Vulnerable ATMs

Slot machines include several protection solutions, but there are weak points as well.

According to press reports released in the US, hackers managed to gain access to Citibank ATMs between October 2007 and March 2008. The thieves looted at least two million US dollars by spying on PINs before capturing them. Dr. Klaus Gheri, co-founder of Phion’s Strategic Product Management, comments on the dangers associated with slot machines.

"The ATM itself is a well-secured system in a physical sense. However, the network cable coming out of the machine is not. Therefore, for security reasons, it is essential that the communication between the ATM and the central server system is encrypted. An attack on the join probably wouldn't have been successful if this simple method had been used. To this end, banks — similarly to companies employing mobile workers — must create a virtual private network (VPN) that supports both encrypted and secure communications."

However, installing an additional software solution for encryption may violate service-level agreements already with vending machine manufacturers. Thus, the only possible measure is to encrypt communication within the system and provide protection against attacks from the network through the firewall / VPN devices, Phion believes. The challenge for banks is to install VPN boxes directly in ATM cabinets. Here, however, there are space constraints, and machines placed outdoors are subject to huge temperature fluctuations depending on the season. In addition, traditional VPN management solutions cannot cope with a large number of sites, and on-site service can be too costly.

"Attacks against ATMs require serious expertise and a huge effort. Consumers are much less likely to experience such an attack than credit card fraud.” — added the Phion specialist.

The case of Citibank has so far only been published as part of legal proceedings against the attackers, and their fraud methods are not yet known. All you know is that their attacks were carried out remotely without getting close to the ATMs. The ATMs concerned were operated by external companies on behalf of Citibank.