ATM Security Flaws The Latest Threat To Worry About
from the oh-great dept
If basic identity theft threats weren't worrying you already, MSNBC has a nice report on a potentially big security hole in the ATM system, basically pointing out that there are points on the network where PIN information is unencrypted and could be grabbed. It's not necessarily easy to do, but it is possible and highlights how previous claims about the security of ATM networks isn't actually true. The article quotes a bunch of financial service folks claiming that it's really no big deal, that they've known about this issue for a while, the hole will be closed soon and it's highly unlikely anyone would actually be able to use this. Except, of course, MSNBC notes that the Secret Service has already found plenty of discussions among Russian organized crime groups who have been working hard to break ATM security in order to create cloned ATM/debit cards in order to drain people's accounts. The end result, is that it sounds like this is a serious weakness, but one not easy to exploit. Russian organized crime groups are working on it, though, so it would seem that no matter how small the risk is, it certainly sounds like something financial institutions should pay attention to. The risk is always small until someone breaks in -- but by then it's often too late.
Reader Comments (rss)
(Flattened / Threaded)
A security WHOLE
lol .... don't rely too much on your spell checker !!!
(reply to this comment) (link to this comment)
Re: A security WHOLE
Whoops. Thanks for pointing it out. Fixed now.
(reply to this comment) (link to this comment)
According to the referenced MSNBC article, one way for a consumer to avoid the vuneralbility in question, would be to only do business with a bank that owns the switches that scramble and de-scramble the Pin Blocks as they are transported along the various networks.
(reply to this comment) (link to this comment)
Fake ATM's coming to your town
The security is getting weaker in the UK because of the banks policies. They don't like ATMs. They don't like cash money and would abolish it in a stroke if they were able. They are far too "expensive" to run. I know this because I've spoken directly with people involved in making these policies. The current direction is to allow the ATM business to be privatised.
In England today you can find hundreds of thousands of privately owned and run ATMs. You get them in the poorest areas where they are installed in bookies (gambling houses), next to off licenses and on streets where the drug trade is known to be high. Don't take my word, come here and see it for yourself. Aside from the criminally complicit lack of morality demonstrated you will find they charge you a "fee" for having access to your own money, about $2 per withdrawal.
Now, all this would be easy enough to swallow if you were a cold hearted social-Darwinist, but nobody has stopped to think about the obvious security implications (or maybe they have and it's part of the plan to undermine confidence in cash money).
Basically anybody can run one of these things, any fligh-by-night crook can obtain one. Shops and bars that run them come and go. So if you are in a pub in a dodgy suburb of Manchester and you go to use a "cash machine" what makes you so sure it's run by a trustworthy business? You have no assurance whatsoever. Anyone could modify or contruct a plausible looking cash machine that skimmed the PIN and account info.
Of course the banks have never taken security seriously. There's two reasons for this. Firstly they have such obscene quantities of money they can afford to ignore even massive frauds and write it off as leakage. Secondly they are in a business that requires absolutely no accountability to their customers.
(reply to this comment) (link to this comment)
Re: Fake ATM's coming to your town
shows how much you know, there was a Bank of America that got closed down in my neighborhood because there security was too lax. The government shut them down because the government insures them. It's funny how they do their job when it's their insurance money on the line
(reply to this comment) (link to this comment)
Re: Re: Fake ATM's coming to your town
This guy isn't talking about America. He is talking about several places in Europe. The physical security in banks is pretty strong, however, the virtual security verys from bank to bank.
(reply to this comment) (link to this comment)
The Russian Mafia IS doing this!
I work at a bank and I can say that we've had an explosion of Russian people recently come in to open accounts. Perhaps this explains it?
(reply to this comment) (link to this comment)
Re: Re: A security WHOLE
While you're at it, you could also fix "highlights how previous claims ... isn't actually true."
(reply to this comment) (link to this comment)
Fool me once, ...
The thing that bothers me about this is the revelation that past statements I remember from the banking industry were apparently false: The public claim that once the PIN was encrypted at the ATM it could only decrypted at the issuing bank (not by every Tom, Dick ,and Harry network switch middle man in between).
Also, does it bother anyone that the hardware security modules (HSM's) that process PIN's are made by companies like Hewlett Packard with a history of spying on people?
(reply to this comment) (link to this comment)
its only a matter of time before people find ways to make convincing looking *fake* ATM machines, putting them in shady areas of town, that just keep your card when you insert it...
(reply to this comment) (link to this comment)
C'mon guys...
I cant tell you how many PIN's I've had access to in the past few years. Pay attention when your standing in line at Seven-Eleven or pumping gas. Almost everyone who uses the touchpad to input thier PIN's doesn't even think to hide thier number- I can easily see what thier typing. Don't beleive me? Go try it on your lunchbreak, you'll see.
Just because a 'possible' flaw is pointed out dosen't mean the word of banking is coming to an end. No system is ever going to be fool-proof- if someone wants something bad enough, they'll get it. The only difference between the normal guy and the victim is a little common-sense.
(reply to this comment) (link to this comment)
Better Yet
My first post. but just think of this. fake machine. one that reads all the data off your card, pulls your pinn. then it gives you a messages of technical difficutlies. then a couple of weeks down the road. someone takes off with your money. would you remember were that ATM was or even that you tried to use it?
(reply to this comment) (link to this comment)
Re: Better Yet
(reply to this comment) (link to this comment)
ATM Security Products
Nice post. I work in the ATM industry and this is something we take very seriously. We've recently purchased a new ATM security system through Diebold and everything has been performing exactly as we wanted. I found this link on their website, if you want some more info: Security Monitoring
(reply to this comment) (link to this comment)
Add Your Comment