Protecting an ATM's hardware, software by slowing down criminals

Protecting ATMs is crucial, but the actual task is easier said than done. ATMs have historically always been high profile targets for criminals, due to the large amounts of cash stored inside. With each innovation meant to stop criminals, they have utilized new methods to get around it such as explosives to break into the ATM or advanced software attacks.

One overlooked factor with ATM security is speed. Criminals rely on speed to get in and out as quickly as possible with the cash from the ATM. The longer it takes, the more time law enforcement has to arrive on the scene. How can operators delay or frustrate attacks long enough to be effective?

To get the answer to this question, ATM Marketplace spoke with Joe Myers, EVP, global banking at Diebold Nixdorf.

Q.How can banks help improve the security of the cassettes inside the ATM?

A. By delaying an attack as long as possible, the risk of capture increases, prompting attackers to give up and flee. The design of the ATM can play an important role in how long an attack takes. A lack of accessible openings in the safe makes attacks harder and more time-consuming. Also, inserting gas or solid explosives into the safe becomes more difficult. Likewise, without any openings in the safe door, ripping it off is also harder. The choice of the right safe for the right level of threat adds another security layer. Banks can complement these with reinforced steel plates and extra locking mechanisms.

Another way to improve the security of the cassettes is to neutralize the cash by equipping the cassettes with ink-staining solutions. This ensures it will be unusable to attackers. In the event of an attempted attack, an indelible or permanent security ink is released that stains the banknotes making them unfit for use.

There are also various levels of safes available, so financial institutions can choose one that best fits the risk landscape in which they operate. In addition, DN Series ATMs can be equipped with built-in sensors that can detect cash traps and secure the cash if a trap is detected during a transaction. The ATM can also detect shutter drillings related to transaction reversal fraud attacks.

Q. What are your top three ATM hardware security tips?

A.

1. Detect the attack as soon as possible. Conduct regular security assessments to expose weak points and install alarming packages and monitoring solutions to help detect an attack as soon as possible.
2. Delay the attack as long as possible. Protect the ATM against brute force attacks and fraudulent access by installing high-grade safes and physical ATM enforcement.
3. Neutralize the cash to ensure it will be unusable to attackers by equipping cassettes with ink-staining solutions. In the event of an attempted attack, an indelible or permanent security ink is released that stains the banknotes making them unfit for use.

Q. Top three software security tips?

A.

1. Since ATMs have a unique context and attack surface, general-purpose security measures are often insufficient and create a false sense of security. Ensure security practices (especially around authentication and authorization), tools and policies are customized for your unique security challenges for the ATM network.
2. Ensure your software is up to date with the latest upgrades and patches and follow the maintenance plan. This is one of the most effective software security practices to thwart common attacks and avoid vulnerabilities associated with old or out-of-date software. This helps secure the software as well as the ATM.
3. Encrypt entire drives. Securing transactional and personal data has compliance obligations, whereas unencrypted system data might become an entry point into the device. In addition, while encryption is a commodity, securing encryption keys in a self-service environment brings the desired level of protection.

Q. Is there anything else you'd like to add?

A. Financial institutions must take a holistic and in-depth view of their security environment to protect their assets, consumers and employees as well as their brand image. Security is never one-size-fits-all, so their security solutions should be targeted to meet their individual requirements, mitigate respective risks and balance their business needs.

Cooperation among financial institutions, law enforcement and solution providers is essential to combat threats and prevent attacks. Diebold Nixdorf recommends that financial institutions join local and global security associations to stay up to date on the changing threat landscape and attack patterns.