he bogeyman of ATM security has a face-and it's Bill Gates, or more accurately, the legions of computer wonks that target Gates' Windows operating systems to test their hacking skills.

A recent revelation by Diebold that Windows-based ATMs operated by two unnamed financial institutions were affected by the W32/Nachi worm last August has heightened the concerns of bankers who are planning a switch from the OS/2 operating system to Windows.

"Security has always been absolutely the biggest issue for me," said Ted Josephson, Vice President of eBusiness and Operations for Bridgeport, Conn.-based People's Bank. "Now that this has happened, it's like 'oh no, it's a real deal.'"

With the large number of hackers and hacker wannabes who are well versed in Windows, "it's a surprise not that something happened but that things haven't happened more often," said Richard Bell, Research Manager for Retail Channels for consulting firm Financial Insights.

In contrast, OS/2, the IBM operating system that has powered most ATMs for the past three decades, never gained enough popularity to attract the attention of hackers.

"Theoretically OS/2 running on a bisync network is just as vulnerable, but how many hackers know how to do it?" said Stuart Spinner, Director of Enterprise Data Security for Concord EFS. "Outside the ATM world, there's been very little exposure to that technology. With Windows, any 16-year-old kid running a TCP/IP network in his basement can download hacking tools from the Internet."

The IP Factor

While the details of how the worm infected ATMs are shadowy, breaches apparently occurred on ATMs that were linked to networks-operated either by the bank or another company-via IP connections. While not all Windows-based machines are configured for IP, many FIs are moving in that direction to integrate their ATMs with other Windows-based channels.

"No bank is looking at Windows without looking at IP-enabling their software distribution as well. It would be too cost prohibitive to switch to Windows without looking at extending your enterprise functionality into the ATM channel," said Steve Osborne, NCR's General Manager of Enterprise Solutions for APTRA (its multi-vendor software).

"You've had IP-enabled ATMs since the late '90s, but most of them have been on OS/2 rather than Windows," he said. "There's still a threat of infection, but it's significantly reduced. Similarly, there is a threat with Windows in a non-IP environment, but it's not as great."

Others, including FleetBoston Financial, have maintained a dedicated, leased-line connection for standard ATM transactions, routing them to a Tandem mainframe via SNA (IBM's Systems Network Architecture). Newer, Web-based transactions, such as a bill payment application the bank is piloting at some 75 ATMs, are routed to Web servers via a VPN.

"We didn't want to re-invent the wheel," said Jim D'Aprile, Fleet's Vice President of ATM/Self-Service Banking, in a July interview with ATMmarketplace, noting that security concerns played a part in the bank's decision.

Such dual communications systems will likely remain popular for some time, said Bell of Financial Insights. However, he expects more FIs to switch to all-IP networks in the future to cut the costs of maintaining legacy systems, which will become increasingly costly to support as newer technologies supplant them.

"You've got to weigh the benefit of the convergence of channels versus the risk," Silva said. Including the ATM

Nachi worm notwithstanding, it's more difficult for worms and viruses to spread to ATMs because they lack e-mail capabilities, Microsoft Word programs and other common points of entry, said NCR's Osborne.

"Communication is limited to a very specific group of hosts and servers," he said. "The software should know which servers the machine is allowed to talk to, and through which IP ports."

Common-sense measures such as firewalls and virus scans dramatically reduce potential exposure to hacking, said Tom Sonby, Concord's Vice President of Technology Systems. "I'd say that 99.9% of the time, all it takes is the implementation of some very sensible procedures to minimize your exposure to attacks."

While such measures have been widely implemented elsewhere in the enterprise, few of them have made it to the ATM world because of the limited risk of exposure.

"Software security is not something that this generation of ATM executives has had to deal with much," Osborne said.

However, the ATM mindset is beginning to change, said Kevin Carroll, Director of ATM Services for Concord, which drives "several thousand" Windows-based machines and a similar number of ATMs on IP-some, though not all, of which overlap.

"For the first time, I'm seeing bank security departments get involved in discussions about ATM deployments," Carroll said. "When an ATM is Windows-based, you've got to consider it another desktop in your network. It's part of the enterprise, and you need to adopt the same security measures there that you have in place elsewhere. Don't assume that everything is OK, and that this has been done."

"This will require a whole new mindset for most IT folks," agreed Josephson of People's Bank. "If they don't stay on top of ATMs, they're going to become another potential point of compromise-unfortunately, one that's very visible to the customer."

While intrusion detection services and tools can be helpful, they tend to yield a high number of false positives, indicating breaches where they have not occurred, said Concord's Sonby. "You've got to train staff to distinguish the real from the fake."

Even with the vulnerabilities of Windows-based platforms, IP networks and the combination of the two, it would be nearly impossible for a hacker to manipulate ATM transactions to steal money, Silva said. "That would require far more resources and programming skills. It would probably have to be an internal job."

Much more likely are disruptions in service, such as the ones that occurred when ATMs were hit by the Nachi worm. In those cases, the machines' owners took them out of service to prevent further infection until security patches could be downloaded.

Plenty of Patches

Availability of patches could represent a weak link in security, Josephson said. "You just can't go out and slap patches on (ATMs). You've got to wait for the vendors to certify them."

Vendors must test patches because Microsoft does not test them with specific ATM devices and drivers, said Steve Grzymkowski, a Senior Product Marketing Manager for Diebold. However, Diebold typically makes a patch available to ATM deployers in less than 24 hours, he said.

NCR, which uses Windows XP Pro on its ATMs rather than the Windows XP Embedded (XPe) used by most of its competitors, contends that patches for XPe lag behind the release of patches for XP Pro-sometimes by several weeks.

"Microsoft has provided us information and patches very quickly for Windows XPe," Grzymkowski said. "The information and software they have provided have allowed us to turn around security patches so quickly that in at least one case, for the Blaster worm, we were able to make a patch available to our customers before it was even available for Windows XP Pro on Microsoft's Web site."

However, he added, "We make patches available to our customers. They make the decisions on when and how to implement them."

Later this month, in a partnership with Sygate Technologies, Diebold will begin shipping its Opteva and ix series of ATMs with Sygate's firewall software. Field upgrades for already-installed Windows-based ATMs will be available, and Diebold will resell Sygate's management servers.

Although most FIs already have firewalls installed elsewhere in their networks, a firewall at the ATM level "provides an additional layer of security," Grzymkowski said.

Installing firewalls at ATMs "might be a bit of a knee jerk reaction," said NCR's Osborne. "We believe it's a wiser use of resources to focus on the broader network beyond the ATM."

Sorting through all of the available security options may slow the progress of some deployers considering rollouts of Windows-based machines, said Josephson, who is trying to develop a migration plan for his bank's 230 ATMs.

"Instead of just slapping Windows in there, I think this is going to add a couple of months to the planning process," he said. "I want to be completely comfortable with patch management processes, with remote software updates and with everything else that's involved."

Link to original: http://www.atmmarketplace.com/news_story.htm?i=17641