
The Motive is the Money: ATM Security Threats and Your Best Defenses

Release Date: 1/5/2010

Most IT professionals have had a horrible nightmare along these lines: for some reason, several of your networked systems are out in the lobby, in gas stations, in all kinds of places outside the physical security of your headquarters. It causes great pain, as you realize that these aren't your favorite systems from a security perspective - they process critical information and you can't always keep them updated with patches due to vendor constraints. You're terrified to take any hardened systems and put them in the lobby, let alone these systems!
 
When you wake, you realize the truth behind the dread: these systems are your ATMs.

Availability of and access to these systems are important to our customers and members, but they expose us to significant amounts of risk. The systems are exposed to outside threats 24x7 for the convenience of our customers and membership. Although there are some physical security controls in place surrounding the system, they are often insufficient with respect to the value of the information they protect. ATM skimmers can be installed without circumventing those physical controls. With the availability of cheap, small, wireless technology, the enemy has been given tools to develop amazing devices.

These devices can be attached to an existing card reader, where they also scan the card data and either store it for pickup later or transmit it using wireless or cellular technologies. Consider the amount of data that a small SD card can hold! Now imagine how much customer information that could be. Beyond the physical attacks associated with ATMs, we're also prone to other attacks. With an embedded operating system or a build of a common operating system like Windows that is only patched on a limited basis, we expose a huge attack surface area to the enemy.

This is a critical attack point, as it processes customer information. That makes the system valuable to our business and to the enemy, whose motive is money. Critical security vulnerabilities discovered each day in these operating systems may go unpatched for years on ATM systems because of the difficulty of patching an embedded system. All told, we need to take this threat seriously.

Consider the controls in place to protect these critical information systems. What patch management solutions can you utilize for these? What additional protections can be implemented?

HEIT and Cisco are painfully aware of the threat this poses to your business. HEIT recommends assessing your current ATM systems and evaluating whether host-based intrusion prevention is a possibility. This solution will help protect systems, even when patches cannot be immediately applied, by enforcing policies at the endpoint and ensuring that operating system and application software doesn't violate behavior-based rules.

Consider the risk to your business and to your customers or members. The exposure of these systems along with their value makes them a target. HEIT can help you improve your security posture and protect against these threats.

 


© 2002-2010 HEIT, Inc.