Windows-based cashpoints at risk of hijack

Security experts have hacked cashpoints to show how easy it is to steal money and bank account details from modern cash machines.

Cashpoints today face the Internet-born threat of worms and denial of service attacks, as well as being at risk from malware that can harvest customer data or hijack machines.

Up to 90 per cent of the cashpoints in the UK could be at risk from these attacks as they rely on desktop PC technology -- usually Intel hardware and Windows operating systems -- linked to other machines, some connected to the Internet, in the bank's network, according to experts.

Security vendor Network Box illustrated this threat by showing that only the PIN number was encrypted when information was sent from a US cashpoint to networked bank computers.

The card numbers, card expiry dates, transaction amounts and account balances were clearly readable in plain text to anybody intercepting the data as it travelled through the network.

'Cabinet' cashpoints, commonly found in shops, pubs and restaurants, potentially face an even greater danger -- with researchers from Information Risk Management (IRM) able to open their safes and take them over.

IRM used a key bought off the Internet to unlock the cabinets of three ATMs, allowing its analysts to install software that logged customer's bank details or dispensed money on command.

An early warning of this insecurity in modern cashpoints came in 2003 when the Nachi Internet worm infiltrated "secure" networks and infected cashpoints from two financial institutions, while the SQL Slammer worm indirectly shut down 13,000 Bank of America cashpoints.

Martin Macmillan, business development director with cashpoint security specialist Level Four Software, said: "The technology behind ATMs has changed dramatically over the last few years. Banks have largely moved their ATMs across to run operating systems such as Windows connected to a greater range of servers over an IP network.

"It creates a lot of security issues because an ATM becomes like a PC with attached devices -- it has to be kept up to date with hot fixes and patches. It is a much more complex beast and the security aspects of that need to be at the forefront of a bank's mind."

He said it is important for banks to be able to monitor cashpoint systems at the Windows level for any security holes and to be able to shut the network down in a controlled manner if any problems arise.