One of the fastest-growing threats facing banking technology is the risk posed by malware, in particular malware that can be deployed remotely through logical attacks. A recent study by Europol and Trend Micro found that the size and frequency of logical attacks on ATMs have been increasing in recent years, with criminals becoming more sophisticated and able to take advantage of poorly protected networks and of the vulnerabilities found in ATM technology.
Fortunately, there are steps that financial institutions and independent ATM operators can take to better protect their networks and defend them against cybercriminals. This starts with operators taking a layered approach to security: by preparing their defences layer by layer, operators avoid leaving any cracks in the ATM’s armour.
As any security expert knows, creating a holistically secure environment is complicated, and a single forgotten element can bring an organisation’s security infrastructure tumbling down. Owen Wild, Security Marketing Director at NCR, discusses the 15 rules all operators should abide by to help protect ATMs against logical attacks:
Rule 1: Secure the BIOS
The Basic Input-Output System (BIOS) is a set of programs consisting of code and configuration settings that enables an ATM’s central processing unit (CPU) to communicate with peripheral devices. The settings are used to control the BIOS program’s operation and also the hardware parameters that are exposed to the operating system of the ATM.
Securing the BIOS is fundamental to the security of the ATM. To do this, administration of the BIOS must adhere to the following principles:
- During normal operations, operators should configure the BIOS to boot from the primary hard disk only
- BIOS updates must be reviewed and tested prior to deployment
- Editing of BIOS settings must be password protected
Rule 2: Establish a password policy for all passwords – no matter the level of access
Every ATM deployment needs a secure user account and password policy. For most ATM operators, the user account policy will be managed by a central account management system, such as Microsoft Active Directory. The password policy, however, is more process driven.
The minimum password policy standards that need to be adopted include:
- all default passwords must be changed;
- the user accounts and passwords on every ATM must be different, so that the successful hacking of one does not lead to the hacking of another;
- passwords should be changed at least every 90 days;
- passwords should be at least 14 characters long and incorporate at least one number, both upper and lower case characters, and non-alphanumeric characters.
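The checks above are concrete enough to automate. The following is an added example written for this page (not NCR code) that scores a password against the stated minimums and then audits a constructed list of ATM accounts for default passwords, passwords shared between machines and passwords older than 90 days. The default-password list, the account records and the audit date are all constructed sample data.

```python
"""Password-policy checks for an ATM estate (added example, not NCR code).

Implements the minimum standards in Rule 2:
  * default passwords must be changed,
  * every ATM must use a different password,
  * at least 14 characters with a digit, an upper-case and a lower-case
    letter and a non-alphanumeric character,
  * rotated at least every 90 days.
"""
from datetime import date, timedelta
from typing import Dict, List
import re

# Constructed sample of vendor/default passwords; a real list comes from
# the vendor documentation for the ATM model and its peripherals.
DEFAULT_PASSWORDS = {"password", "admin", "12345678", "atm", "changeme"}

MIN_LENGTH = 14
MAX_AGE = timedelta(days=90)


def check_password(password: str) -> List[str]:
    """Return the list of policy violations (an empty list means compliant)."""
    problems = []
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("default password must be changed")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no non-alphanumeric character")
    return problems


def audit_estate(accounts: List[dict], today: date) -> Dict[str, List[str]]:
    """accounts: records with keys atm_id, password, last_changed (a date).

    Returns {atm_id: [violations]} covering strength, age and reuse across
    the estate. Both sides of a shared password are reported.
    """
    findings: Dict[str, List[str]] = {}
    seen: Dict[str, str] = {}  # password -> first atm_id that used it
    for acct in accounts:
        issues = check_password(acct["password"])
        if today - acct["last_changed"] > MAX_AGE:
            issues.append("password older than 90 days")
        other = seen.get(acct["password"])
        if other is not None:
            issues.append(f"same password as {other}")
            findings.setdefault(other, []).append(f"same password as {acct['atm_id']}")
        else:
            seen[acct["password"]] = acct["atm_id"]
        findings.setdefault(acct["atm_id"], []).extend(issues)
    return findings


# Constructed sample data: two machines share a password, one still has a
# default password and one has not been rotated in time.
SAMPLE_ACCOUNTS = [
    {"atm_id": "ATM-001", "password": "Br4nch!Lobby#2024x", "last_changed": date(2024, 5, 1)},
    {"atm_id": "ATM-002", "password": "Br4nch!Lobby#2024x", "last_changed": date(2024, 5, 1)},
    {"atm_id": "ATM-003", "password": "admin", "last_changed": date(2023, 12, 1)},
    {"atm_id": "ATM-004", "password": "Dr1veThru$Kiosk-7", "last_changed": date(2024, 1, 15)},
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for atm_id, issues in audit_estate(SAMPLE_ACCOUNTS, TODAY).items():
        print(atm_id, "OK" if not issues else "; ".join(issues))
```

In practice the strength check runs at the moment a password is set, and the reuse check compares stored credential hashes rather than plaintext as this sample does for readability.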
Rule 3: Implement communications encryption across all networks
Sensitive cardholder data must be encrypted in transit across all networks, so that cyber-criminals who are able to view data in transmission cannot read it. Furthermore, PCI DSS Requirement 4.1 dictates the use of strong cryptography and security protocols to safeguard sensitive cardholder data during transmission, so this rule is also a legal imperative.
Rule 4: Install a firewall and configure it correctly
The ATM firewall must be configured to allow only known, authorised incoming and outgoing connections that are necessary for the ATM environment, and the rules must be defined per programme rather than per port. Different firewalls have different configurations, so no assumptions should be made about the deployment; the specific configuration settings of the product purchased must be examined carefully to ensure a successful implementation.
Rule 5: Adopt a principle of “if you don’t use it, disable it”
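The difference between a per-port and a per-programme rule is easiest to see with a small policy engine. The block below is an added example written for this page (not NCR code and not any firewall product's format): it holds a default-deny allowlist keyed on the executable path, direction, remote host and port, and evaluates a constructed log of connection attempts against it. The programme paths, hosts and ports are assumptions chosen for illustration.

```python
"""Per-programme firewall allowlist evaluated against constructed connections.
Added example, not NCR code. Paths, hosts and ports are assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    program: str                 # full path of the executable the rule is bound to
    direction: str               # "out" or "in"
    remote_host: Optional[str]   # None means any remote host
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Connection:
    program: str
    direction: str
    remote_host: str
    port: int
    proto: str = "tcp"


# Constructed allowlist: only the ATM application may talk to the host
# switch, only the distribution agent may reach the update server, and only
# the monitoring agent accepts inbound connections from the management host.
ALLOW = [
    Rule(r"C:\ATM\app\atmapp.exe", "out", "10.1.0.5", 443),
    Rule(r"C:\ATM\agent\distagent.exe", "out", "10.1.0.9", 8443),
    Rule(r"C:\ATM\agent\monitor.exe", "in", "10.1.0.20", 5555),
]


def is_allowed(conn: Connection, rules: List[Rule] = ALLOW) -> bool:
    """Default deny: a connection passes only if a rule matches its programme,
    direction, protocol, port and (where the rule names one) remote host.
    Binding on the programme is what stops an unknown binary reusing a port
    that is legitimately open for the ATM application."""
    for r in rules:
        if (r.program.lower() == conn.program.lower()
                and r.direction == conn.direction
                and r.proto == conn.proto
                and r.port == conn.port
                and (r.remote_host is None or r.remote_host == conn.remote_host)):
            return True
    return False


def evaluate(connections: List[Connection], rules: List[Rule] = ALLOW) -> List[Connection]:
    """Return the connections that the policy would block."""
    return [c for c in connections if not is_allowed(c, rules)]


# Constructed connection attempts: two legitimate, three that a port-only
# rule set would have let through.
SAMPLE_CONNECTIONS = [
    Connection(r"C:\ATM\app\atmapp.exe", "out", "10.1.0.5", 443),              # legitimate
    Connection(r"C:\Users\Public\update.exe", "out", "10.1.0.5", 443),         # unknown programme, allowed port
    Connection(r"C:\ATM\agent\distagent.exe", "out", "203.0.113.7", 8443),     # right programme, wrong host
    Connection(r"C:\ATM\agent\monitor.exe", "in", "10.1.0.20", 5555),          # legitimate
    Connection(r"C:\Windows\System32\svchost.exe", "in", "10.1.0.20", 5555),   # open port, wrong programme
]

if __name__ == "__main__":
    for c in evaluate(SAMPLE_CONNECTIONS):
        print("BLOCK", c.direction, c.program, "->", c.remote_host, c.port)
```

On Windows the equivalent binding is the executable path given to a firewall rule (for example the `-Program` parameter of `New-NetFirewallRule`); the point of the example is that a rule keyed only on port 443 or 5555 would have accepted three of the five attempts.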
It is recommended that any unused services and applications are removed from the system to reduce the attack surface area open to criminals.
For example, if the applications do not require output caching, the relevant module should be disabled. Thereafter, if future security vulnerabilities are found in this module, the application remains protected. This is just one example – the full spectrum of services and applications within the ATM environment must be examined to identify redundant areas.
Rule 6: Deploy an effective anti-malware mechanism
By deploying appropriate anti-malware software, operators can maintain the integrity of the ATM software stack and help prevent malicious software from compromising the inner workings of the ATM. An active white-listing solution provides protection against both known and unknown malware threats; this can include memory protection, defence against zero-day attacks and threat alerting.
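White-listing works by allowing only software that is already known, rather than trying to recognise what is bad. The block below is an added example written for this page (not NCR's product): it records a manifest of SHA-256 hashes for every executable on a golden image, then re-verifies the disk and reports binaries that are unknown, modified or missing. The image is constructed in a temporary directory with placeholder file contents.

```python
"""Hash-based application allowlist check (added example, not NCR's product).

A deployment manifest lists every executable permitted on the ATM with its
SHA-256. Anything on disk that is not in the manifest, or whose hash differs,
is reported. The image and manifest below are constructed in a temp dir."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

PATTERNS: Tuple[str, ...] = ("*.exe", "*.dll")


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path, patterns: Tuple[str, ...] = PATTERNS) -> Dict[str, str]:
    """Map each executable under root (relative POSIX path) to its hash."""
    found = {}
    for pat in patterns:
        for p in root.rglob(pat):
            found[p.relative_to(root).as_posix()] = sha256_of(p)
    return found


def build_manifest(root: Path) -> Dict[str, str]:
    """Golden-image step: take the hashes of the approved software set."""
    return scan(root)


def verify(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live disk with the manifest.

    Returns {"unknown": [...], "modified": [...], "missing": [...]}; an
    allowlisting agent would block execution of anything in the first two."""
    found = scan(root)
    return {
        "unknown": sorted(k for k in found if k not in manifest),
        "modified": sorted(k for k in found if k in manifest and found[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in found),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed image, take the manifest, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "atmapp.exe").write_bytes(b"constructed application image")
        (root / "app" / "xfs.dll").write_bytes(b"constructed vendor XFS layer")
        manifest = build_manifest(root)
        # Simulate the three conditions the check must catch.
        (root / "app" / "atmapp.exe").write_bytes(b"altered application image")  # modified
        (root / "app" / "dropper.exe").write_bytes(b"binary not in manifest")     # unknown
        (root / "app" / "xfs.dll").unlink()                                       # missing
        return verify(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A real agent enforces this at execution time rather than on a periodic scan, and the manifest must itself be integrity-protected (for example signed) or an attacker who can alter binaries can alter the list as well.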
Rule 7: Establish a regular patching process for all installed software
Just like any computing device, an ATM must have all its software kept up to date with the latest security patches. By ensuring all software is up to date, operators deny attackers the chance to take advantage of known vulnerabilities within it. If this isn’t the case, operators could be leaving their ATMs open to infection by malicious software that steals customer information or causes the ATM to freely dispense the cash inside it, straight into the hands of the criminals.
Rule 8: Harden the Windows Operating System (OS) to make it more secure
The Windows OS must be hardened to restrict the privileges and behaviour of the ATM so that only the functions necessary for its operation in a self-service environment can take place. This consists of setting up a locked-down OS environment on a standalone ATM by:
- Disabling Windows AutoPlay
- Implementing a locked-down user account
- Implementing a keyboard disable so that keypresses are not interpreted within the locked-down account
- Applying file, folder and registry permissions that restrict access to the minimum required for the ATM to function
- Applying computer and user policies that restrict functionality to the minimum required for the ATM to work correctly and securely
If an alternative OS is being used, operators should speak with the manufacturer for guidance on the best way to harden that OS.
Rule 9: Implement role-based access control to minimise the human-based attack surface area
The more people within an organisation who can access cardholder data environments, the greater the risk that a consumer’s account details will be compromised. Therefore, access must be restricted to those who have a legitimate business reason for needing access to this data.
For all users accessing the ATM environment, access permissions should be based on the role they have. For example, branch staff who only need to replace the receipt paper do not need access to the cardholder data, so their user privilege should reflect that. Access restriction should also cover those who access the ATM computer remotely.
Finally, operators may wish to consider multi-factor authentication on ATMs equipped for it. Multi-factor authentication combines something a user knows, like a password; something the user owns, like a token device or smart card; and something unique to that individual, like a fingerprint or retinal scan.
Rule 10: Deploy a full hard disk encryption solution
Deploying full hard disk encryption affords protection against:
- Malware attacks when the ATM hard disk is offline
- Attackers reverse engineering software on the ATM hard disk
- Attackers harvesting data from the ATM hard disk
- The hard disk being seen by attackers when the ATM is booted from removable media
- The hard disk being removed from the ATM and mounted as a secondary drive
- The core being removed from the ATM
Rule 11: Ensure communications between the ATM core and the cash dispenser are protected
By encrypting the communications between the ATM core and the cash dispenser, operators can better protect against black-box attacks. In this kind of attack, criminals gain access to the inside of the ATM by physically cutting into it, disconnect the cash dispenser from the core and reconnect it to an external electronic device, the black box, which then tells the machine to dispense its cash reserves.
If the communications are encrypted, commands sent to the cash dispenser by attackers will be recognised as invalid and therefore be ineffective.
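The reason an encrypted link defeats a black box is that the dispenser will only act on commands that were produced with a key the box does not have. The block below is an added example written for this page and is not NCR's dispenser protocol: it models the dispenser-side check with an HMAC-SHA256 tag over a counter and the command (standard library only, so it demonstrates authentication and replay protection rather than confidentiality; a real design would also encrypt the frame). The frame layout, command strings and per-dispenser key provisioning are assumptions.

```python
"""Authenticated core-to-dispenser commands (added example, not NCR's protocol).

Frame layout (assumed): 8-byte big-endian counter || command bytes || 32-byte
HMAC-SHA256 tag over counter+command. The dispenser rejects any frame whose
tag does not verify under the shared key and any counter it has already seen."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List

TAG_LEN = 32
COUNTER_LEN = 8


class Dispenser:
    """Models the dispenser side: verifies the tag, then the counter."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0
        self.dispensed: List[str] = []  # commands actually acted on

    def receive(self, frame: bytes) -> bool:
        if len(frame) < COUNTER_LEN + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # forged or tampered frame
            return False
        counter = struct.unpack(">Q", body[:COUNTER_LEN])[0]
        if counter <= self._last_counter:            # replayed frame
            return False
        self._last_counter = counter
        self.dispensed.append(body[COUNTER_LEN:].decode())
        return True


class Core:
    """Models the ATM core: holds the key and signs each command with a fresh counter."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def build(self, command: str) -> bytes:
        self._counter += 1
        body = struct.pack(">Q", self._counter) + command.encode()
        return body + hmac.new(self._key, body, hashlib.sha256).digest()


def demo() -> Dict[str, object]:
    """Run one legitimate command and three kinds of invalid frame."""
    key = os.urandom(32)  # per-dispenser key provisioned at pairing (assumed)
    core, disp = Core(key), Dispenser(key)

    legit = core.build("DISPENSE cassette=1 notes=5")
    ok_legit = disp.receive(legit)
    ok_replay = disp.receive(legit)                        # same frame again

    # A device that does not hold the key can only tag with a guess.
    body = struct.pack(">Q", 99) + b"DISPENSE cassette=1 notes=40"
    forged = body + hmac.new(b"not the real key", body, hashlib.sha256).digest()
    ok_forged = disp.receive(forged)

    # Altering the command inside a captured legitimate frame breaks the tag.
    tampered = legit[:COUNTER_LEN] + b"DISPENSE cassette=1 notes=9" + legit[-TAG_LEN:]
    ok_tampered = disp.receive(tampered)

    return {"legit": ok_legit, "replay": ok_replay, "forged": ok_forged,
            "tampered": ok_tampered, "dispensed": disp.dispensed}


if __name__ == "__main__":
    print(demo())
```

Only the first frame results in a dispense; the replay, the frame built without the key and the edited frame are all rejected before the dispenser acts. The counter also gives the core a cheap signal worth logging, since a burst of rejected frames on this link is exactly what a physical attack on the cabinet looks like from the software side.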
Rule 12: Perform a security test of your ATM annually
The best-practice method is to engage an external organisation to conduct annual penetration tests. The test needs to be made up of various simulated attacks and attempt to find misconfigurations, weaknesses and vulnerabilities in the ATM system that an attacker could exploit. It should also consider vulnerabilities in the physical casing of the ATM that could allow criminals to access the ATM core to upload malware. The test enables the operator to identify any areas that need to be addressed from a security perspective.
Rule 13: Deploy a software distribution tool that will assist in maintaining the confidentiality, integrity and availability of ATMs
A software distribution capability with best-practice security controls, authorisation and authentication built in is an essential layer that assists in maintaining the confidentiality, integrity and availability of ATMs.
If ATM malware is found or suspected, software distribution expedites the clean-up and the update of malware signature files across the ATM estate. This helps put the ATMs into a more secure state, preventing further attacks and limiting the damage to those that may be compromised.
Rule 14: Consider the physical environment of the ATM deployment
Even if an ATM operator has the best technological protection, the physical environment in which the ATM is deployed can influence the risk of attack. For example, if the location is unattended, it is more appropriate to install a through-the-wall ATM, as this offers greater physical security than a standalone unit.
Rule 15: Consult an enterprise security specialist to assess and deploy industry best-practice security controls within your enterprise
By working with a third-party security specialist, ATM operators can ensure they are identifying and better protecting themselves against both human and technological security risks. For example, a specialist may prescribe security awareness training for all employees to minimise the risk of phishing attacks. Similarly, they may put in place a robust patching process to ensure that ATM software is kept up to date with the latest security and operational patches. Even the most prepared organisation can benefit from an independent look at its security policies.