ATM Security: The Fundamental FlawsSecurity Leaders Say Manufacturers Must Be More Accountable
Concerns around ATM security are rising in India. CISOs across the banking sector report multiple challenges, including a lack of security features built into the ATM machines by manufacturers, and external factors beyond their control, such as the OEM's choice of operating system, the bolt-on approach to security and physical security.
Challenges are compounded by the most widely-used OS in ATMs - Windows XP - no longer being supported by Microsoft.
ATM manufacturer NCR recently released a security alert regarding malware attacks on ATMs. These attacks, also known as "jackpotting" or "cashout," are on the rise in India (see: Alert: Indian ATMs Face New Attacks).
"These malware attacks have expanded into nearly every global region and are increasing in frequency," says the NCR alert, urging operators to better protect machines against known attacks, especially against the "Top Box" where the operating system resides, to install or execute malware via USB or other means.
However, while the OEMs encourage more security on top of their product, banking and security leaders believe that fundamental issues need to be addressed from the top down, before it's too late.
A CISO at a leading bank, who asked to remain unnamed for this story, says, "The biggest issue is that any and all security features being provided by OEMs are add-on solutions; security is not built-in."
The OS Challenge
ATM security concerns have heightened ever since Microsoft's announcement of end of support for its XP operating system in 2014. A majority of ATMs operated still run XP, experts say. The choice of OS platform is completely up to the OEM - banks simply want a secure ATM machine without worrying about the underlying platform/OS, says the anonymous bank CISO.
There is a clear need for purpose-built software to operate ATMs that is not subject to vulnerabilities that affect consumer operating systems that require regular patching. "For instance, compliance with PCI-DSS requires regular patching of ATMs. However, with XP going out of support, vendors are conveying their inability to patch their XP-based ATM machines," the CISO says.
The CISO also says there are thousands of XP-based ATM machines from various OEMs in the field, and banks are employing compensatory controls in the form of whitelisting, OS hardening and similar solutions. He says that while PCI-DSS accepts compensatory controls in the short term, it is not acceptable as a permanent solution, even though it is more secure than regular patching.
Whitelisting software is therefore an additional investment that quickly becomes redundant from a compliance perspective. The cost is expected to rise more with OEMs asking banks to upgrade ATM machines to Windows 7 at the bank's cost. In many cases, this will require an additional hardware upgrade, the CISO says.
However, in less than five years, when support for Windows 7 is likely to be withdrawn, ATMs being purchased today will again become non-compliant. "OEMs are considering ATM machines as an assembly of discrete components, and are able to disown the responsibility for support during the useful life of the product," the CISO says.
Ideally, the OEMs should design ATMs as appliances, with complete control and ownership over its components during the machine's life - about seven years - without linking dependencies on external factors like an OS going out of support, he asserts.
Unique Security Issues
Banking and security leaders argue that while security should be a basic requirement in a machine such as an ATM, solutions are often sold by OEMs as an optional add-on. The reason for the fragmented approach may be that the cost of the machines in India is 40 percent to 50 percent less than in other markets - probably the cheapest in the world, says Prakash Joshi, COO at Electronic Payment & Services, a third-party service provider that deploys and operates ATMs for banks.
Joshi argues that OEMs may be trying to manage this margin pressure by providing additional functionality at a cost, he says. In addition, banks sometimes also choose to opt out of these add-on security solutions as, apart from the reputational risk, the financial cost of fraud is perceived by many banks as less than the cost of incorporating these solutions, he says.
"The other issues is that there is no machine-specific key - be it Wincor, NCR, or Diebold or others," Joshi says. "The top hatch for any ATM of a particular model can be opened using a universal key for that model." The primary idea behind this design was to expediently address faults - usually done by third-parties - in a deployed base of thousands of machines of the same model.
But this same convenience in design has become a security handicap. Most perpetrators of ATM fraud know how to source keys and expertise to exploit these machines, Joshi says.
This tacked-on approach to security is driven by market dynamics, and instituting security as a basic demand at the RFP level itself may be able to address this, Joshi says. OEMs would then be required to address security considerations as part of the design, rather than banks dealing with issues on a piecemeal basis.
Experts also say manufacturers may need a push from industry and regulators in this direction. Regulatory guidelines from the Reserve Bank of India, mandating security and support for ATMs, may compel OEMs to adhere to incorporating security at the design stage.
Meanwhile, Dhruv Phophalia, managing director and and head of business consultancy Alvarez & Marsal's forensics, dispute and investigation services in India, suggests practical ways to prevent malware attacks on ATMs, which include:
- Periodically monitor physical security and invest in upgraded security measures, such as real-time monitored cameras, security guards, anti-skimming devices, etc.
- Change locks and passwords provided by the ATM manufacturers. Machine passwords should be provided to individuals only after conducting rigorous background checks.
- Change ATM BIOS default passwords and configure BIOS so that the ATM cannot be booted from any source other than the primary hard disk.
Reshmi Khurana, managing director and country head of operations for Kroll Advisory Solutions India, a corporate investigations and risk consulting firm, finds attacks that target the back end of the ATM or its OS are much more sophisticated than attacks that skim customer information.
"Many factors come into play, and hence banks need to go back to basics and check their entire process flow to determine whether the vulnerability is on the process end, with the people or with their systems."