ATM Security Flaws The Latest Threat To Worry About

from the oh-great dept

If basic identity theft threats weren't worrying you already, MSNBC has a nice report on a potentially big security hole in the ATM system, basically pointing out that there are points on the network where PIN information is unencrypted and could be grabbed. It's not necessarily easy to do, but it is possible and highlights how previous claims about the security of ATM networks aren't actually true. The article quotes a bunch of financial service folks claiming that it's really no big deal, that they've known about this issue for a while, the hole will be closed soon and it's highly unlikely anyone would actually be able to use this. Except, of course, MSNBC notes that the Secret Service has already found plenty of discussions among Russian organized crime groups who have been working hard to break ATM security to create cloned ATM/debit cards in order to drain people's accounts. The end result is that it sounds like this is a serious weakness, but one not easy to exploit. Russian organized crime groups are working on it, though, so it would seem that no matter how small the risk is, it certainly sounds like something financial institutions should pay attention to. The risk is always small until someone breaks in -- but by then it's often too late.

Reader Comments


  • Spelling Police, 1 Dec 2006 @ 12:33am

    A security WHOLE

    lol .... don't rely too much on your spell checker !!!

  • security, 1 Dec 2006 @ 12:50am

    According to the referenced MSNBC article, one way for a consumer to avoid the vulnerability in question would be to only do business with a bank that owns the switches that scramble and de-scramble the Pin Blocks as they are transported along the various networks.

  • misanthropic humanist, 1 Dec 2006 @ 1:19am

    Fake ATM's coming to your town

    The security is getting weaker in the UK because of the banks' policies. They don't like ATMs. They don't like cash money and would abolish it in a stroke if they were able. They are far too "expensive" to run. I know this because I've spoken directly with people involved in making these policies. The current direction is to allow the ATM business to be privatised.

    In England today you can find hundreds of thousands of privately owned and run ATMs. You get them in the poorest areas where they are installed in bookies (gambling houses), next to off licenses and on streets where the drug trade is known to be high. Don't take my word, come here and see it for yourself. Aside from the criminally complicit lack of morality demonstrated you will find they charge you a "fee" for having access to your own money, about $2 per withdrawal.

    Now, all this would be easy enough to swallow if you were a cold hearted social-Darwinist, but nobody has stopped to think about the obvious security implications (or maybe they have and it's part of the plan to undermine confidence in cash money).

    Basically anybody can run one of these things, any fly-by-night crook can obtain one. Shops and bars that run them come and go. So if you are in a pub in a dodgy suburb of Manchester and you go to use a "cash machine" what makes you so sure it's run by a trustworthy business? You have no assurance whatsoever. Anyone could modify or construct a plausible looking cash machine that skimmed the PIN and account info.

    Of course the banks have never taken security seriously. There's two reasons for this. Firstly they have such obscene quantities of money they can afford to ignore even massive frauds and write it off as leakage. Secondly they are in a business that requires absolutely no accountability to their customers.

    • Chris, 1 Dec 2006 @ 2:14am

      Re: Fake ATM's coming to your town

      Shows how much you know, there was a Bank of America that got closed down in my neighborhood because their security was too lax. The government shut them down because the government insures them. It's funny how they do their job when it's their insurance money on the line.

      • Remeber..., 1 Dec 2006 @ 3:17am

        Re: Re: Fake ATM's coming to your town

        This guy isn't talking about America. He is talking about several places in Europe. The physical security in banks is pretty strong, however, the virtual security varies from bank to bank.

  • BankMan, 1 Dec 2006 @ 4:09am

    The Russian Mafia IS doing this!

    I work at a bank and I can say that we've had an explosion of Russian people recently come in to open accounts. Perhaps this explains it?

  • Anonymous Coward, 1 Dec 2006 @ 7:34am

    Fool me once, ...

    The thing that bothers me about this is the revelation that past statements I remember from the banking industry were apparently false: The public claim that once the PIN was encrypted at the ATM it could only be decrypted at the issuing bank (not by every Tom, Dick, and Harry network switch middle man in between).

    Also, does it bother anyone that the hardware security modules (HSM's) that process PIN's are made by companies like Hewlett Packard with a history of spying on people?

  • Anonymous Coward, 1 Dec 2006 @ 8:30am

    It's only a matter of time before people find ways to make convincing looking *fake* ATM machines, putting them in shady areas of town, that just keep your card when you insert it...

  • dustin, 1 Dec 2006 @ 8:45am

    C'mon guys...

    I can't tell you how many PINs I've had access to in the past few years. Pay attention when you're standing in line at Seven-Eleven or pumping gas. Almost everyone who uses the touchpad to input their PINs doesn't even think to hide their number- I can easily see what they're typing. Don't believe me? Go try it on your lunchbreak, you'll see.

    Just because a 'possible' flaw is pointed out doesn't mean the world of banking is coming to an end. No system is ever going to be fool-proof- if someone wants something bad enough, they'll get it. The only difference between the normal guy and the victim is a little common-sense.

  • Paul, 1 Dec 2006 @ 8:49am

    Better Yet

    My first post. But just think of this. Fake machine. One that reads all the data off your card, pulls your PIN. Then it gives you a message of technical difficulties. Then a couple of weeks down the road, someone takes off with your money. Would you remember where that ATM was or even that you tried to use it?

    • Anonymous Coward, 2 Dec 2006 @ 4:11pm

      Re: Better Yet

      Fake machine. One that reads all the data off your card, pulls your PIN. Then it gives you a message of technical difficulties.
      It's been done, many years ago. The best I remember, they actually put the machine in the middle of a shopping mall.

  • Thomas, 6 Jun 2007 @ 3:05pm

    ATM Security Products

    Nice post. I work in the ATM industry and this is something we take very seriously. We've recently purchased a new ATM security system through Diebold and everything has been performing exactly as we wanted. I found this link on their website, if you want some more info: Security Monitoring

  • Ken Dunckel, 15 Feb 2009 @ 10:20am

    Astonished at number of Lightweight ATMs Used

    There are still an astonishing number of lightweight lobby model ATMs installed in what amount to unsupervised outdoor locations.

    Astonishing because of the speed with which they can be neatly and discreetly forced open without much more than a cordless drill motor.

    Astonishing because of the cash levels they often contain.

    Astonishing because so few thieves have yet to learn to drill them instead of trying to uproot them and drag them off.

    My guess is that this sort of theft will increase nationwide in the next 12-24 months.
    Ken Dunckel
    Safecracker CA License #001985