Changing Risk, Risking Change: Malware

Note: This post is part of a series dedicated to helping financial institutions better understand how they can protect themselves in a constantly changing security environment. Join the conversation with Diebold security experts by leaving a comment below or contacting Diebold directly. Read the first part of the series, on physical security, here.

As long as there’s been software, there’s been malware — “malicious software” that infects computers and networks in a laundry list of ways. Financial institutions (FIs) in Russia faced a full-blown ATM attack from malware known as Troj/Skimer-A in 2008. As security experts working specifically at the ATM end-point, we had imagined and anticipated a lot of scenarios, and when the attack occurred we could see that it happened as a result of FIs taking a hasty approach to a big change.

The FIs at the time were struggling to implement Payment Card Industry (PCI)-compliant PIN pads. They were changing components and software in massive ATM fleets, and updating legacy equipment with new interfaces that had to be compatible with older terminals. Rather than thinking about security first and foremost, many were asking, “How do we get this deployed as soon as possible with the least amount of disruption?”

When you focus on just one aspect of your system, you leave yourself open to a lot of potential attacks. And that’s exactly what happened: Basic safeguards were not being followed, and hackers were able to exploit those lapses in security.

Obviously, change didn’t stop in 2008. As Diebold’s Director of Software and Core Security, I’m 100% focused on protecting ATMs, which are considered large “attack surfaces.” Today, that attack surface includes many microprocessors running in the modules, the Windows platform itself, connectivity to the network and Universal Serial Bus (USB). When we address security around that ever-changing complexity, we’ve come to understand that it demands a holistic approach — an approach many did not employ at the end of the last decade.

What that means is that for every layer of complex software or hardware in our ATMs, we add another layer of security. From the basic input/output system (BIOS) firmware used in powering the unit on, to the way each layer communicates with the platform, we add another protection factor meant to enforce authorized behavior.

If anything unauthorized does occur, the system is self-aware enough to recognize the criminal behavior. We’ve built a framework in which an ATM can identify suspected foul play on the platform, allowing the ATM modules to differentiate between authorized and unauthorized actions. We’re at a point where our capabilities may actually drive the bad guys down the street, to seek a target where the barriers are easier to overcome.

The idea of a masked bandit conscientiously avoiding Diebold machines may not be as far-fetched as you might think. Our bellwethers for malware attacks are Eastern Europe and Latin America. We have customers in those parts of the world that have deployed our latest capabilities, and haven’t experienced the kind of malware attacks that other banks in their area have. What’s more, now that we have such robust layers of protection built into our infrastructure, it’s a simple matter to tweak them in response to emerging security threats.

What we know, unfortunately, is that malware continues to change and adapt aggressively. But with proper risk assessment and a holistic view of ATM system security, we collaborate with our customers in smart, innovative ways to change just as quickly — which just might keep us from ever revisiting the attacks of 2008.

How is your FI managing risk? Find out how we can help.