ATM Security Risk

In August 2003, two US banks experienced the first case of a Windows-based virus to ever infect an ATM. Although a single ATM vendor took the brunt of negative press, any Windows-based ATM on the affected networks may have been impacted, or at least were susceptible to the same infection. New research from TowerGroup looks at the growth of this new threat, and explores how the clean room environment used by the semiconductor industry to eliminate contaminants may hold valuable lessons for the financial service industry. Highlights of the research include: - Viruses, worms, exploits and other malicious software have grown beyond the threat to home users and corporate e-mail systems. They now threaten the very networks that process our financial information and transactions, like ATMs. - While the Windows platform is not inherently less secure than competitive products, it is open to a larger number of users and - most significantly - more open to users that mean to inflict damage through the creation of viruses and other types of attacks. - Banks have spent millions of dollars implementing network firewalls to prevent unauthorized access from hackers dialing in from home. Yet they place ATMs on street corners and bypass firewalls by connecting those machines directly to the network. ATMs have always been viewed as trusted resources, so most ATM networks are exempt from security policies - a dangerous mindset that must change with the times. - Like the semiconductor industry, financial institutions may have to resort to creating software clean room environments to protect the purity of the systems they operate - not just for ATMs, but for every business system that could be affected by a virus or other contamination. The software equivalent of a clean room would offer increasing levels of security that ring the development and deployment of critical systems. This would be a major shift from todays security protocols, which tend to deal solely with generic threats with little or no differentiation in policy and process between the corporate network and the networks that operate the banks business.