KUALA LUMPUR: The spate of Automated Teller Machine (ATM) hacks last month was due to financial institutions' continued use of obsolete operating systems and lack of "penetration testing", opined an IT security consultant.

Jacco Van Tuijl, who conducts penetration testing (sanctioned hacking into systems to determine their vulnerability to attacks) for banks in the Netherlands, pointed out that many ATMs still use the now-obsolete, 13-year-old Windows XP operating system.

This leaves systems and ATMs vulnerable to hacking attacks as Microsoft has since stopped providing support and security updates to the operating system.

Van Tuijl said banks and financial institutions should update their operating software to a current, supported version to avoid being victims of hackers.

"It would be tough to protect against any kind of malware. Every day, new vulnerabilities are published," he told The Star Online at the Hack in The Box security conference recently.

"You can't have a machine and leave it without doing proper patching," he said, pointing out that Microsoft, for example, released security patches for its products every Tuesday.

Another IT security consultant, Dr Stefano Zanero, said that the recent ATM hacking cases showed the importance of the physical security of ATMs, as the incidents showed how easily the machines could be tampered with.

He said this sort of defect would have been detected if the banks had hired penetration testers to test out their systems.

"The ATM is basically a computer. We have conducted penetration tests and were able to access USB ports inside of ATMs by cutting through the metal.

"While network security is important, so is physical security," said Dr Zanero.

Last month, a gang exploited flaws in the authentication process to hack into at least 14 ATMs in Selangor, Johor and Malacca, and got away with almost RM3mil.

Police said the suspects hacked the machines by inserting a disc into the ATMs' CD-ROMs that would then infect the machines with a virus or malware.

The ATMs are believed to have been using the Windows XP system.

Van Tuijl said the gang would have had physical access to an ATM to test their malware.

"Software and malware development is about trial and error. It would have taken a lot of testing," he said.

He added that the gang would have been well-organised, comprising people with various skill sets.

Dr Zanero said that the attacks against ATMs were not specific to Malaysia and occurred in other parts of the world as well.

He said that similar cases were recorded in Russia and the Middle East recently.