ten immutable laws of atm security
TRANSCRIPT
-
8/13/2019 Ten Immutable Laws of ATM Security
1/3
Ten Immutable Laws of ATM SecurityFrom a security perspective, ATMs have some characteristics that are unique to Information Technology systems the presence ofcash being the foremost. But ATMs also have much in common with other IT systems when it comes to strategies and tactics inprotecting against fraud.
No so ware patch by itself will ever protect ATMs from the issues described below security is a function of People and Processes,in addition to technology. As Microso stated in 2000, sound judgment is the key to protecting yourself against these issues, andATM deployers who keep in mind these Immutable Laws and the best practices described in the ATMIA Best Practices guide willsignicantly improve the security of their ATM systems.
The components inside the locked ATM cabinet, but outsidethe safe, are also vulnerable to compromise from bothhardware and so ware attacks such as plugging in a USB oreven a DVD drive, replacing components inside the ATM even removing the ATM computer and replacing it with anattackers computer. Physical access allows any so ware orhardware component to be replaced; protecting physicalaccess to ATMs starts with security of the site and use ofunique keys for ATM cabinets.
3. If you allow a bad guy to uploadprograms to your ATM, its not your ATM
anymore
When a computer program runs, it will always do exactlywhat its been programmed to do, even if the program isharmful. Harmful computer programs can be loaded onto anATM at several points of vulnerability. With physical accessinside the ATM cabinet, a USB key or CD/DVD can beloaded and install malware. The telecom interface to an ATMalso provides an attack interface for malware. In addition, aremote service interface also introduces vulnerability, forexample through so ware distribution or remote controlaccess to the ATM system. Best practices for physicalsecurity, telecom data encryption and restricted accessthrough rewalls and related controls as well as serviceinterface and people processes protection are allnecessary to safeguard ATMs from malware.
* Adapted from Ten Immutable Laws of Security, originally published byMicroso in 2000http://technet.microso .com/en-us/library/cc722487.aspx
Reprinted with the permission from the ATM So ware Security BestPractices Guide, Version 2., published by the ATM Industry Association,October 2011. www.atmia.com. Authors: Pat Telford , Microso , and PeterKulik , Vantiv.
www.vantiv.com
1. If a bad guy can alter the operatingsystem on your ATM, its not your ATManymore
The threat of malware on ATMs is real and becoming greaterwith each day that passes. Malware can alter screen ow,intercept card data even PINs are at risk. Most ATMssystems are installed using a gold disk approach whichprovides enhanced security but also a single point ofvulnerability. Operating system les are the most trustedles in an ATM, and have almost complete control of anATMs operation - if the operating system on a gold disk is
infected, the ATM is compromised from the very rsttransaction it completes.
The key to protecting the gold disk installation is primarilythrough people and processes employee screening,strong access controls, and dual control for installations areall important. Creation and comparison of a hard disksnapshot can start by comparing a newly-installed ATMwith a known clean system to monitor for tampering in theinstallation process.
2. If a bad guy has unrestricted physicalaccess to your ATM, its not your ATManymore
The computer components controlling an ATM typicallyreside partly inside and partly outside the ATMs safe.Unrestricted physical access to the safe makes the cashvulnerable as well as the technology components butunrestricted physical access to components outside thesafe introduces risk as well. The most obvious are the cardreader and PIN pad on the front of the ATM, which can becompromised by skimmers, false keypads, etc.
Copyright ATMIA (www.atmia.com) and Vantiv, LLC. All rights reserved
-
8/13/2019 Ten Immutable Laws of ATM Security
2/3
but increasingly, these tasks are performed through remotemanagement tools. By denition, administrative tasksrequire control over the ATM, which puts the administratorin a position of unequalled power. Further, the developers ofthe ATM so ware itself are in a position of great power tocontrol the operation of an ATM, and could write so wareto change screen ow or content, capture PINs, or accessother condential information.
An untrustworthy administrator or developer can negateevery other security measure from uploading maliciousso ware, to compromising encryption, to introducing a
back door for access to ATM system les.
Best Practice People processes hiring honest people tobegin with, and then keeping honest people honest arethe basis for maintaining the trustworthiness of ATMsystems. Secure development practices such as keeping anaudit trail of changes to code and isolating developmentand testing activities and people help to secure thedevelopment environment. Dual control and the other bestpractices discussed for securing the Service Interface helpto ensure the honesty of ATM administrators.
7. Encrypted data is only as secure as thedecryption key
Like the front door of your house or the combination to abank vault encrypted data is only as secure as the key orcombination needed to unlock it. If a key is tucked under thedoormat, or the combination written on post-it notes in themanagers office, the strongest locks in the world will do nogood in keeping bad guys out. Triple-DES (3DES) and Encrypting PIN Pads (EPPs) arebasic building blocks of data encryption for ATMs. Remote
Key technology eliminates paper keys and is a best practicefor keeping 3DES systems secure and for passing keyaudits with ying colors. Hard-disk based journaling mayseem convenient, but has proven vulnerable to compromise;disk encryption may seem like a solution, but in practicalityhas proven unworkable since the encryption key is by naturevulnerable in an unmanned application. The best solution isto use a remote journaling system which can be effectivelysecured, and store no journal data on the ATM itself.
www.vantiv.com
4. If a bad guy can persuade you to run hisprogram on your ATM, its not your ATManymore
ATMs do not allow users to open up a browser window andbrowse the Internet, a common threat vector in laptops anddesktop PCs. However, even if the ATM manufacturersrecommendations and other best practices have beenfollowed, the bad guys continue to get more sophisticatedand may nd ways to break into ATM systems. Bestpractices to prevent and detect changes to ATM so wareles include a Whitelisting solution that controls ATM
processes and libraries executed, le access rights, networkcommunications control, and device access control; as wellas archiving a snapshot of an ATMs hard disk and regularlycomparing the ATM to the archived image as a failsafeapproach to detect an infection. Having the ability toquickly, securely, and (where practical) remotely reinstall anATM from a known good source is the ultimate remediationfor malicious code.
5. Weak passwords trump strong security
As Ben Franklin is once said, three people may keep asecret - if two of them are dead! His comment presagedtodays best practices for password protection; ATMpasswords should always be changed from manufacturersdefault at the time of installation. PCI requires use of strongpasswords that are changed regularly for ATMs thisincludes passwords for both the service interface as well asthe operating system. Some ATM manufacturers havebegun to introduce more sophisticated controls for serviceinterface access, such as logins requiring both a passwordand unique token, more securely establishing the identity ofthe person logging in and aiding in tracking and auditingATM access.
6. An ATM is only as secure as theadministrators and developers are
trustworthy
Every ATM has administrators trusted people who can install so ware, congure devices, manage accounts andestablish security policies, and handle the othermanagement tasks associated with keeping the ATMoperational. ATM administration tasks are o en completedon the ATM itself through a physical service interface
Ten Immutable Laws of ATM Security
-
8/13/2019 Ten Immutable Laws of ATM Security
3/3
Further, ATM deployers should have a plan in place in caseof compromise, including notifying authorities and workingwith the appropriate card associations and/or networks toidentify compromised cards and notify their issuers. Issuersshould be sensitive to compromised card reports from theirprocessors, networks, and card associations, and block andreissue compromised cards promptly. By reacting quickly,we reduce the value of stolen data to the bad guys, which inturn helps reduce the attractiveness of ATMs as targets forfraud.
10. Technology is not a panacea
Perfect security requires a level of perfection that is unlikelyto ever be achieved as long as security depends onPeople, Processes, and Technology, the peoplecomponent will keep us ever-striving for perfection.Technology continues to evolve in amazing ways, but aslong as human nature is vulnerable, technology will remainnecessary but not sufficient for optimum ATM security. An emerging best practice is to leverage human nature i.e.the human desire to safeguard our hard-earned funds toprotect ATMs. Including ATM users as part of the equationfor ATM security ranges from educating them to be awarethe ATM fascia and report anything that looks suspicious to displaying a picture on the ATM screen of what the ATMshould look like and asking them to check and report anydiscrepancies.
ATM security is a journey, not a destination as Microsostated in 2000, a constant series of moves andcountermoves between the good guys and bad guys whoboth continue to get better at what they do. Our bestpractices for ATM security have evolved considerably sincethe invention of the ATM, and will continue to evolve as long
as ATMs provide a valuable service to consumers.
www.vantiv.com
8. An out-of-date security system is onlymarginally better than no security systemat all
Microso s Patch Tuesday has become a highly-anticipatedmonthly event, though security patches for so warecomponents and antivirus updates are released almost dailyit seems. ATM operating systems are tightly controlled andlocked down so that most of these patches are notapplicable for ATMs but some are. Further, some securitycomponents on an ATM need to be updated regularly bydesign, such as malware detection systems which function
based on les that dene known malware and are alwaysgrowing. An ATM which has not been updated with securitypatches and current denition les is vulnerable to attack;over time, this exposure increases.
Good centralized so ware distribution systems areavailable today to economically administer ATM patch anddenition le updates. Using Whitelisting technology forantimalware will require fewer denition le updates thanother approaches. There are fewer attack vectors on ATMsthan on internet-connected laptops, for example, so thefrequency of patch updates can be lower for ATM operatorswho consistently follow best practices for ATM security.Deploying updates every one to three months is a typical,proven practice today for ATM deployers who haveaddressed the breadth of ATM So ware Security bestpractices in their ATMs.
9. Absolute anonymity isnt possible, inreal life or ATMs
Despite our best efforts, as long as ATMs have cash, badguys will seek to steal it. Likewise, as long as we use cards toaccess the cash in ATMs, bad guys will nd ways to stealthat card data as a means to steal cash. Whether through
low-tech approaches such as card skimmers and telecomsniffers, or high tech approaches such as malware thatalters screen ow and interfaces with an embedded mobilephone to phone home stolen data, the bad guys willalways be just as creative as the good guys.
As a rst step to protect cardholder data, ATM deployersshould complete a thorough review of their ATMcongurations to make sure their ATMs are not storing fulluser Primary Account Numbers, or storing them for only alimited period.
Ten Immutable Laws of ATM Security