I was appalled to read a white paper on ATM security this week from Redspin (www.redspin.com), a Californian security auditing company.
The paper found that the continuing trend by banks to take ATMs off proprietary networks and put them on the banks' own TCP/IP networks is introducing new vulnerabilities in the ATM transaction environment.
The reason? Most ATM transaction data is not encrypted and can be more easily compromised when it is traversing an IP network than when it is carried over dedicated lines, says the paper.
Amazingly, it is not the banks that are to blame (for once) for the move to an all-IP network, as banking regulatory authorities, as well as international ATM networks, now require banks to move from DES to triple DES encryption.
As a result, most banks are migrating their cash machines from proprietary networks to open TCP/IP.
Redspin says that, apart from the PIN data, all other ATM transaction details, such as the card number, expiration date, account balances and withdrawal amounts, frequently remain unencrypted.
Bottom line? A hacker gaining access to a bank's network can see all the cardholders' card data flowing across the system. No PINs, of course, but enough to clone thousands of cards.
This really isn't good enough...