Friday | 10 July, 2009
CSO
Citibank debit card fraud highlights ATM vulnerabilities
'Back-end servers are kind of a joke,' and the trouble doesn't end there
Jaikumar Vijayan (Computerworld) 08/07/2008 08:17:53

Any number of possible problems

The lack of detail surrounding the intrusion that affected Citibank customers has led to considerable speculation as to how it might have been perpetrated. Some media reports have suggested that unencrypted card and PIN data were grabbed by some sort of malicious sniffer code as the data passed through the compromised server. Others have suggested that the data might have been stored on the compromised server and grabbed directly from there.

Whatever method was used, notes Jim Stickley, the incident highlights how vulnerable the ATM infrastructure is to targeted attacks. Stickley is chief technology officer for TraceSecurity, a risk and compliance management vendor with several banking customers.

"People make this assumption that if it's an ATM it must be secure and that banks are doing everything they need" to protect customer data, Stickley said. But in reality, "the back-end servers are kind of a joke."

For instance, as part of the vulnerability testing that TraceSecurity does for banks, it has routinely discovered back-end ATM servers that were far behind on needed security patches, Stickley said. Many banks are concerned about software patches crashing their ATM systems and often prefer to wait before installing them; software vendors that issue patches sometimes instruct banks to wait as well for the same reason. The result is that sometimes ATM systems can fall months behind on needed patches, Stickley said. This is true not just of Windows-based machines but also of back-end systems running virtually any other operating system.

In addition, servers that process ATM transactions often are not put on a separate network segment, but on the same network backbone as other enterprise systems, he said. The result is that ATM card data is quite often accessible by anybody on the network who knows how to look for it: "If I am a teller I can go and start sniffing on the network and see traffic passing to the ATM server." Such "flat networks" give attackers a potential way to get at ATM card data simply by breaking into a vulnerable client system and using that as a beachhead to reach other parts of the network, he said. "The way it is supposed to be is [banks] should have ATM data off on its own segment where no one can see it," except for those who need to.

Increasingly hackers are taking advantage of such vulnerabilities to target back-end banking systems that process ATM transactions, according to Ben Feinstein, a security researcher at security vendor SecureWorks. There is a growing realization that breaking into such servers can yield several orders of magnitude more cardholder data than breaking into an individual ATM machine, he said.

"People assume that these things are highly secure and that there are standards in place for ensuring that PIN numbers are encrypted and that transaction data is not stored," Feinstein said. But based on the amount and kind of cardholder data that SecureWorks has found being traded in the underground, this is clearly not the case.

What's more, an entire industry has evolved to support such malicious activity. There are numerous suppliers available today who can provide blank credit cards, magnetic encoders, card readers and other material needed to manufacture fraudulent cards. Feinstein notes that "You can source these little holograms (that some banks emboss on cards) for a couple of pennies."

The move by many banks to link their ATMs to IP-based networks has also raised their vulnerability profile over the past few years, commented John Abraham, president of Redspin, an auditing company. In the past, when ATMs were connected to back-end servers mainly over proprietary or private networks, it didn't matter much if ATM transaction data and PIN information were transmitted unencrypted. But the same information traversing an IP-based network is more vulnerable to man-in-the-middle, spoofing and other types of attack, Abraham argued in a whitepaper two years ago. The risks are especially severe for ATMs located outside of banks in places such as grocery stores, where the machines are simply plugged into a standard Ethernet outlet in the wall. Abraham says many of those issues remain unaddressed.

Completing the ugly litany of trouble, ATM terminals themselves are often not current on needed patches and run unnecessary services such as FTP and file sharing, which give malicious intruders more potential attack surfaces. Exacerbating that problem, Abraham noted, is the fact that sometimes there is confusion over who might actually be responsible for operating, maintaining and securing an ATM that is located at exterior locations such as grocery stores and bodegas.
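The two hardening points above, Stickley's call for ATM traffic on its own segment and Abraham's note about terminals running unnecessary services such as FTP and file sharing, are the kind of thing an auditor checks against a host inventory. The script below is an added example written for this page; it is not code from TraceSecurity, Redspin or any bank. The inventory, segment names and IP ranges are constructed, and the list of "unneeded" ports is an assumption for illustration.

```python
"""Audit a host inventory for two ATM-network weaknesses described in the article:
(1) ATM servers/terminals sharing a network segment with non-ATM hosts ("flat network"),
(2) ATM endpoints exposing services they do not need (FTP, SMB, telnet, NetBIOS).
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    role: str                           # e.g. "atm_server", "atm_terminal", "teller_ws"
    ip: str
    listening: frozenset = frozenset()  # TCP ports observed listening on the host


ATM_ROLES = {"atm_server", "atm_terminal"}

# Assumed list of services an ATM endpoint has no business exposing (port -> label).
UNNEEDED_SERVICES = {21: "ftp", 23: "telnet", 139: "netbios", 445: "smb"}

# Constructed sample inventory: the "ATM_ZONE" is the dedicated segment,
# "CORP_LAN" is the shared backbone that tellers and other staff sit on.
SEGMENTS = {
    "ATM_ZONE": ipaddress.ip_network("10.99.1.0/24"),
    "CORP_LAN": ipaddress.ip_network("10.20.0.0/16"),
}
INVENTORY = [
    Host("atm-sw01", "atm_server", "10.20.5.10", frozenset({22, 443})),       # on the corp LAN
    Host("teller-ws17", "teller_ws", "10.20.5.44", frozenset({445})),
    Host("atm-term-grocery", "atm_terminal", "10.20.5.80", frozenset({21, 443, 445})),
    Host("atm-sw02", "atm_server", "10.99.1.10", frozenset({443})),           # correctly segmented
    Host("hsm-proxy", "atm_server", "10.99.1.11", frozenset({443})),
]


def segment_of(ip: str, segments: dict) -> str:
    """Return the most specific segment containing ip, or UNASSIGNED."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in segments.items():
        if addr in net and (best is None or net.prefixlen > segments[best].prefixlen):
            best = name
    return best or "UNASSIGNED"


def flat_network_findings(inventory, segments):
    """One finding per ATM-role host that shares a segment with any non-ATM host."""
    by_segment = defaultdict(list)
    for h in inventory:
        by_segment[segment_of(h.ip, segments)].append(h)
    findings = []
    for seg, hosts in by_segment.items():
        atm = [h for h in hosts if h.role in ATM_ROLES]
        other = [h for h in hosts if h.role not in ATM_ROLES]
        if atm and other:
            peers = ", ".join(o.name for o in other)
            for h in atm:
                findings.append(f"{h.name} ({h.role}) shares segment {seg} with non-ATM hosts: {peers}")
    return findings


def unneeded_service_findings(inventory):
    """(host, port, service) for every unneeded service listening on an ATM-role host."""
    findings = []
    for h in inventory:
        if h.role not in ATM_ROLES:
            continue
        for port in sorted(p for p in h.listening if p in UNNEEDED_SERVICES):
            findings.append((h.name, port, UNNEEDED_SERVICES[port]))
    return findings


def audit(inventory=INVENTORY, segments=SEGMENTS):
    return {
        "flat_network": flat_network_findings(inventory, segments),
        "unneeded_services": unneeded_service_findings(inventory),
    }


if __name__ == "__main__":
    for category, items in audit().items():
        print(f"== {category} ==")
        for item in items:
            print("  ", item)
```

Running it against the constructed inventory flags the two ATM endpoints left on the corporate LAN next to a teller workstation, and the grocery-store terminal for listening on FTP and SMB; the hosts inside the dedicated ATM segment produce no findings. In practice the inventory would be fed from a CMDB or a port scan of the bank's own address space, and the segment map from the firewall or router configuration.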
