A report from ENISA (European Network and Information Security Agency) shows ATM attacks costing nearly half a billion euros in Europe.
http://www.enisa.europa.eu/doc/pdf/publications/ATM_crime.pdf
What I found interesting is this quote…
“ATMs communicate with the banking systems through a network connection. Some of these connections use private networks and proprietary network protocols but more often these connections now occur via the Internet and using standard network protocols.”
Wow… I didn’t think anyone actually connected their ATMs directly to the Internet or even gave them Internet access… So, some best practices? Most of these are probably common sense, but after reading that statement, I wonder:
- What bank connects its ATMs directly to the Internet? Probably a bad idea, period.
- All traffic should be forced through a VPN appliance of some sort that maintains a persistent VPN. This includes all administrative traffic to/from the device and any other associated devices (environment devices, network devices, etc…).
- The VPN client appliance should probably not be addressable on the Internet in any way. Total stealth is called for here.
- The subnets or address space reserved for ATMs should not have ANY direct Internet access, and probably shouldn’t even have indirect access through a corporate network, proxy, firewall, etc… either. Since most ATMs are Windows-based, giving an ATM Internet access is just asking for trouble. And please… do not ask me “but how am I going to get it patched???”
- Any device should yield no recoverable information when it is powered down or physically removed. If it is a Cisco device, the command “no service password-recovery” is useful here: it disables the ROMMON password-recovery procedure, so someone with console access has to wipe the configuration rather than read it.
- The access side of the VPN device should be restricted and controlled so that not just anything can be plugged into it. Something like IEEE 802.1X would be useful here.
- Client-side communication should be encrypted as well. Yes… I know, that’s double encryption… so what? A network skimmer or other inline device could be introduced into the connection on the access side of the VPN, which would render the VPN useless. Use SSL/TLS for the ATM traffic, and SSH backed by a properly deployed PKI and one-time passwords for management.
- Don’t dual-use the Internet connection. If there’s an ATM here, keep it dedicated for that… don’t try to stick other things, unless they’re part of the system (like a camera and/or alarm), on the connection.
- Don’t use wireless on the client side, and don’t count on GSM to protect the confidentiality or integrity of the system! Use a real IPsec VPN.
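The controls in the list above, gathered into one site-router configuration as an added illustration; this is not from the post or the ENISA report. Cisco IOS syntax is assumed because the post names it; every address, VLAN number and the RADIUS key are constructed placeholders, and the PKI trustpoint behind “authentication rsa-sig” is assumed to be enrolled separately.

```cisco
! Assumed Cisco IOS; addresses, VLAN 10 and RADIUS-KEY-PLACEHOLDER are constructed
! Physical recovery wipes the config instead of revealing it
no service password-recovery
! 802.1X: only an authenticated ATM may use the access port
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
ip radius source-interface Vlan10
! Persistent IPsec tunnel to the bank concentrator, certificate-authenticated
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set ATM-TS esp-aes 256 esp-sha256-hmac
crypto map ATM-VPN 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set ATM-TS
 match address ATM-TO-CORE
! Only ATM-subnet traffic bound for bank core networks enters the tunnel
ip access-list extended ATM-TO-CORE
 permit ip 10.200.1.0 0.0.0.255 10.0.0.0 0.0.255.255
! ATM subnet: no Internet path at all, direct or indirect; everything else is logged
ip access-list extended ATM-IN
 permit ip 10.200.1.0 0.0.0.255 10.0.0.0 0.0.255.255
 deny ip any any log
! WAN side: only IKE and ESP from the concentrator, nothing else answered
ip access-list extended WAN-IN
 permit udp host 198.51.100.10 host 203.0.113.2 eq isakmp
 permit udp host 198.51.100.10 host 203.0.113.2 eq non500-isakmp
 permit esp host 198.51.100.10 host 203.0.113.2
 deny ip any any log
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip access-group WAN-IN in
 no ip redirects
 no ip unreachables
 crypto map ATM-VPN
interface FastEthernet0/1/0
 description ATM port, 802.1X authenticator
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 authentication port-control auto
interface Vlan10
 ip address 10.200.1.1 255.255.255.0
 ip access-group ATM-IN in
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

The default route exists only so the router can reach the VPN peer; WAN-IN and ATM-IN together mean the ATM itself never gets a path to anything but the bank’s core networks through the tunnel.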
Again… pretty much common-sense stuff here. I still wonder: if it’s so ordinary and apparent, why is the idea of connecting an ATM to the Internet even remotely palatable?