By Tracy Kitten
Security is an interesting topic. We're all concerned about it, but we often overlook the most fundamental things.
Yesterday, I tapped a few bankers for comments about ATM security. In particular, I was fishing for some reaction to last week's ATM hack at the Black Hat Technical Security Conference. Two Windows CE-based ATMs were breached during a staged attack by security expert Barnaby Jack.
The ATMs - a Triton RL2000 and a Tranax 1700 - are most often deployed by retailers, community banks and credit unions. As Lilia Rojo, the director of operations for the $476 million El Monte, Calif.-based SCE Federal Credit Union, points out, credit unions are often looking for less-expensive ATM alternatives, relative to those produced by NCR and Diebold. "But we still want to know that the machines are secure," she says.
The Triton and Tranax ATMs are lower-volume machines, so they make sense for locations that aren't getting hit with, say, 2,000 cash withdrawals a month. But are they less secure? "It's certainly unsettling," Rojo tells me. "Not having the technical expertise, you rely on the manufacturer to help you with something like this - to stay one step ahead of these problems."
The problems Rojo refers to include the ease with which Jack showed how any hacker could access an ATM's operating system and ultimately take it over. In one case, Jack bypassed the ATM's remote management system. In another, he walked up and physically accessed the ATM's PC and infected it with malware saved to a thumb drive.
The former mode of attack is definitely disturbing: Jack bypassed the Tranax RMS. Triton, whose ATM was attacked with malware carried on a thumb drive, responded to the hacking of its authentication methodology with a patch.
How many institutions have downloaded and installed the patch? How many even know about the patch? That's definitely a concern. But more concerning is that the latter breach again exposes a security gap that has come up several times in recent weeks. With ease, Jack opened the ATM's enclosure with a universal key he ordered over the Internet.
To read the entire article, click here - http://blogs.bankinfosecurity.com/posts.php?postID=651&rf=2010-08-13-eb
Saturday, August 14, 2010