ATM Security Flaws The Latest Threat To Worry About

from the oh-great dept

If basic identity theft threats weren't worrying you already, MSNBC has a nice report on a potentially big security hole in the ATM system, basically pointing out that there are points on the network where PIN information is unencrypted and could be grabbed. It's not necessarily easy to do, but it is possible and highlights how previous claims about the security of ATM networks isn't actually true. The article quotes a bunch of financial service folks claiming that it's really no big deal, that they've known about this issue for a while, the hole will be closed soon and it's highly unlikely anyone would actually be able to use this. Except, of course, MSNBC notes that the Secret Service has already found plenty of discussions among Russian organized crime groups who have been working hard to break ATM security in order to create cloned ATM/debit cards in order to drain people's accounts. The end result, is that it sounds like this is a serious weakness, but one not easy to exploit. Russian organized crime groups are working on it, though, so it would seem that no matter how small the risk is, it certainly sounds like something financial institutions should pay attention to. The risk is always small until someone breaks in -- but by then it's often too late.

Reader Comments (rss)

(Flattened / Threaded)

  1. identicon
    Spelling Police, Dec 1st, 2006 @ 12:33am

    A security WHOLE

    lol .... don't rely too much on your spell checker !!!

    reply to this | link to this | view in thread ]

  2. icon
    Mike (profile), Dec 1st, 2006 @ 12:38am

    Re: A security WHOLE

    Whoops. Thanks for pointing it out. Fixed now.

    reply to this | link to this | view in thread ]

  3. identicon
    security, Dec 1st, 2006 @ 12:50am

    According to the referenced MSNBC article, one way for a consumer to avoid the vuneralbility in question, would be to only do business with a bank that owns the switches that scramble and de-scramble the Pin Blocks as they are transported along the various networks.

    reply to this | link to this | view in thread ]

  4. identicon
    misanthropic humanist, Dec 1st, 2006 @ 1:19am

    Fake ATM's coming to your town

    The security is getting weaker in the UK because of the banks policies. They don't like ATMs. They don't like cash money and would abolish it in a stroke if they were able. They are far too "expensive" to run. I know this because I've spoken directly with people involved in making these policies. The current direction is to allow the ATM business to be privatised.

    In England today you can find hundreds of thousands of privately owned and run ATMs. You get them in the poorest areas where they are installed in bookies (gambling houses), next to off licenses and on streets where the drug trade is known to be high. Don't take my word, come here and see it for yourself. Aside from the criminally complicit lack of morality demonstrated you will find they charge you a "fee" for having access to your own money, about $2 per withdrawal.

    Now, all this would be easy enough to swallow if you were a cold hearted social-Darwinist, but nobody has stopped to think about the obvious security implications (or maybe they have and it's part of the plan to undermine confidence in cash money).

    Basically anybody can run one of these things, any fligh-by-night crook can obtain one. Shops and bars that run them come and go. So if you are in a pub in a dodgy suburb of Manchester and you go to use a "cash machine" what makes you so sure it's run by a trustworthy business? You have no assurance whatsoever. Anyone could modify or contruct a plausible looking cash machine that skimmed the PIN and account info.

    Of course the banks have never taken security seriously. There's two reasons for this. Firstly they have such obscene quantities of money they can afford to ignore even massive frauds and write it off as leakage. Secondly they are in a business that requires absolutely no accountability to their customers.

    reply to this | link to this | view in thread ]

  5. identicon
    Chris, Dec 1st, 2006 @ 2:14am

    Re: Fake ATM's coming to your town

    shows how much you know, there was a Bank of America that got closed down in my neighborhood because there security was too lax. The government shut them down because the government insures them. It's funny how they do their job when it's their insurance money on the line

    reply to this | link to this | view in thread ]

  6. identicon
    Remeber..., Dec 1st, 2006 @ 3:17am

    Re: Re: Fake ATM's coming to your town

    This guy isn't talking about America. He is talking about several places in Europe. The physical security in banks is pretty strong, however, the virtual security verys from bank to bank.

    reply to this | link to this | view in thread ]

  7. identicon
    BankMan, Dec 1st, 2006 @ 4:09am

    The Russian Mafia IS doing this!

    I work at a bank and I can say that we've had an explosion of Russian people recently come in to open accounts. Perhaps this explains it?

    reply to this | link to this | view in thread ]

  8. identicon
    Mr. Fix-it, Dec 1st, 2006 @ 4:09am

    Re: Re: A security WHOLE

    While you're at it, you could also fix "highlights how previous claims ... isn't actually true."

    reply to this | link to this | view in thread ]

  9. identicon
    Anonymous Coward, Dec 1st, 2006 @ 7:34am

    Fool me once, ...

    The thing that bothers me about this is the revelation that past statements I remember from the banking industry were apparently false: The public claim that once the PIN was encrypted at the ATM it could only decrypted at the issuing bank (not by every Tom, Dick ,and Harry network switch middle man in between).

    Also, does it bother anyone that the hardware security modules (HSM's) that process PIN's are made by companies like Hewlett Packard with a history of spying on people?

    reply to this | link to this | view in thread ]

  10. identicon
    Anonymous Coward, Dec 1st, 2006 @ 8:30am

    its only a matter of time before people find ways to make convincing looking *fake* ATM machines, putting them in shady areas of town, that just keep your card when you insert it...

    reply to this | link to this | view in thread ]

  11. identicon
    dustin, Dec 1st, 2006 @ 8:45am

    C'mon guys...

    I cant tell you how many PIN's I've had access to in the past few years. Pay attention when your standing in line at Seven-Eleven or pumping gas. Almost everyone who uses the touchpad to input thier PIN's doesn't even think to hide thier number- I can easily see what thier typing. Don't beleive me? Go try it on your lunchbreak, you'll see.

    Just because a 'possible' flaw is pointed out dosen't mean the word of banking is coming to an end. No system is ever going to be fool-proof- if someone wants something bad enough, they'll get it. The only difference between the normal guy and the victim is a little common-sense.

    reply to this | link to this | view in thread ]

  12. identicon
    Paul, Dec 1st, 2006 @ 8:49am

    Better Yet

    My first post. but just think of this. fake machine. one that reads all the data off your card, pulls your pinn. then it gives you a messages of technical difficutlies. then a couple of weeks down the road. someone takes off with your money. would you remember were that ATM was or even that you tried to use it?

    reply to this | link to this | view in thread ]

  13. identicon
    Anonymous Coward, Dec 2nd, 2006 @ 4:11pm

    Re: Better Yet

    fake machine. one that reads all the data off your card, pulls your pinn. then it gives you a messages of technical difficutlies.
    It's been done, many years ago. The best I remember, they actually put the machine in the middle of a shopping mall.

    reply to this | link to this | view in thread ]

  14. identicon
    Thomas, Jun 6th, 2007 @ 3:05pm

    ATM Security Products

    Nice post. I work in the ATM industry and this is something we take very seriously. We've recently purchased a new ATM security system through Diebold and everything has been performing exactly as we wanted. I found this link on their website, if you want some more info: Security Monitoring

    reply to this | link to this | view in thread ]

  15. identicon
    Ken Dunckel, Feb 15th, 2009 @ 10:20am

    Astonished at number of Lightweight ATMs Used

    There are still an astonishing number of lightweight lobby model ATMs installed in awhat amount to unsuperviced outdoor locations.

    Astonishing because of the speed with which they can be neatly and discreetly forced open without much more than a cordless drill motor.

    Astonishing because of the cash levels they often contain.

    Astonishing because so few thieves have yet to learn to drill them instead of trying to uproot them and drag them off.

    My guess is that this sort of theft will increase nationwide in the next 12-24 months.
    Ken Dunckel
    Safecracker CA License #001985

    reply to this | link to this | view in thread ]

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
Insider Shop - Show Your Support!

Hide this ad »
Essential Reading
Techdirt Deals
Techdirt Insider Chat
Hide this ad »
Recent Stories
Advertisement - Amazon Prime Music
Hide this ad »


Email This

This feature is only available to registered users. Register or sign in to use it.