Every year, it seems that the ingenuity, persistence, and damage that criminals can bring to their trade continue to break new ground. Unfortunately, 2019 will likely be no different. With threats evolving and criminals taking advantage of new tools, features, and techniques embedded within ATMs, financial institutions will have their work cut out for them. The good news is, however, that the same tried-and-true types of defenses that you can employ against them work just as well as they ever have as long as they are used and tuned correctly.
Just as with any other security mindset in your organization, thinking about defense in depth is the best way to help ensure your equipment remains operational and secure. Defense in depth relies on security measures focused on the physical, software, and hardware layers of your ATMs, which individually and combined can deter criminals or, at a minimum, contain the risk of further exploitation.
While the physical risks to ATMs are among the most obvious, how your organization addresses these threats can be more complex, and it is equally important. In fact, according to the European Association for Secure Transactions, there were 1,700 physical attacks on ATMs in Europe in the first half of 2017, ranging from the use of cutting tools to ram raids, a 6 percent increase compared to the same period in 2016. In response, perimeter surveillance, access controls, and secured enclosures can be used to protect an ATM's physical security, according to Nitin Bhatnagar of the PCI Security Standards Council.
The physical security of the ATM is itself a layered approach, with tamper-proof barriers in place to protect the device without getting in the way of the customer’s ability to perform transactions. When these are combined with perimeter surveillance, careful placement, and secured enclosures with multiple locks and access controls, physical threats to the ATM can be potentially deterred or prevented altogether.
Going a step further, degradation tools can be added to the ATM, including ink staining that makes cash useless, as well as alerts that can trigger calls to security or sirens and lights built into the ATM. Finally, access audits and key rotation can also prevent physical threats.
Any time a customer makes a transaction at an ATM, the tasks involved represent a complex interaction between the device’s hardware and software. While the software refers to the set of instructions for how data is processed, hardware refers to the circuits, user inputs/outputs, and drives involved in the transaction. While software, by its very nature, can be updated, patched, replaced, or downloaded, hardware is rarely changed after the ATM leaves the factory.
This does not, however, mean that there are no hardware threats to be mitigated. In fact, hardware attacks can be initiated in several ways, including through malicious functions built into the chip itself that are designed to degrade the ATM’s functionality, or through physical modifications, such as card skimmers. In addition, hardware attacks can be part of a larger coordinated effort in which a whole fleet, region, or model is affected, or ATMs can be attacked individually. With card skimming, the ATM’s card reader is modified to read and record card information that could be exploited for fraud purposes. The result is havoc on a customer’s credit history, damage to your reputation, and costly repairs. Finally, hardware and software threats could be combined, where software could trigger hardware to perform in unintended ways.
To thwart hardware attacks, it is key for technicians to understand the proper form and function of the ATM hardware so that abnormalities can be identified and resolved. In addition, testing for dysfunctional hardware during regular maintenance or via remote monitoring can identify when and where issues may be occurring so they can be isolated and resolved. Physical protections, such as anti-skim devices that detect tampering, can also mitigate hardware risks.
The threats to the software running on ATMs are a lot more dynamic than those that affect the equipment’s physical or hardware security and can be grouped into two categories: local and remote threats.
Local threats, like black-box attacks—which involve connecting the ATM to a device that’s able to introduce malware—rely on a close, physical interaction with the ATM to attack its internal software and compromise the device. Remote threats can be further subdivided into those that are malicious and those that are related to poor software development. Poor coding released within a patch from a software provider can cripple a device just as much as a remote, network-based attack that takes advantage of vulnerabilities in firewalls or access controls. In any case, ensuring your devices have strong, logical security tools that include advanced encryption, fraud detection, and remote management that prevents unauthorized activity or software modification can help protect against software attacks.
Staying One Step Ahead
In sum, as we get deeper into 2019, be sure to think holistically—at the physical, hardware, and software layers—about protecting your financial and customer data within your ATM fleet. While the threats and actors change, knowing how their attacks work inside and out will be an invaluable tool to stay at least one step ahead and keep your name out of the headlines.