How To Eliminate the Need for Password Sharing Among ATM Admins & Techs

Shared any passwords lately?

If you’re a typical human being, you should’ve answered “yes” to that question. Password security firm LastPass found that 95% of the people they surveyed share up to SIX passwords with others. In fact, 61% of those surveyed were more likely to share a work password than a personal password!

Since the advent of personal computers, even the most basic terminals have always required passwords to keep them safe from unauthorized users. Just like a lock, passwords provide protection against various forms of intrusions. While they may not be able to stop all unauthorized accesses, passwords are still quite effective.

Given their importance, aren’t we all too careless in sharing them?

In addition to sharing passwords, we often make our passwords too simple, use the same password for every secure encounter, and tend to be less than discreet while typing them in public places or on unsecured wireless networks.

In the financial industry, when it comes to ATM operations, we have been accustomed to sharing passwords with our entire team of technicians. We usually even choose to keep default Windows passwords across our fleet so that technicians always have access to administrator accounts when required. When these technicians change jobs, they still have knowledge of the passwords since the default passwords are not changed frequently. This can even lead to issues with PCI compliance due to requirements 2 and 8.

You may think: Isn’t this all a necessary evil?  The answer is no, absolutely not.

There are ways to avoid compromising passwords – and it must be avoided since internal fraud (intentional or accidental) is one of the primary contributors to attacks. Diebold Nixdorf’s Terminal Security Access Protection takes care of such situations by providing a very powerful and unique feature called Ticketing.

Access Protection’s Ticketing feature creates secure, controlled ticket files which allow technicians to temporarily access high-privilege Microsoft Windows accounts (such as administrator accounts) without ever knowing the actual password. These ticket files are created to work only …

  • On specified device or devices.
  • On a chosen date and duration.
  • Supporting a configurable number of reboots.

In addition, they’re signed with a secret key that only your security administrator has. The technician can then carry these tickets either on a whitelisted USB stick, or they can be pushed directly to the ATM using a monitoring and administration solution such as Diebold Nixdorf’s ProView. Once the technician finishes his work, the system automatically locks down – again, without the need of ever entering or knowing a Windows password.

With the latest 2.2 version of Access Protection, we take this concept a step further. It is now possible to have technicians call a central security helpdesk and get access to a system’s different Windows accounts using a unique challenge/response mechanism. The technician provides a one-time dynamic code from the ATM to the helpdesk and, after authenticating himself, receives a one-time response code from the helpdesk which results in immediate privilege escalation. This solution works with the same controls that exist in the ticketing feature. The new method is especially beneficial in cases where the technician was unable to carry a ticket file due to unplanned work, or when ATMs are operating without a network connection.

It’s an innovative solution that meets PCI guidelines, and a modern approach to operating a secure fleet. Being ATM service providers ourselves, we are acutely aware of the problems and challenges that our customers and their operational teams face when following required security practices. Diebold Nixdorf’s logical security solution, the Terminal Security Suite, has various built-in mechanisms to address your hyper-specific operational needs while still maintaining a very high level of security.

Get in touch with us today to find out how we can help you operate a secure ATM fleet without the need for complicated processes or workarounds that are susceptible to fraud. Let’s start a conversation.