I was out of the banking space for years before I came to Diebold Nixdorf, working in government security, and one thing really surprised me when I returned to the financial industry as a security architect last year: how little has changed in the ATM space. I see many financial institutions still operating with a “security by obscurity” strategy that neglects the great strides in security innovation—as well as the new attack vectors from innovative criminals.
More than a decade ago, when the internet was still in its early growth phase, criminals didn’t have a whole lot of access to ATMs, their manuals or hardware components. Today, organized crime can more easily purchase ATMs themselves, pick up components cheap as chips (as we say in Australia), find detailed information about specific ATM models online and network with other hackers to gain insights on new attack methods. On top of that, many ATMs are 10 years old, and some even older—so thieves have had a long, long time to familiarize themselves with the machines. All this is to say, obscurity is no longer an option as a security strategy.
The Obscurity Advantage Has Shifted to Criminals
If you are managing an ATM network with a handful of terminals, those machines are likely all in pretty protected, monitored locations. But for ATM operators managing a network of a few hundred or even a few thousand terminals, not every ATM is in a location where it can be closely monitored. Think about your ATM locations—are any of them freestanding? At a remote store or unmonitored location? How closely are your terminals monitored after-hours?
Consider that criminals can access an ATM, remove the hard drive and apply malicious code in well under half an hour.
This is where hard disk encryption and advanced BIOS password management become critically important to securing an ATM network. We designed DN AllConnect Managed Security Services℠ to complement banks’ existing security frameworks with robust monitoring, updates and management capabilities to limit access to a terminal, and prevent the ability to tamper with the internal software stack.
Jackpotting & BIOS Attacks
Jackpotting covers a broad range of cyber-attacks and occurs most often in conjunction with some type of physical attack, such as drilling a hole to insert an endoscope. Cyber prevention such as encrypting the hard drive—and ensuring updates are made in a timely fashion—prevents thieves from applying malicious code to the hard drive (which contains the operating system and the financial services layer), reducing the attack surface of the ATM. Additionally, encryption stops hackers from accessing sensitive data like configuration files and other information stored on the ATM’s hard disk. That data can be sold online and, when combined with a thriving second-hand ATM components market, provides a test bed for producing malware.
The BIOS (basic input/output system) controls the hardware, booting the ATM and selecting the hard disk to boot from. If criminals access the BIOS, they can simply direct the ATM to boot from their drive instead, bypassing the terminal’s software entirely. If a large fleet has many techs and other personnel involved in servicing and maintaining ATMs, who all have access to the same passwords, there is more opportunity for this type of cyber-attack.
Your approach to locking down the BIOS should include comprehensive password management, with an eye toward mitigating default or widely known passwords, randomizing passwords and providing techs with a temporary password that allows them to access the terminal during a specific window of time or for a specific purpose.
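One way to model the per-terminal, time-boxed passwords described above, as an added example that is not Diebold Nixdorf's product code. It assumes a management server and a terminal-side agent share a fleet key and that the agent applies the current window's password; `FLEET_KEY`, `WINDOW_SECONDS`, the function names and the sample IDs are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample secret; a real deployment would keep it in an HSM or vault.
FLEET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
WINDOW_SECONDS = 2 * 60 * 60  # assumed length of one service window


def _encode(*fields: str) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") never collide."""
    out = b""
    for field in fields:
        raw = field.encode()
        out += len(raw).to_bytes(2, "big") + raw
    return out


def terminal_key(terminal_id: str) -> bytes:
    """Per-terminal key: a password leaked for one ATM is useless on another."""
    return hmac.new(FLEET_KEY, _encode("terminal", terminal_id), hashlib.sha256).digest()


def issue_password(terminal_id: str, tech_id: str, purpose: str, unix_time: int) -> str:
    """Password bound to one terminal, technician, purpose and time window."""
    window = unix_time // WINDOW_SECONDS
    msg = _encode(tech_id, purpose, str(window))
    mac = hmac.new(terminal_key(terminal_id), msg, hashlib.sha256).digest()
    # 10 bytes of MAC become 16 base32 characters, short enough to type on site.
    return base64.b32encode(mac[:10]).decode()


def verify_password(terminal_id: str, tech_id: str, purpose: str,
                    candidate: str, now: int) -> bool:
    """Accept the password only inside the window it was issued for."""
    expected = issue_password(terminal_id, tech_id, purpose, now)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), candidate.encode())


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    pw = issue_password("ATM-0001", "tech-17", "bios-update", t0)
    print(pw, verify_password("ATM-0001", "tech-17", "bios-update", pw, t0))
```

Because nothing is stored per grant, the password simply stops verifying once the window index changes, and no technician ever holds a fleet-wide or default credential.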
The Holistic Approach to ATM Security
We are advocates of a multi-layered, holistic approach to ATM security, one that acknowledges the shifting trends in attacks, and provides an ironclad foundation for success. Tighter password control, hard drive encryption, intrusion protection, security monitoring and as-a-service support can all help bridge the gaps in security across your self-service network.
Interested in finding out more? Let’s talk about your network’s specific needs, and how we can help address the top priorities on your security roadmap. In the meantime, check out our recent podcast, “Security Management: A Changed Approach.”