“Cash point machines themselves are safe, but the cables are not”

7 July 2008

It has emerged that hackers in the US gained access to ATMs operated for Citibank between October 2007 and March 2008. The thieves stole at least two $2 million before being caught. Dr. Klaus Gheri, Chief Technology Officer at phion, one of the leading European suppliers for corporate communication protection solutions with numerous clients in the banking sector, comments on the dangers associated with cash point dispensers.

“The ATM itself is a well-secured system in physical terms. But the network cable leading out of the machine is not. So for security reasons it is imperative that communications are encrypted between the cash dispenser and centralised server systems. An attack on the connection would probably not have been successful if this simple method had been implemented. For this purpose banks – just like companies with mobile employees - must set up a Virtual Private Network (VPN), which facilitates both encrypted and secured communications.

“However, installing an additional software solution for this encryption can infringe existing Service Level Agreements with the cash point machine manufacturers. So the sole remaining measure is to encrypt the systems’ communication and to provide protection against attacks from the network using a Firewall/VPN-Box. The challenge facing the banks is to install such VPN-Boxes directly in the ATM casing. But there are space restrictions here and machines located outside are subject to enormous temperature fluctuations depending on the season. In addition to this conventional VPN management approaches cannot cope with the high number of locations – and providing onsite service is just too costly, for example, Link alone has over 61,000 cash point machines in the UK. This means that external and foyer-based cash point machines are a known security risk. One of the largest German private consumer banks had the foresight to implement such a solution with phion and is now protected against attacks of this nature.”

Consumers should not panic as a result of this theft. A cyber attack of this nature requires expert knowledge and an enormous effort. For private consumers the likelihood of being affected by such an attack is much lower than that of a credit card fraud.

The case has only been publicised as part of the legal proceedings against the three attackers and their fraudulent methods are still unknown. All that is known is that they conducted their attacks remotely, without coming close to the cashpoint machines. The ATMs in question were operated by external companies on behalf of Citibank.

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development