggests that the recent mandated upgrades of ATMs to support triple DES encryption of PINs has introduced new vulnerabilities into the ATM network environment - because of other changes that were typically made concurrently with the triple DES upgrades.
Redspin, Inc. has released a white paper detailing the problem. Essentially, unencrypted ATM transaction data is floating around bank networks, and bank managers are completely unaware of it. The only data from an ATM transaction that is encrypted is the PIN number.
"We were in the middle of an audit, looking at network traffic, when there it was, plain as day. We were surprised. The bank manager was surprised. Pretty much everyone we talk to is surprised. The card number, the expiration date, the account balances and withdrawal amounts, they all go across the networks in cleartext, which is exactly what it sounds like -- text that anyone can read," explained Abraham.
Ironically, the problem came about because of a mandated security improvement in ATMs. The original standard for ATM data encryption (DES) was becoming too easy to crack, so the standard was upgraded to Triple DES. Like any home improvement project, many ATM upgrades have snowballed to include a variety of other enhancements, including the use of transmission control protocol/Internet protocol (TCP/IP) -- moving ATMs off their own dedicated lines, and on to the banks' networks.
More and more banks now run their ATMs through their own computer network before the information goes on to a centralized processor. While having the ATMs on the bank's network instead of a bunch of individual, dedicated lines is much more economical and much easier to manage, it greatly increases their security exposure.
The fact that ATM data isn't encrypted wasn't a problem when the information was going across dedicated lines, but now that it goes through the bank's Internet-connected system before going to a processor, it creates unexpected opportunities for crime and mischief. A hacker tapping into a bank's network would have complete access to every single ATM transaction going through the bank's ATMs.
"Our biggest concern is that not many bank managers know this," says Abraham. "They assume that everything is encrypted. It's not a terrible assumption, so it's no wonder that most bank managers we've talked to are unhappy to discover this after spending $60,000 to upgrade an ATM.
"Fortunately," continues Abraham, "prevention isn't that complicated, as long as bankers are aware that there is a potential problem. ATM machines need to be kept separate from the rest of the bank's computer network, to try to recreate that direct line to the processor. Also, Redspin is developing a tool to help bankers determine their level of vulnerability. This white paper is all about raising awareness."