Security firm: ATMs linked to IP networks vulnerable

04.05.2006

Mike Lee, CEO of the ATM Industry Association based in Brookings, S.D., acknowledged that the move to mainstream technologies such as Windows XP operating systems and IP networks over the past few years "is altering the vulnerability landscape associated with this traditionally proprietary system."

"The use of proprietary technologies afforded ATMs a degree of defense against malware, hacking toolkits and utilities, denial of service attacks and other threats that have been used to exploit vulnerabilities in more prevalent operating systems and networks," he said. Most modern ATMs are running on operating systems and network communication protocols "known by and familiar to the majority of computer users," he said.

At the same time, Redspin's white paper ignores the fact that ATM manufacturers support firewall integration, antivirus integration and vulnerability patching, to mitigate some of these risks, he said.

"The paper also confuses private, nonroutable IP addresses--which most IP networks use--with publicly addressable IP addresses," he said. "Triple DES is a very comprehensive global end-to-end encryption standard, but of course there are degrees and stages of implementation," Lee said. "In reality, there will always be cases of noncompliance and failures to implement best practices in any industry," he added.
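The distinction Lee draws between private, nonroutable addresses and publicly addressable ones is something an operator can check against an ATM inventory. The script below is an added illustration, not code from the article, Redspin or the ATM Industry Association; the inventory and addresses are constructed (the 203.0.113.0/24 entry is a documentation range standing in for a public address). It tests membership in the RFC 1918 ranges explicitly rather than relying on a library's broader "private" notion, and it shows the common edge case of an address just outside 172.16.0.0/12.

```python
import ipaddress

# Constructed sample inventory of ATM endpoint addresses (not real devices).
ATM_INVENTORY = {
    "atm-001": "10.20.30.40",      # RFC 1918, 10.0.0.0/8
    "atm-002": "192.168.5.17",     # RFC 1918, 192.168.0.0/16
    "atm-003": "172.31.250.9",     # RFC 1918, last /16 inside 172.16.0.0/12
    "atm-004": "203.0.113.25",     # documentation range, stands in for a public address
    "atm-005": "172.32.0.1",       # one past 172.16.0.0/12: looks private, is not
}

# The three nonroutable blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr: str) -> str:
    """Return 'rfc1918-private', 'local' or 'public' for an IPv4/IPv6 address string."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918-private"
    if ip.is_loopback or ip.is_link_local:
        return "local"
    # Anything else is reachable from outside the institution's network
    # unless a firewall or VPN is in front of it.
    return "public"


def audit(inventory: dict) -> dict:
    """Map every ATM name to its address classification."""
    return {name: classify(addr) for name, addr in inventory.items()}


def publicly_addressable(inventory: dict) -> list:
    """Names of ATMs whose address is not private or local, sorted for stable output."""
    return sorted(name for name, cls in audit(inventory).items() if cls == "public")


if __name__ == "__main__":
    for name, cls in audit(ATM_INVENTORY).items():
        print(f"{name}: {ATM_INVENTORY[name]} -> {cls}")
    print("needs review (public address):", publicly_addressable(ATM_INVENTORY))
```

A private address only removes direct reachability from the Internet; it does not protect the machine from anything else on the same network, which is why the firewall, patching and VPN measures cited later in the article still matter for the RFC 1918 hosts this script reports as private.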

More banks than Redspin assumes also appear to know about the security issues involved and have taken steps to mitigate them, said a spokesman at a major payments processing network who requested anonymity. Earlier industry research into this issue has shown many "financial institutions securely configuring ATMs by implementing firewalls, diligently applying security patches and utilizing virtual private networks as opposed to ones with public IP addresses," he said.