The many security problems of ATMs
Posted on 11 October 2013.
As much as they are useful, ATMs are also very vulnerable to tampering and attacks from individuals looking for money.

eWeek reports that at the SecTor security conference held this week in Toronto, Canada, Trustwave senior consultant John Hoopes provided insight into the attacks that are frequently executed against Point of Sale (POS) systems and ATMs, and the things defenders can do to prevent them.

When it comes to ATMs, the problems are many, he says. If the power cord for the machine is reachable, an ATM can easily be unplugged and plugged in again in order to make it reboot and show which OS is running.

More often than not, it is Windows XP, and usually unpatched. In fact, Hoopes discovered that many ATMs are still vulnerable to years-old flaws that Microsoft patched long ago. Obviously, the technicians installed the OS when the machines were put into use, and haven't touched them since.

A great number of ATMs are also running in administrator mode, making an attack even easier to execute. Also, ATM software is rarely, if ever, obfuscated, so potential attackers find it trivial to reverse-engineer the code and search for exploitable flaws.

Allowing random individuals physical access to the power and network cables that feed ATMs should be a big no-no. First, because of the aforementioned possibility of rebooting the machine, and second, because attackers can insert a device between the ATM and the network to sniff and manipulate the data traffic, which is often unencrypted and occasionally not encrypted as well as it should be.

All of these problems can be solved relatively easily by ATM manufacturers and vendors if they make a concerted effort. Hoopes points out that they should also be thinking about good locks for the ATM cabinets, cable protection solutions, system monitoring, and alarm systems that would detect when an ATM system has rebooted or has potentially been tampered with.
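
One way the reboot detection mentioned above could look, as an added example that is not from Hoopes's talk or from the article: a Python check over Windows System log records (EventLog IDs 6005, 6006 and 6008) that flags boots with no clean shutdown before them or outside a maintenance window. The ATM names, timestamps and the 02:00 to 04:00 window are constructed assumptions.

```python
from datetime import datetime, time

# Windows System log IDs written by the EventLog source
EVENT_LOG_STARTED = 6005    # logged at every boot
EVENT_LOG_STOPPED = 6006    # logged at a clean shutdown
UNEXPECTED_SHUTDOWN = 6008  # previous shutdown was not clean (e.g. power loss)

FMT = "%Y-%m-%d %H:%M:%S"
# Assumption: technicians restart machines only between 02:00 and 04:00
MAINTENANCE = (time(2, 0), time(4, 0))

# Constructed sample records: (ATM id, timestamp, event id)
SAMPLE_EVENTS = [
    ("atm-017", "2013-10-08 02:14:50", 6006),
    ("atm-017", "2013-10-08 02:16:31", 6005),
    ("atm-017", "2013-10-09 13:41:07", 6005),
    ("atm-017", "2013-10-09 13:41:09", 6008),
    ("atm-022", "2013-10-09 18:02:10", 6006),
    ("atm-022", "2013-10-09 18:03:55", 6005),
]

def in_maintenance(ts):
    return MAINTENANCE[0] <= ts.time() < MAINTENANCE[1]

def suspicious_events(events):
    """Return (host, time, reason) tuples that warrant review."""
    parsed = sorted((h, datetime.strptime(t, FMT), e) for h, t, e in events)
    alerts = []
    clean_stop = {}  # host -> clean shutdown seen since the last boot
    for host, ts, event_id in parsed:
        if event_id == EVENT_LOG_STOPPED:
            clean_stop[host] = True
        elif event_id == UNEXPECTED_SHUTDOWN:
            alerts.append((host, ts, "unexpected shutdown recorded"))
        elif event_id == EVENT_LOG_STARTED:
            # A boot with no 6006 since the previous boot means the machine
            # lost power or was reset; the first boot in a log slice with no
            # earlier records is flagged too and needs manual review.
            if not clean_stop.pop(host, False):
                alerts.append((host, ts, "boot without prior clean shutdown"))
            if not in_maintenance(ts):
                alerts.append((host, ts, "boot outside maintenance window"))
    return alerts

if __name__ == "__main__":
    for host, ts, reason in suspicious_events(SAMPLE_EVENTS):
        print(host, ts, reason)
```

The check is only useful if the events are forwarded off the machine, since a log kept solely on the ATM is under the control of whoever controls the ATM.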

