Are there any international or US mandated standards and regulations that apply to communications between automatic teller machines and bank's central office? Are banks or ATM operators subjected to periodic audits that include ATM security controls? Who/what guarantees that the communications between the bank and ATM cannot be faked or tapped for malicious exploitation?

Thomas Pornin
Drew Lex

2 Answers

MasterCard and VISA enforce very strict regulations on any system which operates in any way in the vicinity of their precious credit cards. If a bank or an ATM operator lets the communication be tapped, then the VISA thugs will skin them alive, trample their organs, then expose their dismembered bodies on the Wall Street Bull, as a warning to other banks. Their fierceness is much higher than what any public administration could ever hope to achieve, because this is about important stuff (money). This is private business, with contracts; the legislator did not meddle with this beyond asserting that customers are not ultimately responsible unless proven otherwise (thus forcing banks to take their responsibilities).

Tom Leek
  • Are you saying that banks have to be PCI compliant? – Drew Lex Jan 30 '13 at 13:42
  • The parts of banks dealing with card data are supposed to be PCI compliant, yes. They tend to get in a lot of trouble when they are found to be non-compliant. – Rory Alsop Feb 01 '13 at 10:16
  • This is one of my very favorite answers ever, on any SE site. I have wanted to answer questions on Money SE by referencing evisceration and that big bronze bull (to emphasize the gravitas of forcing banks to take their responsibilities seriously, as you said), but they are more strict on Money SE. Thank you for this. – Ellie Kesselman Mar 23 '13 at 02:37
The answer to your question would be: no. The reason behind it being that the only one losing a bit of money, if all of your previously mentioned exploits were possible, would be the bank.

A bit of money, you say? Yes, a bit of money; the money you can lose with an ATM is rather low compared to, for instance, SWIFT transactions.

Now, does that mean there aren't any protections in place? Sure there are: they are often on a separate LAN/VPN segment, and their construction is made to withstand quite some physical abuse. BUT this is not enforced by any governing instance.

Lucas Kauffman
  • I see ATMs in the most obscure places - convenience stores, bars, motel hallways, to name a few. I seriously doubt many have separate LAN segments or much in terms of secure infrastructure. Are merchants not required to establish minimum baselines for protection of communication? – Drew Lex Jan 30 '13 at 11:57
  • Well, PCI-DSS is not enforced by a government, but it is a set of regulations and they are enforced by the Payment Card Industry... – Rory Alsop Feb 01 '13 at 10:18