Changing Risk, Risking Change: Security at the ATM

How a simple question could have kept brute-force theft from becoming disaster.

Note: This post is part of a series dedicated to helping financial institutions better understand how they can protect themselves in a constantly changing security environment. Join the conversation with Diebold security experts by leaving a comment below or contacting Diebold directly.

Under cover of darkness, a large piece of construction equipment approaches your ATM. The ATM is violently ripped out of the ground and lowered into the back of a second vehicle, idling in wait. The second vehicle speeds away, leaving behind only a cloud of dust and a messy hole where a terminal once stood.

This is what “normal” ATM theft looks like, and it’s a relatively common type of attack. In this case, the physical theft would have been bad enough. Unfortunately, after the theft, it was discovered that full cardholder data was sitting on an unencrypted hard drive inside the machine. Now, in addition to cash, thieves won access to funds that would have been otherwise secure.

So how did a relatively common brute-force theft turn into a full-blown disaster?

Lack of awareness.

The customer had moved from one type of network processor (where cardholder data was masked before being sent to the ATM) to a processor that transmitted unmasked information. The processor change would have been a non-event, if one very important question had been asked: “How does this processor secure my consumers’ data?”

Breakdowns in awareness are particularly elevated during times of change—and we know the environment of FI security is one of constant change.

If you’re involved in the process of change at your FI, it’s crucial to understand the technology that you’re working with. If you’re changing a process, or technology partner, or solutions provider, no matter how simple it may seem, a standard risk analysis exercise is critical to discovering how the changes could affect your vulnerabilities.

A risk analysis prior to the ugly theft I described above might have meant consequences only as severe as having to replace an ATM and the cash inside. Now there are legal issues, as well as an accelerated project to mitigate similar risks on remaining terminals.

Risk management is not a one-time process. Financial institutions, regardless of size or reach, must keep up to date with the evolving threat landscape.

The best way to stay on top of changes, whether they’re external or self-initiated, is to be vigilant using commonly available sources. Here are a few helpful links:

Diebold’s free ATM security alert service.
The Department of Homeland Security daily newsletter on threats to financial institutions.
Federal Financial Institutions Examination Council (FFIEC) security guides.

These resources should be examined on a regular basis, but that isn’t enough. Any time a financial institution faces any change in its physical or information security infrastructure, it’s important that those involved harness the change as an opportunity for a new risk analysis.

Asking questions in times of change may be the best way to make sure that if a bulldozer rips out your ATM, it isn’t also ripping off your consumers’ data, and with it, the hard-earned trust and reputation of your FI.