ATM and IoT Security – Get Proactive, Be Protected

Takeaways from NCR Innovation Conference 2018

Innovation, Meet Security

Digital banking has transformed the way we connect and transact with one another. From mobile banking apps to contactless payments, a focus on consumer experience has driven new technologies like never before. The consistent, common factor – convenience.

That said, we’ve seen breaches of personal data and financial losses reach an all-time high. Why? Tighter compliance regulations and the irresistible appetite to leverage consumer data for business growth have put immense pressure on security professionals to keep pace.

In late August, I had the privilege of speaking at Innovation Conference 2018, run by one of our core partners in the financial services sector – NCR. As a leader in digital banking, NCR now enables more than 700 million transactions a day across nearly every industry. More importantly, they prioritize securing these transactions by protecting the users, devices and applications behind them.

Security and risk management is no longer an IT issue, it’s a business strategy. After all – without security – how can we innovate? In this era, regulatory roadblocks and consumer risk awareness can quickly stifle growth, so corporate and consumer protection must be at the heart of innovation, particularly when it comes to increasing transactions via Automated Teller Machines (ATMs), Point-of-Sale (PoS) systems, and other Internet-of-Things (IoT) devices.

Evolving ATM Threats

While consumers have no doubt adopted payment apps and digital banking to manage their finances, ATMs remain a common platform for transactions. This is especially true in emerging markets where accessibility to cash is essential. Problem is – ATMs have increasingly become a target for crime. That’s because like many IoT devices, ATMs start up in a physically accessible environment without any trusted user present, leaving them vulnerable to attack.

But what exactly do I mean by “attack”? Well, there is a multitude of threats, but they can easily be broken down into three categories – physical attacks, financial fraud, and logical attacks.

  • Physical Attacks – Attempts to physically breach the cash enclosure or other valuable media inside the ATM.
  • Financial Fraud – Attempts to steal cardholder data to make a counterfeit card, such as card skimming or card trapping.
  • Logical Attacks – Attempts to steal cardholder data or to control the dispenser and cash out the ATM via external devices and/or malicious software.

How can you protect against these attacks? Well, whether an attacker is after the cash or – what is more valuable today – the data, they will always seek the path of least resistance. As protections against financial fraud and physical breaches of the ATM improve, logical attacks have grown in both frequency and scale.

Logical attacks target the ATM’s firmware and/or software so that attackers can manipulate it for their purposes – typically to cause an unauthorized dispense of cash, referred to as ‘jackpotting’. Considering some machines can hold up to $200,000 – though most contain $10,000 or less – a criminal can effectively get a larger payout than most of us could ever hope to win at any casino gaming machine (when in Vegas).

How do they do it? There are two methods really, but the most common type of logical attack against ATMs, according to NCR, is an offline attack. In this case, the criminal inserts removable media (for example a CD, DVD or USB). The ATM then boots to an OS on the removable media. At this point, the machine is virtually defenseless, allowing the attacker to disable anti-malware software, copy malware onto the ATM hard disk, and re-boot the ATM back to normal operation once the USB is detached. With the ATM now running malware, a ‘mule’ returns to activate the code and dispense the entire ATM cash enclosure.

Is it really a threat to your ATMs? If you are an ATM network operator, it’s an important question. You have multiple priorities to juggle, probably a few in the realm of security. ATM ‘jackpotting’ attacks are nothing new. In fact, this type of attack was first discovered in Mexico about five years ago, and since then it has been mostly limited to regions of Europe and Asia. However, earlier this year NCR received reports from the US Secret Service about the first known ‘jackpotting’ attacks in the US.

Malware variants thus far have targeted non-NCR ATMs, but network operators will need to be proactive if they want to prevent these types of attacks from occurring in the future. Again, criminals are often “lazy”, and they will always seek the path of least resistance. Depending on the location, time and security of the ATM, fraudsters have and will continue to find a way in.

Protect Your Investment

Encrypting PIN Pads are a must. But why Hard Drive Encryption (HDE)? We hear this question often, and it’s a valid one. After all, isn’t HDE just for laptops and desktops? PCI DSS does not allow sensitive cardholder data to be stored on the ATM, so why would you need to encrypt the drive? What are you protecting?

When it comes to ATMs, drive encryption plays a different game. It’s less about protecting the data and more about protecting your investment. That’s because HDE is the simplest and most effective way to protect against these offline malware attacks. How? HDE ensures that no data – including the OS and other software – can be tampered with while the ATM is offline. That way, the attacker cannot get the access they need to disable your anti-malware, copy their malware or read any contents of the drive. For that matter, it also helps with PCI DSS requirements to securely dispose of the drive and any related data – for instance, check deposit JPEGs – if the ATM is decommissioned or in maintenance.
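A detection-side complement to the offline attack described above, as an added example (not NCR or WinMagic code): it compares the last state an ATM reported before an unplanned outage with the first state after it, and flags a disabled anti-malware agent or new or changed executables. The snapshot format, ATM ids, paths, hashes and the 10-minute heartbeat interval are assumptions, and the sample data is constructed.

```python
from datetime import datetime

MAX_GAP_S = 600  # assumed: each ATM reports a snapshot at least every 10 minutes
_t = datetime.fromisoformat

# Constructed sample data (hypothetical ATM ids, paths and hashes).
SNAPSHOTS = [
    {"atm": "ATM-001", "ts": "2018-09-01T02:00:00", "av_enabled": True,
     "files": {"C:/atm/app.exe": "a1", "C:/atm/driver.dll": "b2"}},
    {"atm": "ATM-001", "ts": "2018-09-01T02:40:00", "av_enabled": False,
     "files": {"C:/atm/app.exe": "a1", "C:/atm/driver.dll": "b2",
               "C:/atm/helper.exe": "ff"}},
    {"atm": "ATM-002", "ts": "2018-09-01T01:10:00", "av_enabled": True,
     "files": {"C:/atm/app.exe": "a1"}},
    {"atm": "ATM-002", "ts": "2018-09-01T02:30:00", "av_enabled": True,
     "files": {"C:/atm/app.exe": "c3"}},
]
# Approved maintenance windows; changes made inside them are expected.
MAINTENANCE = {"ATM-002": [("2018-09-01T01:00:00", "2018-09-01T03:00:00")]}

def in_maintenance(atm, start, end, windows):
    return any(_t(a) <= start and end <= _t(b) for a, b in windows.get(atm, []))

def offline_tamper_findings(snapshots, windows, max_gap_s=MAX_GAP_S):
    """Flag ATMs whose disk or anti-malware state changed across an unplanned outage."""
    findings, last = [], {}
    for snap in sorted(snapshots, key=lambda s: (s["atm"], s["ts"])):
        prev = last.get(snap["atm"])
        last[snap["atm"]] = snap
        if prev is None:
            continue
        start, end = _t(prev["ts"]), _t(snap["ts"])
        if (end - start).total_seconds() <= max_gap_s:
            continue  # no reporting gap, so no offline window to examine
        if in_maintenance(snap["atm"], start, end, windows):
            continue  # planned downtime: software updates are expected here
        reasons = []
        if prev["av_enabled"] and not snap["av_enabled"]:
            reasons.append("anti-malware disabled")
        for path, digest in sorted(snap["files"].items()):
            if path not in prev["files"]:
                reasons.append(f"new file {path}")
            elif prev["files"][path] != digest:
                reasons.append(f"modified file {path}")
        if reasons:
            findings.append((snap["atm"], reasons))
    return findings

print(offline_tamper_findings(SNAPSHOTS, MAINTENANCE))
```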

The Honest Truth

Now, from a security perspective, this makes sense. However, the honest truth is that, from an operational perspective, most IT pros avoid encryption any chance they can get. In fact, during my presentation, I asked the room, “How many of you deal with encryption in some capacity?” Of the 40-50 in the room, at least half raised their hands. Then I asked, “How many of you enjoy it?” Not one hand. Of course, this is obvious to most, but it is the reality we face.

In 2015, NCR partnered with WinMagic to power NCR Secure Hard Disk Encryption (HDE). Why? Because WinMagic believes that security should not come at a compromise to convenience or productivity. Encryption by its very nature is often disruptive, something ATM network operators cannot accept. NCR Secure HDE was designed and configured with ATM operations in mind – no compromise.

Bottom line, don’t wait for attackers to find the seam in your security. Similar to ATMs, you likely have multiple platforms without trusted users to authenticate, including servers, cloud workloads, IoT and edge devices. So as your business grows – and your IT infrastructure with it – remember that innovation and security can only move forward together.
