Protecting your ATMs, Part II: Understand your adversary

Most criminals are in it for the money, not the challenge, so they'll always pursue the easiest route to a payoff. The best-protected ATMs are those that make a thief's work the hardest — by minimizing attack surfaces and focusing first on the "handoff" points in a system that present the most likely targets for criminal exploits.

Photo: iStock.com/lcorsetti


By Suzanne Cluckey — Owner, Suzanne Cluckey Communications

The vast majority of criminals are in it for the money, not the challenge, so they'll always pursue the easiest route to a payoff.

Naturally, then, the best-protected ATMs are those that make a thief's work the hardest — by minimizing attack surfaces and focusing first on the "handoff" points in a system that present the most likely targets for criminal exploits.

The second half of a morning workshop on day one of this week's ATMIA US 2019 conference offered insights from industry experts on ways to harden the most vulnerable points of an ATM network against logical attack vectors. 

"Protecting your ATMs from criminal attacks: What you need to know," was moderated by Tom Moore, executive vice president and managing director for the Americas at TMD Security, with panelists including William Arnold, ATM operations manager at IberiaBank; Josh Hammond, senior security consultant at IOActive; and Michael Kearn, vice president and managing business information security officer at U.S. Bank.

Following are thoughts from Hammond and Kearn on protecting against logical attacks.

(If you missed Part One of this series, you can catch up here.)


'The art of the possible'

Hammond gave the audience a glimpse of "the art of the possible" from the attacker's point of view, looking at attack vectors aimed at the upper and lower cabinet of the ATM individually. 

Issues under the top hat include:

  • Connectivity to backend services, such as network services, and update and control applications.
  • Software controls involving privilege separation, XFS and secure storage.
  • Physical access controls that offer a way to load malware through insecur
  • Physical interface control, involving card skimming and PIN cameras.

Issues involving the lower cabinet include:

  • Physical access through safe interfaces.
  • Firmware security involving drivers and communications with the upper cabinet.
  • Lock security, including embedded electronics attacks.

"In terms of the upper cabinet we see a lot of vulnerable network services, especially when it comes to custom solutions," Hammond said. "We've seen things like the update mechanism that didn't have strong authentication systems in place."

Being able to open up the upper cabinet and reach the PC core can be "a huge leg up," Hammond said. "Once I'm attacking a traditional PC, I've got a whole large tool set at my disposal." 

This can include PC functions that aren't even used on a day-to-day basis for ATM functionality.

"There's a lot of footprint there that's overlooked because it's not external facing, it's not as obvious that it's there," he said.

Looking at physical security in the lower cabinet, Hammond said that he'd seen things like small holes drilled in the cabinet — not by the attacker, but by the manufacturer to accommodate cabling. In one instance, this allowed an attacker to access the dispenser, reboot it and gain control during initialization.

Anomalies in proprietary firmware — such as optional authentication — can also present opportunities for criminal access, as can devices like electronic locks. 

"There's exposure there as a lot of these have data signals going through the safe from the outside where you're able to put in a PIN or turn a dial to the inside where the controller is actually existing," he said. "That ends up being an attack surface as well, and there's the opportunity to bypass the locking systems."

Hammond said that the difficult part of defending vulnerabilities is that "Once you protect one way, the attackers are going to find the next way. The attackers generally look for the easiest option, so it's about being aware of security and about trying to stay on top of your security and kind of staying ahead of the game."

Staying 5 steps ahead

Coming from a background as a white hat hacker, Mike Kearn's job is "to stay at least five steps ahead of the adversary who wants to rob us blind. … From an adversarial perspective, the threatscape itself continues to expand and the cadence and frequency of the adversary continues to escalate."

The heart of Kearns' message was that ATM operators in the U.S. need to be better prepared when the next attack method from Europe or elsewhere makes its way across our borders. He aggregates and combs through information about these attacks daily.

For instance, he said black box attacks had been around for several years before the first incidents occurred in the U.S. Nevertheless, when they did show up here, some law enforcement officials thought they were just another type of skimming attack. It wasn't until several months later that it became clear that black box attacks had finally washed up on our shores.

"It's a very fluid type of situation. It's not something that's going to become stagnant or that we can just kind of sit back, take a deep breath and say [sigh] 'Alright, we're done now.' It doesn't work that way. I fully expect this to get a heck of a lot worse before it gets better."

Ultimately, Kearns said, ATM security is a team sport in which all of the players have to come together, bring their expertise to the table, share information and talk about the real issues and what a solution that makes sense will look like.

And, though it might seem counterintuitive, immediate action is not always the best course when confronted with a security problem, Kearns said. 

It's important first to understand your problem and your adversary as well as you can and then to figure out how to take that option away from him at the point of attack — and to determine whether the action justifies the expense. Spending $1 million to address a $100,000 risk doesn't make sense; spending $1 million to prevent a $5 million loss does. 

Again, understand the real nature of the threat and you'll know better how to manage the risk.

"Sometimes the best response you have is patience," Kearns said. "You can choose not to act. Perhaps now is not the right time. Now maybe you need to do more homework. You need to figure out some more things for your business. That's OK. You can do as much harm to yourself by having a knee-jerk reaction and not thinking things through."
