ATM / POS Fraud , Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development

ATM Security: The Fundamental Flaws

Security Leaders Say Manufacturers Must Be More Accountable
ATM Security: The Fundamental Flaws

Concerns around ATM security are rising in India. CISOs across the banking sector report multiple challenges, including a lack of security features built into the ATM machines by manufacturers, and external factors beyond their control, such as the OEM's choice of operating system, the bolt-on approach to security and physical security.

See Also: OnDemand | Payments Without Borders: Prevent Fraud and Improve the Customer Experience

Challenges are compounded by the most widely-used OS in ATMs - Windows XP - no longer being supported by Microsoft.

ATM manufacturer NCR recently released a security alert regarding malware attacks on ATMs. These attacks, also known as "jackpotting" or "cashout," are on the rise in India (see: Alert: Indian ATMs Face New Attacks).

"These malware attacks have expanded into nearly every global region and are increasing in frequency," says the NCR alert, urging operators to better protect machines against known attacks, especially against the "Top Box" where the operating system resides, to install or execute malware via USB or other means.

However, while the OEMs encourage more security on top of their product, banking and security leaders believe that fundamental issues need to be addressed from the top down, before it's too late.

A CISO at a leading bank, who asked to remain unnamed for this story, says, "The biggest issue is that any and all security features being provided by OEMs are add-on solutions; security is not built-in."

The OS Challenge

ATM security concerns have heightened ever since Microsoft's announcement of end of support for its XP operating system in 2014. A majority of ATMs operated still run XP, experts say. The choice of OS platform is completely up to the OEM - banks simply want a secure ATM machine without worrying about the underlying platform/OS, says the anonymous bank CISO.

There is a clear need for purpose-built software to operate ATMs that is not subject to vulnerabilities that affect consumer operating systems that require regular patching. "For instance, compliance with PCI-DSS requires regular patching of ATMs. However, with XP going out of support, vendors are conveying their inability to patch their XP-based ATM machines," the CISO says.

The CISO also says there are thousands of XP-based ATM machines from various OEMs in the field, and banks are employing compensatory controls in the form of whitelisting, OS hardening and similar solutions. He says that while PCI-DSS accepts compensatory controls in the short term, it is not acceptable as a permanent solution, even though it is more secure than regular patching.

Whitelisting software is therefore an additional investment that quickly becomes redundant from a compliance perspective. The cost is expected to rise more with OEMs asking banks to upgrade ATM machines to Windows 7 at the bank's cost. In many cases, this will require an additional hardware upgrade, the CISO says.

However, in less than five years, when support for Windows 7 is likely to be withdrawn, ATMs being purchased today will again become non-compliant. "OEMs are considering ATM machines as an assembly of discrete components, and are able to disown the responsibility for support during the useful life of the product," the CISO says.

Ideally, the OEMs should design ATMs as appliances, with complete control and ownership over its components during the machine's life - about seven years - without linking dependencies on external factors like an OS going out of support, he asserts.

Unique Security Issues

Banking and security leaders argue that while security should be a basic requirement in a machine such as an ATM, solutions are often sold by OEMs as an optional add-on. The reason for the fragmented approach may be that the cost of the machines in India is 40 percent to 50 percent less than in other markets - probably the cheapest in the world, says Prakash Joshi, COO at Electronic Payment & Services, a third-party service provider that deploys and operates ATMs for banks.

Joshi argues that OEMs may be trying to manage this margin pressure by providing additional functionality at a cost, he says. In addition, banks sometimes also choose to opt out of these add-on security solutions as, apart from the reputational risk, the financial cost of fraud is perceived by many banks as less than the cost of incorporating these solutions, he says.

"The other issues is that there is no machine-specific key - be it Wincor, NCR, or Diebold or others," Joshi says. "The top hatch for any ATM of a particular model can be opened using a universal key for that model." The primary idea behind this design was to expediently address faults - usually done by third-parties - in a deployed base of thousands of machines of the same model.

But this same convenience in design has become a security handicap. Most perpetrators of ATM fraud know how to source keys and expertise to exploit these machines, Joshi says.

Security Recommendations

This tacked-on approach to security is driven by market dynamics, and instituting security as a basic demand at the RFP level itself may be able to address this, Joshi says. OEMs would then be required to address security considerations as part of the design, rather than banks dealing with issues on a piecemeal basis.

Experts also say manufacturers may need a push from industry and regulators in this direction. Regulatory guidelines from the Reserve Bank of India, mandating security and support for ATMs, may compel OEMs to adhere to incorporating security at the design stage.

Meanwhile, Dhruv Phophalia, managing director and and head of business consultancy Alvarez & Marsal's forensics, dispute and investigation services in India, suggests practical ways to prevent malware attacks on ATMs, which include:

  • Periodically monitor physical security and invest in upgraded security measures, such as real-time monitored cameras, security guards, anti-skimming devices, etc.
  • Change locks and passwords provided by the ATM manufacturers. Machine passwords should be provided to individuals only after conducting rigorous background checks.
  • Change ATM BIOS default passwords and configure BIOS so that the ATM cannot be booted from any source other than the primary hard disk.

Reshmi Khurana, managing director and country head of operations for Kroll Advisory Solutions India, a corporate investigations and risk consulting firm, finds attacks that target the back end of the ATM or its OS are much more sophisticated than attacks that skim customer information.

"Many factors come into play, and hence banks need to go back to basics and check their entire process flow to determine whether the vulnerability is on the process end, with the people or with their systems."


About the Author

Varun Haran

Varun Haran

Managing Director, Asia & Middle East, ISMG

Haran has been a technology journalist in the Indian market for over six years, covering the enterprise technology segment and specializing in information security. He has driven multiple industry events such as the India Computer Security Conferences (ICSC) and the first edition of the Ground Zero Summit 2013 during his stint at UBM. Prior to joining ISMG, Haran was first a reporter with TechTarget writing for SearchSecurity and SearchCIO; and later, correspondent with InformationWeek, where he covered enterprise technology-related topics for the CIO and IT practitioner.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.