"A number of bad scenarios can come out of this situation, the biggest being mass card number theft, like what happened to Bank of America and Washington Mutual," says John Abraham, Redspin president. "Also, the wrong person with the right knowledge could become a man-in-the-middle. They could spoof a processor's response to an ATM, telling it over and over again that the daily $500 limit hasn't been reached. Back up the money truck."

Redspin, Inc., a security audit company, has released a white paper detailing the problem. Essentially, unencrypted ATM transaction data is floating around bank networks, and bank managers are completely unaware of it. The only data from an ATM transaction that is encrypted is the PIN number.

"We were in the middle of a security audit, looking at network traffic, when there it was, plain as day. We were surprised. The bank manager was surprised. Pretty much everyone we talk to is surprised. The card number, the expiration date, the account balances and withdrawal amounts, they all go across the networks in cleartext, which is exactly what it sounds like - text that anyone can read," explained Abraham.

Ironically, the problem came about because of a mandated security improvement in ATMs. Security audits showed that the original standard for ATM data encryption (DES) was becoming too easy to crack, so the standard was upgraded to Triple DES. Like any home improvement project, many ATM upgrades have snowballed to include a variety of other enhancements, including the use of transmission control protocol/Internet protocol (TCP/IP) - moving ATMs off their own dedicated lines and on to the banks' networks. More and more banks now run their ATMs through their own computer network before the information goes on to a centralized processor. While having the ATMs on the bank's network instead of a bunch of individual, dedicated lines is much more economical and much easier to manage, it greatly increases their security exposure.

A security audit will highlight this issue. The fact that ATM data isn't encrypted wasn't a problem when the information was going across dedicated lines, but now that it goes through the bank's Internet-connected system before going to a processor, it creates unexpected opportunities for crime and mischief. A hacker tapping into a bank's network would have complete access to every single ATM transaction going through the bank's ATMs.

"Our biggest concern is that not many bank managers know this," says Abraham. "They assume that everything is encrypted. It's not a terrible assumption, so it's no wonder that most bank managers we've talked to are unhappy to discover this after spending $60,000 to upgrade an ATM."

"Fortunately," continues Abraham, "prevention isn't that complicated, as long as bankers are aware that there is a potential problem, and perform regular security audits. ATM machines need to be kept separate from the rest of the bank's computer network, to try to recreate that direct line to the processor. Also, Redspin is developing a tool to help bankers determine their level of vulnerability, that we can use during a security audit. This white paper is all about raising awareness."
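The article says the card number, expiry date, balances and amounts cross the bank network in cleartext while only the PIN is encrypted, and that an audit tool can tell a bank whether it is exposed. The script below is an added example of the audit-side check a defender would run over mirrored LAN traffic; it is not Redspin's tool and not taken from the white paper. It uses Luhn validation (ISO/IEC 7812) to separate genuine primary account numbers from other long digit runs, so an encrypted PIN block or a sequence counter is not reported as a leak. The pipe-delimited record layout and the three payloads are constructed for the example; the PANs are the standard public test numbers, not real cards.

```python
import re
from typing import Dict, List

# Constructed sample application-layer payloads (NOT real captures) of the kind
# an auditor might see if ATM transactions crossed a bank LAN in cleartext.
# The field layout is an assumption for this example, not a documented ATM protocol.
SAMPLE_PAYLOADS: List[bytes] = [
    # Card number, expiry, withdrawal amount and balance in the clear; PIN block encrypted.
    b"TXN|PAN=4111111111111111|EXP=1229|AMT=000050000|BAL=000123456|PINBLK=A1B2C3D4E5F60718",
    b"TXN|PAN=5500000000000004|EXP=0328|AMT=000020000|PINBLK=0F1E2D3C4B5A6978",
    # Sixteen digits, but a sequence counter that fails the Luhn check: must NOT be flagged.
    b"HEARTBEAT|SEQ=1234567890123456|STATUS=OK",
]

# A PAN is 13 to 19 digits not embedded in a longer digit run.
CANDIDATE_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for a well-formed card number, false for random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four so the audit report itself does not leak card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(payload: bytes) -> List[str]:
    """Return masked PANs that appear in cleartext in one payload."""
    found = []
    for m in CANDIDATE_RE.finditer(payload):
        digits = m.group(1).decode("ascii")
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def audit_report(payloads: List[bytes]) -> Dict[str, object]:
    """Summarise how many observed payloads carried cleartext card numbers."""
    hits = [find_cleartext_pans(p) for p in payloads]
    flagged = sum(1 for h in hits if h)
    return {
        "total": len(payloads),
        "flagged": flagged,
        "pans": [pan for h in hits for pan in h],
        # Any hit means ATM traffic is reachable in the clear on this segment;
        # the remediation the article names is to isolate ATMs from the general network.
        "exposed": flagged > 0,
    }


if __name__ == "__main__":
    report = audit_report(SAMPLE_PAYLOADS)
    print(f"{report['flagged']} of {report['total']} payloads carried cleartext PANs")
    for pan in report["pans"]:
        print("  cleartext PAN:", pan)
```

In a real audit the payloads would come from a mirror or SPAN port on the segment the ATMs share with other bank systems; a single hit confirms the exposure the article describes, and the fix is the one Abraham gives: put the ATMs on their own segment so the path to the processor is again a dedicated one.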

