Today an article revealed that hackers are stealing money directly from ATM machines and, better yet, nobody can stop these attacks as they spread across the world. For those following these types of events, this is just another failing of the SWIFT system that is plagued by hackers.
Do you think the hackers are charged withdrawal fees like the rest of us?
The Same Problem
While an ATM machine might appear to be completely disconnected from topics of our prior blogs, the reality is that these machines are simply connected devices. As such, the same exact problems exist – namely incomplete security protection. For SWIFT, this typically translates into a lack of device identity, no concept of a full stack of security and equating security to simple encryption techniques.
Without identity, as I have stated before, connected devices are akin to dementia patients as they do not know who they are. These devices, just like many people with advanced dementia, are compelled to communicate and will, therefore, talk with anybody and everybody they can find. Giving such a device, or patient, special codes to protect what they are communicating does not work as the devices, like the patients, will desperately toss aside this protection in order to talk.
A full stack of security not only includes self-identification, it also requires authenticating everybody else. This might seem to be common sense in that “do not talk to strangers” way, but this simple step is very rarely enforced. Once everybody knows one another – and heavy Internet connections are not required to accomplish this goal – then communications can be locked down. This appears to be so simple – know yourself, know the people around you and only talk with those people you are allowed to talk with.
That level of security alone would stop malware from spreading, end the constant stream of data to hackers and stop almost every type of intrusion today.
The last part of this equation is encryption which, in the way these ATM machines communicate, just does not work today. The dirty secret in the encryption world is that most protection is meant for short-duration conversations. This makes sense, as modern encryption techniques were developed to protect humans browsing the Internet, and those communications can be measured in minutes and hours.
ATM machines, and most connected devices, have long-running conversations that can last days, weeks and years. ATM machines often employ one encryption algorithm and key and then hope that everything will be fine despite the evidence to the contrary. What is required is an independent protection scheme that rotates algorithms and keys constantly without interfering with the data being sent between endpoints.
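A minimal sketch of the rotation idea described above, added here as an illustration and not taken from any ATM or SWIFT product: both endpoints derive a fresh MAC key, and switch hash algorithm, every few messages from a shared root secret, while the payload itself is carried unchanged. The `Ratchet` class, `REKEY_EVERY`, the algorithm list and the sample secret are assumptions, and the sketch covers message authentication only, not encryption.

```python
import hmac

ALGS = ("sha256", "sha3_256", "blake2s")  # assumed rotation set
REKEY_EVERY = 3                           # assumed; small so the demo rotates

class Ratchet:
    """One end of a long-running link; both ends hold root_key (provisioned out of band)."""
    def __init__(self, root_key: bytes, link_id: bytes):
        self.chain = hmac.new(root_key, b"init|" + link_id, "sha256").digest()
        self.seq = 0
        self._advance()

    def _advance(self):
        # Derive this epoch's MAC key, then step the chain so the old state is gone.
        self.alg = ALGS[(self.seq // REKEY_EVERY) % len(ALGS)]
        self.key = hmac.new(self.chain, b"mac-key", "sha256").digest()
        self.chain = hmac.new(self.chain, b"next", "sha256").digest()

    def _tag(self, payload: bytes) -> bytes:
        return hmac.new(self.key, self.seq.to_bytes(8, "big") + payload, self.alg).digest()

    def _step(self):
        self.seq += 1
        if self.seq % REKEY_EVERY == 0:
            self._advance()

    def protect(self, payload: bytes):
        frame = (self.seq, payload, self._tag(payload))  # payload is carried unchanged
        self._step()
        return frame

    def verify(self, frame) -> bool:
        seq, payload, tag = frame
        if seq != self.seq or not hmac.compare_digest(tag, self._tag(payload)):
            return False  # forged, replayed or out of order: state does not advance
        self._step()
        return True

def demo():
    root = bytes(range(32))  # constructed sample secret, not a real key
    atm, host = Ratchet(root, b"atm-0001"), Ratchet(root, b"atm-0001")
    frames, keys = [], set()
    for i in range(7):
        keys.add(atm.key)
        frames.append(atm.protect(b"status %d" % i))
    accepted = [host.verify(f) for f in frames]
    return accepted, len(keys), host.verify(frames[0])  # last value: replay attempt
```

An endpoint that does not hold the root secret, or that replays an old frame, fails `verify` without desynchronizing the legitimate pair.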
To be clear, hackers are not constantly cracking encryption – the hacked ATMs are victims of malware being spread across the SWIFT network.
There is no need to break encryption when everything else is completely open and inviting.