When the SQL Slammer worm shut down over 10,000 ATMs belonging to Bank of
America, the security industry was taken by surprise. Nobody had
suspected that such important machines were Windows PCs connected to the Internet.
Now, once again, researchers have demonstrated that the sensitive information
card holders enter into ATMs can be stolen by compromising the machines with a
Windows 0-day exploit. Martin Macmillan, business development director with ATM
security specialist Level Four Software,
said that banks have preferred common operating systems such as Windows
to give intelligence to ATMs, thus exposing them to the same risks as a home PC.
Keeping them secure translates into regular software updates and patching.
Further security problems come from poor design choices, such as implementations in which only the
PIN is encrypted while card numbers and expiration dates are sent in the clear. In the
end, the sheer number of ATMs, counting all the small machines not under the direct
control of the banks, makes it very difficult for any large-scale fix to be rolled out
in a timely fashion to prevent 0-day attacks. Another tough one!