Banks brace for cashpoint attack

Fri Nov 12 10:16:43 PST 2004

<http://www.theregister.co.uk/2004/11/11/banks_prepare_for_atm_cyber_crime/print.html>

The Register

 Biting the hand that feeds IT

The Register ; Security ; Network Security ;

 Original URL:
http://www.theregister.co.uk/2004/11/11/banks_prepare_for_atm_cyber_crime/

Banks brace for cashpoint attack
By Kevin Poulsen, SecurityFocus (klp at securityfocus.com)
Published Thursday 11th November 2004 10:42 GMT

An international group of law enforcement and financial industry
associations hopes to prevent a new type of bank robbery before it gets off
the ground: cyber attacks against automated teller machines.

This fall the Global ATM Security Alliance (GASA) published what it says
are the first international cyber security guidelines specifically tailored
to cash machines. Experts see new dangers as legacy ATMs running OS/2 give
way to modern terminals built on Microsoft Windows.

"The recommendations presented in this manual are essentially designed to
provide a common sense approach to ... the rapidly changing threat model
that the introduction to the ATM channel of the Windows XP and other common
use operating systems, as well as the TCP/IP network protocol suite, has
created," said the manual's author, Ian Simpson, in a statement.

The move comes one year after the Nachi worm compromised
(http://www.securityfocus.com/news/7517) Windows-based automated teller
machines at two financial institutions, in the only acknowledged case of
malicious code penetrating ATMs. The cash machines, made by Diebold, were
built on Windows XP Embedded, which suffered from the RPC DCOM security
hole Nachi exploited.

In response to the incident, Diebold began shipping new Windows-based ATMs
preinstalled with host-based firewall software, and offered to add the
program for existing customers.

Though ATMs typically sit on private networks or VPNs, supposedly-isolated
networks often have undocumented connections to the Internet, or can fall
to a piece of malicious code inadvertently carried beyond the firewall on a
laptop computer. Last year's Slammer worm indirectly shut down some 13,000
Bank of America ATMs by infecting database servers on the same network, and
spewing so much traffic that the cash machines couldn't processes customer
transactions.

The goal of the ATM cyber security best practices document, which has not
been made public, and a related white paper developed by GASA, is "to be
proactive in fighting what might be the next wave of ATM crime - namely
cyber attacks," said Mike Lee, founding coordinator of the group, in a
statement.

GASA's members include fraud prevention agencies, financial industry
associations, the US Secret Service, Visa and MasterCard, and some ATM
networks and manufacturers, including Diebold and NCR.

Related stories

ATMs in peril from computer worms?
(http://www.theregister.co.uk/2004/10/20/atm_viral_peril/)
The ATM keypad as security portcullis
(http://www.theregister.co.uk/2004/07/21/atm_keypad_security/)
Ukrainian teen fights the Rise of the Machines
(http://www.theregister.co.uk/2004/10/13/girl_terminates_atm/)

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'