This blog is guest-authored by John Campbell, Director of STAR ATM Network Acceptance at First Data.
I recently had the opportunity to talk about one of my favorite topics—ATM security—with Diebold Nixdorf’s security expert, Scott Harroff, while we were both in Las Vegas for the 2018 TAGxPIX summit. We had an excellent conversation that covered a lot of ground, given the diverse nature of ATM attacks. But the thing that kept coming up was that financial institutions really need to do some simple things to better protect themselves from attacks before they happen, not when the industry is in panic mode because it just received a security alert from Diebold Nixdorf or the FBI, or worse, because it’s too late and their ATM has already been compromised.
ATM attacks have evolved, but some things stay the same.
When I started working in the ATM space in 2000, the biggest scares were the occasional ram-raids and the old “Lebanese Loop” capturing ATM cards before dip readers came into existence. The move away from OS/2 in the early 2000s brought a whole new class of logical attacks most of us had never thought of before, but they came in slow, sporadic hits.
But now, in response to all the steps our industry has taken, with added layers of firewall security, EMV, encrypted hard drives and TLS 1.2, the attacks feel constant and almost renewed. The criminals are not only attacking ATM funds in new ways logically; they are also going back after ‘low-hanging fruit’ such as cash trapping, physical attacks and less secure financial institutions’ core platforms. ATM cash-outs are now getting renewed publicity due to the magnitude of the fraud losses and the recent FBI alerts.
In many of these cases, the industry best practices that include software and hardware whitelists, velocity monitoring, transaction-level monitoring and real-time unusual activity alerts for issuers and acquirers were just not in place.
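As an added illustration (not code from this post, the podcast or either company), here is the kind of per-card velocity check referred to above, in Python, run over a small constructed set of ATM authorization records; the record format, thresholds and window length are assumptions:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization records (not real data), one withdrawal
# per line: timestamp, masked PAN, terminal id, amount in USD.
SAMPLE_AUTHS = """\
2018-08-01T02:00:05 411111******1111 ATM-0042 200
2018-08-01T02:00:40 411111******1111 ATM-0042 500
2018-08-01T02:01:10 411111******1111 ATM-0042 500
2018-08-01T02:01:55 411111******1111 ATM-0042 500
2018-08-01T02:02:30 411111******1111 ATM-0042 500
2018-08-01T02:15:00 522222******2222 ATM-0107 60
2018-08-01T09:30:00 522222******2222 ATM-0031 100
"""

def parse_auths(text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        ts, pan, terminal, amount = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "pan": pan,
                        "terminal": terminal, "amount": int(amount)})
    return records

def velocity_alerts(records, window=timedelta(minutes=10),
                    max_count=3, max_amount=1000):
    """Sliding-window velocity check per card (records in time order).

    Keep each card's withdrawals inside the trailing window and alert the
    first time the count or the summed amount exceeds its threshold. One
    alert per card, so a cash-out run raises a single real-time alert.
    """
    recent = defaultdict(deque)   # pan -> deque of (ts, amount) in window
    alerted, alerts = set(), []
    for rec in records:
        q = recent[rec["pan"]]
        q.append((rec["ts"], rec["amount"]))
        while q and rec["ts"] - q[0][0] > window:   # drop aged-out entries
            q.popleft()
        count, total = len(q), sum(a for _, a in q)
        if rec["pan"] not in alerted and (count > max_count or total > max_amount):
            alerted.add(rec["pan"])
            alerts.append({"pan": rec["pan"], "at": rec["ts"], "count": count,
                           "total": total, "terminal": rec["terminal"]})
    return alerts

if __name__ == "__main__":
    for a in velocity_alerts(parse_auths(SAMPLE_AUTHS)):
        print(f"ALERT {a['pan']}: {a['count']} withdrawals totalling "
              f"${a['total']} within window at {a['terminal']} ({a['at']})")
```

With the sample data the first card trips the amount threshold on its third withdrawal, while the second card's two withdrawals are hours apart and never share a window.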
“I think as an industry, we have to admit that too often we are late or reactionary with fraud at the FI and processor levels. There is a flurry of excitement when something big happens, then everyone sort of falls asleep again until the next big attack.”
Look at Ploutus and other malware that popped up way back in 2013. At that time, industry leaders—including Diebold Nixdorf—warned ATM owners about the dangers, and provided best practices. Fast forward five years, and in early 2018, the variant Ploutus-D hit some ATMs in North America. Some financial institutions that didn’t heed those best practices started to panic, and it’s unfortunate because they had the tools and the support to help ensure they were protected long before the attack took place.
The human element of fraud … and what we can do about it.
At the end of the day, it’s real people who are attacking ATM networks, and it’s real people who have to defend against the attacks. I’ve seen a great step forward in security where more and more ATM owners are moving to point-to-point encryption of data between the ATM and the host, which helps prevent ‘man in the middle’ attacks. Folks often forget that even in an EMV environment, the native debit information continues to be visible to someone watching the data as it leaves the terminal. Many financial institutions have moved to some sort of encrypted MPLS communication between the router and the host, but the data is still susceptible at different points and easily captured before it hits the telecommunications pipeline. There is no reason why, in the year 2018, we’re still pushing ANY data in the clear from hardware to hardware.
Having said all that, account takeover is still a real problem, and one that bypasses the onsite security measures financial institutions have put in place.
“We can put all the gates and cameras and barbed wire we want around the physical unit, but people can still steal the proverbial ‘guard’s uniform’ through social engineering, and imitate someone else in order to walk right into the castle without too many obstacles.”
The human factor, in many cases, is still the weakest link in the payments security chain. Default passwords, unrestricted USB ports, vulnerable telecom connections, easily accessible ATM top-hats … the list of problem areas goes on and on, but criminals who can sidestep traditional ATM security through account takeover are really causing big issues for financial institutions around the globe. That means the industry can’t let down its guard, and has to help ensure that staff and customers are properly educated about how to avoid social engineering scams and protect consumer data.
Scott and I covered these threads and many more during our podcast conversation. You can listen to the show here.
Is your ATM network prepared to combat social engineering, cyber-attacks and physical threats? Let’s talk about your security strategy now, before it’s too late.