Tuesday, June 23, 2009

Because they're idiots, that's why

Why would a bank put WiFi in their ATM machines?

BT Openzone is set to expand further with a deal to put hotspots in cashpoints, forgetting for a moment that it's not a mobile phone network, and making maximum use of the unlicensed spectrum available to Wi-Fi.

The latest deal is with cashpoint specialist Cashbox - suppliers of those stand-alone machines found lurking in the back of late-night shops and increasingly in the corners of pubs. These cashpoints, which are connected via the Link network, already have a broadband connection; so slipping a Wi-Fi access point into the box is not a great technical challenge.

You might think they did it because it was easy, but you'd be forgetting the title of this post.

Sure, technology exists to separate the banking network from the guest WiFi traffic. The problem is that this is software configurable. So how do ATMs get reconfigured to mix this traffic? The same way they get malware:

Both Svajcer and Zacheroff stressed the trojan could only be installed by someone who had physical access to an ATM, since the devices, obviously, don't have floppy drives and typically run only on private isolated networks. That means the malware could most likely be installed only with help of an insider or in the event passwords weren't managed properly.

OK, so maybe Cashbox makes so much money with these things that they can afford the inevitable breach. What does it mean to you?

1. If the ATM gets compromised, you can't tell if it's safe to use your card there. If you can't tell if it's been compromised, you shouldn't use your card there. Hint: you can't tell.

2. If the ATM gets compromised, you can't trust the WiFi. Something could easily read all the traffic you send, or receive. It could redirect you to sites of its choice. Unless you are using a VPN to encrypt everything, it's not safe.

Other than that, it's perfectly safe.

Filed under "pwned" because while it hasn't happened yet, it's a lock. About the only lock on this sad, sad story.
