CUPERTINO, Calif. – As though credit union ATM deployers don't already have enough to worry about with steadily more savvy ATM thieves, violent attacks outside ATMs and the cost of upgrading ATMs to match new security and government regulations. Now there is increasing evidence that ATMs may be particularly vulnerable to so called network worms and viruses. Network worms and viruses are those electronic infections that can move from machine to machine and network to network without ever having to have any human cooperation at all. Unlike other more familiar computer viruses that move through networks by relying on computer users to click on links or download something, network worms and viruses take over machines and send themselves through network connections independently of human contact or action, explained Todd Thiemann, Director, Device Security Marketing for Trend Micro. Trend Micro is a Japanese-owned firm which specializes in network security and virus protection and which is headquartered in Tokyo. The company's North American offices are headquartered in Cupertino, California. The risk of network worms and viruses to ATMs has been small but growing for some time, Thiemann explained, helped along by the steady migration to machines which use Microsoft Windows as an operating system. More than 70% of new ATMs being shipped today use Microsoft Windows, Thiemann reported. The increasing use of TCP/IP lines also opens ATMs to vulnerability, Thiemann explained. TCP/IP lines allow an ATM to stay "online" all the time, as opposed to ATMs which use a dial-up protocol to connect to their networks whenever they make a transaction. "TCP/IP lines are very good for their efficiency and their increased use reflects that," Thiemann pointed out. "Unfortunately the same structure that makes them more efficient also leaves them vulnerable to network worms and viruses." Part of the problem is that Windows has revealed a number of different vulnerabilities over the last four years, Thiemann added. Microsoft has addressed each of these with patches which it announced prior to widespread infection, but the length of time between when the Seattle-based computer giant has announced a patch and virus and worm writers have developed malicious code to exploit that vulnerability. According to Thiemann, there were 336 days in 2000 and 2001 between when Microsoft announced a patch and someone wrote the NIMDA virus that exploited that vulnerability. In 2004, only 18 days separated the announcement of a patch and the development of the SASSER virus that exploited the vulnerability. "This means the IT and network security officers for credit unions, if they have them, have a shrinking amount of time to act to protect their institutions' networks and machines from when vulnerability becomes public and when an attack might come," Thiemann said. Trend Micro's solution to this vulnerability is the Network Virus Wall 300, a device that actually sits inside an ATM or an ATM server and checks the packets of information coming to and from the ATM. Any that meets the criteria for being a virus or worm, Thiemann said, trigger the Virus Wall to shut down the ATM to isolate it and prevent any other machines from being infected. "The problem is that the infections can even come from a technician with an infected laptop," Thiemann said. "Or from another device on the network or within a network," he explained. Although little information about attacks on ATMs has been made public, he added, sometimes news of infections leaks out. In January of 2003, the Slammer worm took down 13,000 ATMs owned by the Bank of America. The Canadian Imperial Bank also suffered network damage from this worm. In August of the same year the Nachi worm hit two ATM networks but these were never named in the press, Thiemann explained. Thiemann said the pricing for the network protection would vary from client to client but said it would include both the hardware for each ATM and switch and then an ongoing subscription fee which would keep the Network Virus Wall devices updated as to the most recent virus attacks. "I think the question is not whether an attack is going to come, it's when," Thiemann said. "ATM deployers just have to be ready for it," he said. -

[email protected]