International Cyber Expo International Cyber Expo
  • About Us
Wednesday, 15 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

How to protect ATMs against logical attacks

by The Gurus
March 29, 2018
in This Week's Gurus
Share on FacebookShare on Twitter

One of the fastest-growing threats facing banking technology is the risk posed by malware – in particular, malware that can be remotely implemented via logical attacks. A recent study by Europol and Trend Micro found that the size and frequency of logical attacks on ATMs has been increasing in recent years, with criminals becoming more sophisticated and able to take advantage of poorly protected networks and the vulnerabilities found in ATM technology.

Fortunately, there are steps that financial institutions and independent ATM operators can take to better protect their networks so they are well defended against cybercriminals. This process starts with operators taking a layered approach to network security; by conducting security preparations in this way operators could avoid leaving any cracks in the ATM’s armour.

As any security expert knows, creating a holistically secure environment can be complicated, and if any elements are forgotten it could bring an organisation’s security infrastructure tumbling down. Owen Wild, Security Marketing Director at NCR discusses the 15 rules all operators should abide by to help to protect ATMs against logical attacks:

Rule 1: Secure the BIOS

The Basic Input-Output System (BIOS) is a set of programs consisting of code and configuration settings that enables an ATM’s central processing unit (CPU) to communicate with peripheral devices. The settings are used to control the BIOS program’s operation and also the hardware parameters that are exposed to the operating system of the ATM.

Securing the BIOS is fundamental to the security of the ATM. To do this, administration of the BIOS must adhere to the following principles:

  • During normal operations, operators should configure the BIOS to boot from the primary hard disk only
  • BIOS updates must be reviewed and tested prior to deployment
  • Editing of BIOS settings must be password protected

Rule 2: Establish a password policy for all passwords – no matter the level of access

Every ATM deployment needs to come with a secure user account and password policy. For most ATM operators, the secure user account policy will be managed by a central account management system, such as Microsoft Active Directory. The password protection policy however, is more process driven.

The minimum password policy standards that need to be adopted include: all default passwords must be changed; all user accounts and passwords for every ATM machine must be different so the successful hacking of one does not lead to the hacking of another; passwords should be changed at least every 90 days and should be at least 14 characters long, incorporating at least one number, both upper and lower case characters, and non-alphanumeric characters.

Rule 3: Implement communications encryption across all networks

The transmission of sensitive cardholder data must be encrypted across all networks, so cyber-criminals if able to view data in transmission, cannot read it. Furthermore, PCI DSS Requirement 4.1 actually dictates the use of strong cryptography and security protocols to safeguard sensitive cardholder data transmission, so this rule is also a legal imperative.

Rule 4: Install a firewall and configure it correctly

The ATM firewall must be configured to only allow known authorised incoming and outgoing connections that are necessary for the ATM environment, and the connections must be configured per programme as opposed to per port. Different firewalls have different configurations, so it’s important that no assumptions are made with regards the deployment and that the unique configuration settings for the product purchased are examined carefully to ensure successful implementation.

Rule 5: Adopt a principle of “if you don’t use, disable it”

It is recommended that any unused services and applications are removed from the system to reduce the attack surface area open to criminals.

For example, if the applications do not require output caching, the relevant module should be disabled. Thereafter, if future security vulnerabilities are found in this module, the application remains protected. This is just one example – the full spectrum of services and applications within the ATM environment must be examined to identify redundant areas.

Rule 6: Deploy an effective anti-malware mechanism

By deploying appropriate anti-malware software, operators can maintain the integrity of the ATM software stack and help to prevent malicious software compromising the inner workings of the ATM. An active white-listing solution will provide protection beyond both known and unknown malware threats. This can include memory protection, zero-day attacks and threat alerting.

Rule 7: Establish a regular patching process for all installed software

Just like any computing device, it is important that all the software running on an ATM is kept up to date with the latest security patches. By ensuring all software is up to date, attackers will not be able to take advantage of known vulnerabilities within it. If this isn’t the case, operators could be leaving their ATMs open to infection by malicious software that could steal customer information or cause the ATM to freely dispense the money inside it – straight into the hands of the criminals.

Rule 8: Harden the Windows Operating System (OS) to make it more secure

The Windows OS must be hardened to restrict the privileges and behaviour of the ATM so only the functions necessary for its operation in a self-service environment take place. This consists of setting up a locked down OS environment on a standalone ATM based on:

  • Disabling Windows Auto-play
  • Implementing a locked-down user account
  • Implementing a keyboard disable to block keypresses being interpreted within the locked down account
  • Apply file, folder and registry permissions to restrict the access to the minimum required for the ATM to function
  • Apply computer and user policies to restrict the minimum functionality required to the ATM to work correctly and securely

If an alternative OS is being used, operators should speak with the manufacturer for guidance on the best way to harden that OS.

Rule 9: Implement role based access control to minimise the human based attack surface area

The more people within an organisation who can access cardholder data environments, the greater the risk that a consumer’s account details will be compromised. Therefore, access must be restricted to those who have a legitimate business reason for needing access to this data.

For all users accessing the ATM environment, access permissions should be based on the role they have. For example, branch staff who only need to replace the receipt paper do not need access to the cardholder data, so their user privilege should reflect that. Access restriction should also cover those who access the ATM computer remotely.

Finally, operators may wish to consider multi-factor authentication for those ATMs equipped for this. Multi-factor incorporates something a user knows well, like a password; something owned, like a token device or smart card; and something unique to that individual, like a fingerprint or retinal scan.

Rule 10: Deploy a full hard disk encryption solution

Deploying full hard disk encryption affords protection against:

  • Malware attacks when the ATM hard disk is offline
  • Attackers reverse engineering software on the ATM hard disk
  • Attackers harvesting data from the ATM hard disk
  • The hard disk being seen by attackers when the ATM is booted from removable media
  • The hard disk being removed from the ATM and mounted as a secondary drive
  • The core being removed from the ATM

Rule 11: Ensure communications between the ATM core and the cash dispenser are protected

By encrypting the communications between the ATM core and the cash dispenser, operators can better protect against black-box attacks. In this kind of attack, criminals gain access to the ATM via physically cutting into it, they then disconnect the cash dispenser from the core and reconnect it to an external electronic device – the black box – then tells the machine to dispense its cash reserves.

If the communications are encrypted, attempted commands from hackers to the cash dispenser will be recognised as invalid and therefore be ineffective.

Rule 12: Perform a security test of your ATM annually

The best practice method is to liaise with an external organisation to conduct annual penetration tests. The test needs to be made up of various simulated attacks and attempt to find misconfigurations, weaknesses and vulnerabilities in the ATM system that could be exploited by an attacker. It should also consider vulnerabilities in the physical casing of the ATM that could allow criminals to access the ATM core to upload malware. The test will enable the operator to identify any areas that need to be addressed from a security perspective.

Rule 13: Deploy a software distribution tool that will assist in maintaining the confidentiality, integrity and availability of ATMs

A software distribution capability that has best practice security controls, authorisation and authentication built in to make it secure, is an essential layer that will assist in maintaining the confidentiality, integrity and availability of ATMs.

If ATM malware is found or suspected, software distribution will expedite the clean-up and update the malware signature files across the ATM estate. This will help put the ATMs into a more secure state, helping to prevent attacks from occurring and help limit damage to those that may be compromised.

Rule 14: Consider the physical environment of the ATM deployment

Even if an ATM operator has the best technological protection, the physical environment in which the ATM is deployed can influence the risk of attack. For example, if located in an unattended environment, it is more appropriate to install a through-the-wall ATM, as this will have greater physical security that a standalone unit.

Rule 15: Consult an enterprise security specialist to assess and deploy industry best-practice security controls within your enterprise

By working with a third party security specialist, ATM operators can ensure they are identifying and better protecting themselves against both human and technological security risks. For example, a specialist may instruct special Security Aware Training for all employees to minimise the risk of phishing attacks. Similarly, they may offer a robust patching process to ensure that ATM software is kept up to date with the latest security and operational patches. Even the most prepared organisation can benefit from an independent look at its security policies.

Tags: CybersecurityTechnology
ShareTweet
Previous Post

New malware named 'Fauxpersky' identified

Next Post

New security regulations are fine, but there is no substitute for innovation

Recent News

Forescout Uncovers AI Assisted Phishing Campaign Using Fake eCards

Forescout Uncovers AI Assisted Phishing Campaign Using Fake eCards

July 14, 2026
Lidl Confirms Data Breach After Third-Party IT Provider Hack

Lidl Confirms Data Breach After Third-Party IT Provider Hack

July 14, 2026
Black Duck Adds AI-Powered Triage and CRA-Ready Checks to Coverity Static Analysis

Black Duck Adds AI-Powered Triage and CRA-Ready Checks to Coverity Static Analysis

July 14, 2026
AI Appreciation Day: Celebrating Progress, Embracing Responsibility

AI has crossed from assistant to operator, Check Point research warns

July 14, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol