How Secure Are ATMs?

Security experts posit that lower-volume machines might be less secure.

August 18, 2010

LAS VEGAS - Are the ATMs most used by retailers, community banks and credit unions less secure? That??s the question posed by Tracy Kitten on Banking Information Security Blogs. During the Black Hat Technical Security Conference this summer, a security expert demonstrated how easy it was to hack into two Windows CE-based ATMs: a Triton RL2000 and a Tranax 1700.

Triton and Tranax ATM are lower-volume machines, so that??s why retailers and other firms like to use them. But no matter what machine is used, merchants and banks expect ATMs to be secure.

"Not having the technical expertise, you rely on the manufacturer to help you with something like this-- to stay one step ahead of these problems," said Lilia Rojo, director of operations for SCE Federal Credit Union.

The security expert detailed how easy a hacker could go into an ATM??s operating system and hijack it. One way to foil hackers is to have security patches routinely updated.

Then the security expert used a universal key he got via the Internet to open the ATM??s enclosure. With universal keys an industry standard, all ATM manufacturers make unique keys for the physical locks on ATM enclosures.

Retailers should order a unique key for their ATMs as an added layer of security. Bob Douglas, vice president of engineering for Triton Systems, maker of the RL2000, said that not many merchants or banks ask for a unique key. "Almost always, universal keys are used," said Douglas.

Kitten also pointed out that retailers could use unique keys instead of universal access keys for pay-at-the pump terminals, which would significantly reduce the number of skimming devices installed at gasoline pumps.

NACS recommends having regularly updating ATM software patches, installing a uniquely keyed locks and security tape seals for each ATM as the best way to prevent fraud.

Advertisement
Advertisement
Advertisement