ATM and IoT security: Be proactive to be protected

By Garry McCracken, Vice President of Technology, WinMagic

Security and risk management is no longer an IT issue; it's a business strategy. After all, without security how can we innovate? 

In this era, regulatory roadblocks and consumer risk awareness can quickly stifle growth, so corporate and consumer protection must be at the heart of innovation, particularly when it comes to increasing transactions via ATMs and other IoT devices.

While consumers have no doubt adopted payment apps and digital banking to manage their finances, ATMs remain a common platform for transactions. This is especially true in emerging markets where accessibility of cash is essential.

The problem is, ATMs have increasingly become a target for crime. That's because, like many IoT devices, ATMs start up in a physically accessible environment without any trusted user present, leaving them vulnerable to attack.

What exactly is meant by 'attack'?

There are a multitude of threats, but they can easily be broken down into three categories — physical attacks, financial fraud and logical attacks.

• Physical attacks— Attempts to physically breach the cash enclosure or other valuable media inside the ATM.
• Financial fraud— Attempts to steal cardholder data to make a counterfeit card, such as card skimming or card trapping.
• Logical attacks— Attempts to steal cardholder data or to control the dispenser and cash out the ATM via external devices, malicious software, or both.

Whether attackers are after the cash or — even more valuable these days — the data, they will always pursue the path of least resistance. As protections against financial fraud and physical breaches of the ATM have improved, logical attacks have increased in both frequency and scale.

The risks of logical attacks

Logical attacks target the ATM's firmware or software to manipulate it for the attacker's purposes — typically to cause an unauthorized dispense of cash, otherwise known as jackpotting. Considering some machines can hold up to $200,000 — although most contain $10,000 or less — a criminal can effectively secure a larger payout than most of us could ever dream of winning at a casino gaming machine in Las Vegas.

How do criminals do it? There are two methods, but the most common type of logical attack against an ATM is an offline attack. In this case, the attacker inserts a removable media (for example, a CD, DVD or USB). The ATM then boots to an operating system on the removable media. 

At this point, the machine is virtually defenseless, allowing the attacker to disable anti-malware software, copy malware onto the ATM hard disk, and re-boot the ATM back to normal operation mode once the USB is detached. Now running malware, a "mule" returns to the ATM to activate the code and dispense the entire cash enclosure.

How can you protect your ATMs?

The answer is simple — encryption. Encrypting PIN Pads is a must, of course.

But what about hard drive encryption? When it comes to ATMs, HDE is the simplest and most effective way to protect against these offline malware attacks. 

HDE ensures that no data — including the operating system and other software — can be tampered with while the ATM is offline. This way, attackers cannot get the access they need to disable the anti-malware, copy their malware or read any contents of the drive. 

It also helps with PCI DSS requirements to securely dispose of the drive and any related data — for instance, check deposit JPEGs — if the ATM is decommissioned or in maintenance.

The bottom line

If you are an ATM network operator, you have multiple priorities to juggle, and probably a few in the realm of security. 

ATM jackpotting attacks are nothing new. In fact, this type of attack was first discovered in Mexico more than five years ago, and since then it has been mostly limited to regions of Europe and Asia. 

However, early last year there were reports about the first known jackpotting attacks in the U.S. The threat is real.

The bottom line: Don't wait for attackers to find the weakness in your ATM security. Be proactive with your encryption efforts to protect both your investment and your customers.

Garry McCracken is vice president of technology at WinMagic. He has more than 30 years of experience in data communications and information security. Prior to working at WinMagic, Garry was vice president at Kasten Chase, where he played a key role in assuring the company's compliance with strict security standards. www.winmagic.com