ATM Access: Getting in is Too Easy
Yesterday, I tapped a few bankers for comments about ATM security. In particular, I was fishing for some reaction to last week's ATM hack at the Black Hat Technical Security Conference. Two Windows CE-based ATMs were breached during a staged attack by security expert Barnaby Jack.
The ATMs - a Triton RL2000 and a Tranax 1700 - are most often deployed by retailers, community banks and credit unions. As Lilia Rojo, the director of operations for the $476 million El Monte, Calif.-based SCE Federal Credit Union, points out, credit unions are often looking for less-expensive ATM alternatives, relative to those produced by NCR and Diebold. "But we still want to know that the machines are secure," she says.
The Triton and Tranax ATMs are lower-volume machines, so they make sense for locations that aren't getting hit with, say, 2,000 cash withdrawals a month. But are they less secure? "It's certainly unsettling," Rojo tells me. "Not having the technical expertise, you rely on the manufacturer to help you with something like this - to stay one step ahead of these problems."
The problems Rojo refers to include the ease with which Jack showed how any hacker could access an ATM's operating system and ultimately take it over. In one case, Jack bypassed the ATM's remote management system. In another, he walked up and physically accessed the ATM's PC and infected it with malware saved to a thumb drive.
The former mode of attack is definitely disturbing - Jack bypassed the Tranax RMS. Triton, whose ATM was compromised in the thumb-drive attack, responded to the bypass of its authentication mechanism with a patch.
How many institutions have downloaded and installed the patch? How many even know about the patch? That's definitely a concern. But more concerning is that the latter breach again exposes a security gap that has come up several times in recent weeks. With ease, Jack opened the ATM's enclosure with a universal key he ordered over the Internet.
How can that be? Well, universal keys seem to be the rule, not the exception. When I asked Rojo and another institution, Los Angeles-based USC Credit Union, about the use of universal keys, both agreed that they are an industry standard.
Bob Douglas, the vice president of engineering for Mississippi-based Triton Systems, which manufactures the RL2000, confirmed that although all ATM manufacturers offer unique keys for the physical locks on ATM enclosures, few institutions or retailers order them. "Almost always, universal keys are used," he says.
For the past two weeks, I've criticized the retail industry for its use of universal access keys - suggesting that if retailers used unique keys, the installation of skimming devices at pay-at-the-pump terminals could be drastically reduced. So, I must now ask the same thing of financial institutions, which increasingly rely on Windows-based ATMs to serve their customers. It seems crazy to me. But I have to stop, step back and remember that not everyone is an ATM expert.
As Rojo rightly points out, "I don't have the technical expertise. I just need to rely on my ATM vendor who has the expertise, because that's their primary focus."
Some smaller institutions have outsourced ATM management to better deal with some of these technical and security issues. Maybe that's a good option. Maybe better lines of communication between vendors and institutions are the answer. But one thing I can say: Universal keys have to go. The financial industry did a good job a few years back when it did away with universal codes to access and change cash cassette settings. Now, it's time to do a better job of protecting the PC inside the ATM.