Professional Documents
Culture Documents
ABSTRACT 4
COMPREHENSIVE PROTECTION 14
BEYOND AUDIT 16
CONCLUSION 17
2 / Copyrights 2011. GMV Soluciones Globales Internet, S.AU. All rights reserved.
checker
ATM SECURITY
ABSTRACT Several options are available on the market to help controlling and
Do you believe your ATMs or Kiosks are secure? If you do, you should mitigating the risks associated with ATM security. After all, an ATM is a
take a look at the recent news related with ATM hacking that have been hardened Windows-based PC with specific peripherals, and software
published during the last year, and then, you should not ask yourself to secure PCs which has existed for a long time. However, the majority
“HOW” your ATM could be vulnerable but “WHY”, and then and only of PC security products have evolved for typical office computer
then, you will find the appropriate answers. environments, whose particular characteristics (stability, updating
frequencies, connectivity and service needs, performance etc.) are quite
Nowadays, cybercrime is one of the main government’s security agencies different to those of the financial self-service environments.
of the most important security issues. Recent cyber attacks like Stuxnet has been paid to preventing “…there are new threats
or Skimer in Russia and the Ukraine to the ATM Financial infrastructure thieves from stealing the most which are far from evident and
have demonstrated that targeted attacks against valuable assets are evident asset in an ATM: cash. are also rapidly evolving”
becoming more and more sophisticated. Do you think your ATM network Many physical security controls
is a valuable asset? Are you aware of the new techniques employed are in place in modern ATMs, and
to attack ATM networks? New risks are arising and new protection most ATM network managers believe their ATM network’s security is
paradigms must be deployed in order to minimize the consequences. reasonably managed, since the ATM controls in place obviously face the
evident threats an ATM is subject to (things like breaking the ATMs using
This whitepaper will try to show you the new risks on ATMs, the causes, trucks or explosives).
motivations, and which are the necessary elements that an ATM needs in
order to minimize the risks of logical fraud. More recently, the raise in card fraud has resulted in the appearance of
an associated credit card data market. Today, criminals can easily sell
Checker ATM Security product will provide you all those elements, credit card data over the Internet for a profit, and thus it is only natural
since Checker ATM Security is a product specifically design to solve this that they wonder how they can obtain those data. Of course ATMs
problem, being compliant with the most advanced regulations as PCI-DSS. are an obvious source of PINs and magnetic stripe data. Due to these
facts, ATM security focus is slowly shifting to ensure that proper security
WHICH ARE THE RISKS ASSOCIATED TO AN controls are also in place to prevent card and PIN data stealing from the
ATM NETWORK self-service network. However, in order to select the proper software
The arrival onto the financial self-service scene of the Microsoft security controls, it is necessary to understand the threat. Well known
Windows operating system together with the use of IP networks, for attacks such as card skimming are already being addressed (like for
communications services, has resulted in a considerable increase instance through EMV initiative). Still, there are new threats which are far
in security risks for Automatic Teller Machines (ATMs) as a direct from evident and are also rapidly evolving.
cyber attacks. Worldwide criminal gangs are currently pursuing low risk, poorly understood by ATM network managers. Part of the problem
sustainable sources of revenue and it is a matter of time before many probably is that data stealing from an ATM does not immediately result
criminals in modern countries join this emerging “criminal value chains” in a loss for the ATM network itself, but for the financial entity behind
and target attractive assets in an organized manner. In this respect, there the data. There is no clear liaison from ATM data compromise and ATM
3 / Copyrights 2011. GMV Soluciones Globales Internet, S.AU. All rights reserved.
checker
ATM SECURITY
loss expectation. Furthermore, many security incidents in ATM networks to decrease risk (of being caught) and increase the amount of stolen data
are currently not detected and thus the rate of occurrence of breaches is (or its quality, e.g. knowledge of customer profile associated to the data)
usually underestimated. It seems contradictory that what appears to be and also decrease the effort to obtain it.
a new promising business for criminals is getting so little attention from
ATM network managers. In this way, as in most technology
based “businesses”, the threat is “Once you manage to intro-
In order to understand how this is possible, let us first discuss what rapidly evolving. For instance, if they duce malware in the ATM,
would be the best strategy that a criminal could follow, for instance to just manage to have access to the why not use it to withdraw
obtain some credit card data from an ATM, data that he could later sell ATM at one particular time (instead cash? Indeed that is what Ski-
on the market. Criminals focus on three basic aspects: that on a regular basis), they can mer malware is able to do”
inject some malicious software and
--The effort must be worth the risk of being caught. later collect the data using the ATM
--This risk must not surpass some acceptable level, and printer or sometimes send it over the network. The well known “Skimer”
--They prefer tactics that would provide sustainable revenue better malware that expanded in a few countries at the end of 2008 does just
than actions that would result in punctual profit. that. And, once you manage to introduce malware in the ATM, why not
use it to withdraw cash? Indeed that is what Skimer malware is able to
And sustainable revenue usually comes from a situation where assets do: By means of a particularly built card you can instruct the infected
(data or cash) are stolen regularly and without notice. ATM to dispense cash. The cash that “disappears” does not belong to a
particular customer, and tracing the loss is sometimes difficult. Moreover,
Now, if criminals would come with a truck and steal a single ATM (or, less in the very near future this type of malware is expected to behave as
dramatically, install some hardware device on it, like a dispenser trapper), a “worm” and be able to self-replicate in a network, thus reducing the
they would get money and/or data, but this would require a great effort and exposure of the criminals and increasing their revenue expectations.
would provide limited profit. On the other hand, if they could somehow,
and without being noticed, get their hands on ATM data on a regular basis, At a first glance it may seem that building this kind of malware is quite a
they would sell the data and thus have a source of sustainable revenue at a sophisticated task, and it is indeed, even for a well known open system
very low risk. Surely this possibility deserves some attention. like Windows. However, most criminals do not build their malware, they
can buy it from organized criminal gangs just the same as they can later
sell the obtained credit card data. These malware kits are available and
News: Many Corrupt Ukrainian Bank Workers Assist Cyber are quickly becoming inexpensive. This criminal “specialization” is at the
Criminals. very core of the new threat model that we are facing.
Ukraine’s national security agency had detected a rise in
bank-related cyber in the country. Apparently many of the attacks ATM SECURITY TECHNOLOGIES
rely on insiders, as banks are advised to review and strengthen New generation of ATM-focused malware coexists with a crisis in the
their employee selection processes. classic anti-malware solutions (a.k.a. antivirus) that have so far protected
Windows-based systems. This crisis has three aspects.
One could think of two ways to achieve this goal. If the criminal (or an --First, new malware is expanding exponentially so as to render
accomplice) has periodic access to an ATM (say he is in charge of some eventually unmanageable the number of patterns that a classic
sort of maintenance task) all that is needed is some knowledge and/or antivirus solution needs to cope with.
tools in order to get these data (provided of course they know where --Second, so called zero-day exploits cannot be effectively dealt
it is). This has been the main approach for some time. However this with using pattern recognition technology which is the technology
possibility is reduced to a limited number of people and therefore the widely used by most antivirus manufacturers.
associated risk of being caught is higher. At the same time, the card --Finally, malware is evolving to use self-compiling technologies
fraud market is becoming commoditized and the price of the stolen that result in customized versions with unique patterns, so that
magnetic stripe data is decreasing. This, as in any other business, is all instances of the malware look different for a classical antivirus
demanding from the criminals a higher degree of sophistication, in order which yields pattern based recognition ineffective.
4 / Copyrights 2011. GMV Soluciones Globales Internet, S.AU. All rights reserved.
checker
ATM SECURITY
5 / Copyrights 2011. GMV Soluciones Globales Internet, S.AU. All rights reserved.
checker
ATM SECURITY
that might be storing sensitive information (for example card numbers installing an antivirus in an almost unattended environment such as an
and associated transaction data) which can later be retrieved on a ATM? How could their resource consumption affect the ATM? Have you
regular basis and be used in fraud attempts. It is also easy to download ever experienced degradation of your PC environment and blamed the
already existing files containing sensitive information to USB storage antivirus? Clearly, Windows-based antiviruses or personal firewalls were
devices. It is easy to inject code that intercepts peripheral drivers and, not developed to secure ATMs. How does one go about selecting a
for instance, dispenses cash. proper security control for an ATM?
As a consequence, there is an urgent need to install suitable security Fortunately for us, one of the main features of an ATM, its stability, is
controls in ATMs. Naturally, security controls cannot have the intention of here to help us with the answer. An ATM is a very specific environment
making Windows more secure than it is. But they can, depending on the which has a clear advantage with respect to other Windows
situation, avoid, counteract or minimize security risks. environments such as desktop PCs from a security perspective: Its
configuration (programs, files and generally required resources) and
When ATMs first appeared around its behavior (for example, permission for writing, reading or execution)
“Due to classic anti-malware 1968 they quickly became one of may be precisely defined, and it generally remains stable (or with few
solutions crisis, new the most influential technological alterations) for a longer time than office computer environments.
required to secure it or not, ATMs were the first We can thus imagine an ATM specific security product as some sort
Windows-based ATMs” large-scale example of commercial of software that is installed between the operating system and the
use of cryptography, and actually resources which it handles in the ATM, in order to ensure that actual use
they contributed to establish a of resources conforms exactly to the expected use in the ATM. Here
number of crypto standards. ATMs security-by-design was a main concern by resources we are meaning files, peripherals, everything controlled
at that time. Time has, however, turned a highly sophisticated, distributed, by the operating system. In this way, a large quantity of attacks may be
retail transaction processing technology into a legacy system. Today detected as “unexpected use” and the countermeasures immediately
many ATMs feature unsupported versions of Windows and their RAM taken in order to avoid damage and to warn managers. It is this concept,
memory is almost ridiculous when compared with the standard offer in a that of conformance or compliance in the use of the resources, which
PC store. Surely there are new modern machines available every year, but leads us to the quite interesting concept of “ATM security policy”.
large networks cannot be changed as fast as the evolution of technology
would suggest. There are around 2 Millions ATMs in the world today, SECURING YOUR ATM NETWORK, SECURITY
and changing all of them every three years would be absurd. On the POLICIES
other hand, current ATMs might not be the most modern machines, but In a general manner, we could define a Security Policy as a set of rules,
certainly they are quite stable systems, much more reliable than your office principles and practices which determine the manner of implementing
PC. Software upgrades are well controlled, and some ATMs even feature and managing security in a particular environment (such as, for example,
sophisticated monitoring and failure-prediction systems. Essentially, a financial self-service network). Once a security policy is established,
an ATM is not a machine where one wants to introduce a source of it is possible to design and implement a well-reasoned set of security
unreliability or a performance problem. controls. Controls will be selected so as to ensure compliance with
policy, and when this is not the case, detect and inform about non-
It is in this context that ATM network managers are facing the urgent compliances.
need to install security controls. Since an ATM is essentially a PC, one
might argue, they should be The power of security policies is that they allow you to select the security
equipped with the same security controls that you need. A security policy should also be able to help
controls that we have in our PCs: “Essentially, an ATM is not in the selection of a balanced set of procedural, administrative and
antiviruses (or something of the a machine where one wants technical controls for a particular scenario.
sort). But the threats to ATMs, as to introduce a source of
we have seen, are not viruses. unreliability or a performance Specifying a security policy for our ATM network will enable us to select
And even if they were, could you problem” the proper security controls. This selection is an important task which is
imagine the risks associated to often disregarded. In many cases it is relatively common to introduce
6 / Copyrights 2011. GMV Soluciones Globales Internet, S.AU. All rights reserved.
checker
ATM SECURITY
7 / Copyrights 2011. GMV Soluciones Globales Internet, S.AU. All rights reserved.
checker
ATM SECURITY
The above list of features is quite extensive, and indeed only ATM
Some of the mentioned features might seem redundant in their purpose, specific security products could be expected to provide them all in a
for instance why control communications to prevent malware exporting single product. The main reason for this extensive list is that, an ATM
sensitive data, when the malware cannot be executed in the first place? must prevent attacks from people having physical access to the ATM.
Well, this approach, known as “defense in depth”, is a common strategy in This is an unusual situation, and indeed some security experts would
the security scenario, and essentially consists in deploying several layers of argue (convincingly) that it is quite impossible to secure a Windows-
defense just in case the attacker is able somehow to bypass one of them. based machine from someone that has physical access to it.
8 / Copyrights 2011. GMV Soluciones Globales Internet, S.AU. All rights reserved.
checker
ATM SECURITY
While this might look like a typical security requirement, there is one
interesting feature that we want to propose for our ATM security
product. In addition to registering all failed attempts, we would like in
some cases to relax security in order to understand what the attacker is
doing.
We will not elaborate more on this topic, we will just say that a fully
controlled, remotely managed surveillance of the ATM when it is under
attack (as opposed to just denying all access in the first place) is a
powerful tool which can result in deeper understanding of new threats.
CONCLUSION
In this paper we have discussed the emerging security threats and
we have proposed an ATM security concept summarizing the reasons
why such a far reaching security product is a real need for self-service
networks, and why a typical PC-focused product solution, no matter
how advanced, would certainly not provide the required assurance. This
concept has been implemented by GMV in its product Checker ATM
Security, a product that will help you to protect your ATM network and
being compliant with most of the PCI-DSS requirements.
9 / Copyrights 2011. GMV Soluciones Globales Internet, S.AU. All rights reserved.