As Banks Move to New Systems ATM's are Vulnerable to Attack

When Atm's first came into existance, banks ran these machines on their own propriatary operating systems. Since different banks had different systems, it was nearly impossible for hackers to find their way into these systems.

There are about 1.5 million ATM's in use all over the world. Each day sees an average of 192 new ATM's being installed. The thing that has made this possible is the adoption of a common operating system by the financial industry. Yes your ATM is most likely running on an embedded Windows XP system or some version of Windows. In recent years this practice has been adopted by the financial industry as proprietary systems have disappeared.

Think about all the anti-virus software that is out there to protect your PC from viruses. What does your PC run on? Well most likely it is some version of Windows. With the adoption of Windows as the operating system of choice for ATM's, these same systems are now vulnerable to the viruses your PC is vulnerable to picking up.

Here's where the problem is. Traffic over the banks ATM network travels over the same TCP/IP connection that internet traffic travels over. Your ATM PIN number is encrypted and safe, but what about the rest of the information? Card numbers, expiration dates, transaction amounts and account balances are there in plain text, and clearly visible to network hackers.

A disaster scenario would be an internet worm spreading on the ATM network, that eventually shuts down all the ATM machines. The makers of ATM machines thought they had this problem licked when they installed firewalls on the ATM networks. This protects the ATM's inside the network but it does not address all the possible scenarios. A possible solution would be to have a device that separates the ATM network from the rest of the banks network. All the traffic that comes in and out of this ATM network should be encrypted, not just the PIN numbers.

Unless banks install this type of technology, ATM networks are vulnerable to denial of service attacks and can be brought down. The technology is there, it needs to be implemented.