With the recent ATM fraud, it is natural and necessary to revisit security measures, and specifically the transmission of customer information between ATMs and bank host systems. That information travels a long way over disparate systems: from the ATM, often through a processor, and then on to the bank.
This paper issued by Redspin Inc. is based on their experience conducting internal security audits for US banks. Their key point is found here:
ATM_Vulnerabilities_04_10_06.pdf
Given the current application protocol, confidentiality of user account information is clearly a significant issue. While the PIN is encrypted, the card number, expiration date and current balance are not. How valuable is that information? It can be used to create a duplicate physical card to be used for signature-based transactions or on-line purchases.
This is something each bank must do to ensure that internally transmitted data is adequately secured. The surprise for the audited bank was that, after implementing Triple DES (a Visa requirement) for the PIN, they assumed the job was done.
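To make the point concrete, the following is an added audit check (not Redspin's or the bank's code) that scans a captured ATM-to-host message for card data readable in the clear. The message layout, field tags and values are constructed for illustration and do not reproduce the real application protocol; only the PIN block is assumed encrypted, and it is shown as an opaque hex blob.

```python
import re

# Constructed sample of an ATM-to-host request (layout assumed for this example,
# not the paper's actual protocol). The PIN block is encrypted (opaque hex here);
# the PAN, expiry and balance travel as plain text, exactly the exposure described.
SAMPLE_MESSAGE = (
    b"0200\x1cPAN=4111111111111111\x1cEXP=0912\x1cBAL=000125000"
    b"\x1cPINBLK=8A3F0C21D9E477B0\x1cSEQ=1234567890123\x1cTERM=ATM0042"
)

PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")      # candidate card-number runs
EXP_RE = re.compile(rb"EXP=(\d{4})")                   # expiry field (assumed tag)
PINBLK_RE = re.compile(rb"PINBLK=([0-9A-F]{16})")      # encrypted PIN block (assumed tag)


def luhn_valid(digits: bytes) -> bool:
    """True if an ASCII digit string passes the Luhn check used for card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30                 # ASCII digit byte to integer
        if i % 2 == 1:                # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_pans(payload: bytes) -> list:
    """Luhn-valid 13-19 digit runs in the raw bytes; other digit runs (sequence
    numbers, balances) are dropped so the check is positional-format agnostic."""
    return [m.group().decode() for m in PAN_RE.finditer(payload)
            if luhn_valid(m.group())]


def audit_message(payload: bytes) -> dict:
    """Summarise what a passive observer of the ATM link could read from one message."""
    pans = find_cleartext_pans(payload)
    exp = EXP_RE.search(payload)
    return {
        "cleartext_pans": pans,
        "cleartext_expiry": exp.group(1).decode() if exp else None,
        # 3DES on the PIN block leaves it opaque; it does not cover the other fields.
        "pin_block_present": PINBLK_RE.search(payload) is not None,
        # PAN plus expiry is what the paper says suffices for a duplicate card.
        "clone_risk": bool(pans) and exp is not None,
    }


if __name__ == "__main__":
    print(audit_message(SAMPLE_MESSAGE))
```

Running the same check over real captures between ATM, processor and host is the kind of evidence an audit like Redspin's produces: an encrypted PIN block alongside a readable PAN and expiry.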
Redspin's conclusion:
ATMs are not immune from this trend because they share the very same network and similar protocols as POS devices. While this paper has focused on the smaller to mid-sized bank architectures, even larger banks with TCP/IP ATMs are vulnerable without the proper controls. All of these devices use the same application layer protocol with sensitive customer information transmitted in the clear.
Relevance to Bankwatch:
In this case the bank was obviously small; however, all banks must perform regular security audits to ensure they are providing the right level of service and security for their customers.
