CONTINUED:
Windows-based cashpoints at risk of hijack

Mark Webb-Johnson, CTO of Network Box, said in the report: "The ATM industry is presented with the same security issues that we all face with our workstations that are connected to internet. A compromised ATM could result in a network being forced offline, and/or lost customer data and stolen identities."

Gyan Chawdhary, senior security consultant with IRM, told silicon.com the shift among cashpoints to modern PC infrastructure means it now only requires minimal programming knowledge to hack ATM machines successfully once access had been gained to its system.

Chawdhary said: "If you are a programmer and you have some programming experience then it is a cakewalk. If an exploit will work on a home or office computer then it will work on these ATMs."

Researchers from IRM were even able to unlock and clear out the safes in two out of the three UK cabinet cashpoints, opening the safe using a default key code they obtained from a safe manual online.

They also reset the cabinet cashpoints software using a piece of wire jammed into the receipt slot, giving them access to the engineering mode where they could control the machine.

Macmillan added that the stability of the Windows-based cashpoints was worse than their OS2-based predecessors, saying some cashpoints suffered downtime of up to 30 per cent.

Link, the company that runs more than 61,000 cash machines in the UK, said there are stringent measures in place to prevent anybody from accessing its systems and that it will immediately shut down a network the moment it detects an intrusion.

Graham Mott, a senior Link spokesman, said: "The Link network takes the threat of a criminal attack very seriously and is constantly looking for ways to enhance system security."

Network Box warns that the software firewalls used to protect cashpoints are not able to prevent DoS attacks or harvesting of consumer's personal data after the data travels through the bank's network.

It says the most effective way to protect from these new threats is to use a multifunction device with routing, firewall, intrusion detection system/intrusion prevention system and VPN capabilities, positioned in front of, and protecting, the ATM network.

It adds this device should be separated from the rest of the bank's network and that all traffic coming out of the cashpoint should be encrypted.