Security firm: ATMs linked to IP networks vulnerable

04.05.2006

But it is also less secure, Abraham claimed. That's because, apart from the PIN data, all other ATM transaction details such as the card number, expiration date, account balances and withdrawal amounts frequently remain unencrypted. This was not as much of a problem when the data was traveling over dedicated lines, but poses a security risk on an IP network, he said.

Unless protective measures are taken, a hacker tapping into a bank's network would have access to every ATM transaction flowing over its network, he said. The situation is also open to other possibilities, including so-called man-in-the-middle attacks that could, for instance, spoof a processor's response to an ATM machine and instruct it to keep on dispensing cash, he said. The risks are especially severe in the cases of ATMs located outside of banks, in places such as grocery stores, where the machines are simply plugged into a standard Ethernet cable outlet in the wall, he said.

But many banks appear to be unaware of the issue, and are not taking the fairly simple measures needed to mitigate the risk, such as implementing firewalls, installing antivirus software and putting ATM traffic on a separate network segment, Abraham claimed.

Ironically, the move to triple DES encryption has only masked the threat because most banks simply assume that all transaction data is safer, when in fact it is most often only the PIN data that is being encrypted using the stronger standard, he said. Redspin, for instance, learned of the problem only when it was conducting an audit for a banking client and noticed ATM transaction data flowing over its networks in clear text, Abraham said.

"Bank managers are surprised when we tell them this. They think that everything is encrypted," especially after upgrading to triple DES, he said.
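The audit finding described above, card data crossing the network in clear text while only the PIN is encrypted, is something a bank can check for on its own ATM segment. The following is an added example, not code from Redspin or from the article: it scans captured payloads for Luhn-valid card numbers and reports them masked. The message layout and field names are constructed for illustration and do not represent a real ATM protocol.

```python
import re

# Runs of 13-19 ASCII digits that are not part of a longer digit run.
PAN_CANDIDATE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first 6 / last 4 so the finding can be reported without storing the number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_cleartext_pans(payload: bytes) -> list[str]:
    """Return masked, Luhn-valid card-number candidates found in one payload."""
    hits = []
    for m in PAN_CANDIDATE.finditer(payload):
        digits = m.group().decode("ascii")
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits

def audit(payloads: dict[str, bytes]) -> dict[str, list[str]]:
    """Map payload label -> findings, listing only payloads that leak a card number."""
    return {name: hits for name, p in payloads.items() if (hits := find_cleartext_pans(p))}

# Constructed sample payloads (hypothetical layout, assumed for this example).
# 4111111111111111 is a widely published test card number.
SAMPLES = {
    # PIN block is opaque bytes, but card number, expiry and amount are readable.
    "atm-01 cleartext": b"\x02PAN=4111111111111111;EXP=0812;AMT=00020000;PINBLK=\x9a\x1f\x03\xc4\x77\x10\xee\x5b\x03",
    # A 16-digit sequence number that fails the Luhn check and must not be flagged.
    "atm-02 sequence": b"\x02SEQ=4111111111111112;STATUS=OK\x03",
    # Opaque bytes standing in for traffic carried inside an encrypted tunnel.
    "atm-03 tunnelled": bytes.fromhex("17030300208f3ac1d05e77b2a94c016df3e8a2b47c9955d1e0a3f6b8c2d4179e6a0b5c3d2f"),
}

if __name__ == "__main__":
    for name, hits in audit(SAMPLES).items():
        print(f"{name}: cleartext card number(s) {hits}")
```

Any hit on traffic from the ATM segment means transaction fields other than the PIN are readable on the wire, which is the condition the segmentation and firewall measures mentioned in the article are meant to contain.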