Security Breaches and the ATMBy Tracy Kitten
This story was originally published on ATMmarketplace.com, July 14, 2005; reprinted with permission. © 2005 NetWorld Alliance LLC. All rights reserved.ou didn't hear much about phishing attacks, identity theft and hackers 10 years ago. Before the explosion of e-mail, the Internet and Microsoft Corp.'s Windows-based platforms, most of us never thought about personal information being intercepted somewhere in cyberspace. Firewalls and virus patches: We never even considered them. But things are different today, especially in the financial industry.
Take as an example the security breach at Tucson, Ariz.-based CardSystems Solutions Inc. in late May. The company, a third-party processor of payment card transactions, suffered a data breach that affected somewhere between 200,000 and 40 million cardholders.
Hackers broke into the company's system and found cardholder information that was held after transactions were complete, a violation of Visa International's and MasterCard International's processing policies.
To prevent breaches like the one suffered by CardSystems, card Associations have upgraded computer systems with sophisticated fraud-detection software, and processors and financial institutions have taken similar precautions.
Stuart Spinner, Director of Information Security Engineering of Debit Services for Greenwood, Colo.-based First Data Corp., operator of the STAR Network, said questions about security are the first to come up in conversations with financial institutions.
Now that more FIs are moving their ATMs to Windows, possible security breaches are a big concern.
"When they hear that they are going to run on Windows, they think they may get infected by a virus, and there are reasonable concerns," Spinner said. "But the ATM is a very unique device. It only needs a very limited portion of what Windows provides. ... The information that is needed can be kept to a bare minimum.
"The worms that get in are usually through ports that are well known," he added, "and none of those services needs to run on a Windows-based ATM.
So as long as the ATM is configured in such a way that the vulnerable services are turned off, then [FIs] don't have to worry about the vectors by which viruses and worms hit the ATM."
Too Much Protection?
Putting too much software on an ATM network, even in an effort to protect it, can make it more vulnerable.
"From that standpoint, virus software has no function," Spinner added. "We prefer that it not be used. From our perspective, you are better off not using the patches for things that we don't need."
Claire Shufflebotham, Director of Global Security Research and Development for Dayton, Ohio-based NCR Corp., said hackers are changing how they try to break into networks and systems by attacking security software.
"Hackers are trying to target the software [security] environment itself," she said. "Rather than going after the operating system they are going after the virus [security] protection.
"... That's happening on the PC right now. It hasn't come to the ATM yet, but we want to be sure that we are prepared [if it does]."
"Putting too many patches on the ATM isn't necessary," she added. "There aren't many that have been truly applicable to the ATM environment, and if they're not needed, why use them?"
Scott Harroff, Chief Security Architect of Global Software and Services for North Canton, Ohio-based Diebold Inc. agrees. "We don't want our customers downloading and using too many patches," he said. "... [The ATM] is a very dedicated device; you're not running a lot of different applications on it, and you need to understand the applications that apply to the ATM. So customers need to rely on their vendors to know which patches are applicable."
A Network of Their Own
For that reason, ATMs should be kept on a network separate from PCs. "TCP/IP networks can be vulnerable," Spinner said. "Institutions need to configure their networks with that in mind, and they should keep their ATMs off the standard networks."
Both NCR and Diebold have divisions dedicated to monitoring ATM networks, but FIs that don't sign up for the service are on their own.
Many FIs do monitor their own networks, through a manufacturer or third-party provider. And since most FIs' networks include ATMs from multiple vendors, Harroff said, real-time monitoring is crucial.
Both NCR and Diebold also tout ATMs that are completely immune to attacks. Their ATMs, they say, are not visible on the network. Other vendors' ATMs on a network could be visible, meaning in theory that if a hacker can see an ATM, he could figure out how to get into it.
But if the overall network is secure, Shufflebotham said, FIs will know when a breach or attack is occurring. "If we're really going to make the ATM able to protect itself, we have to have end-to-end intelligence," she said. "We have to make the ATM safe on the outside and the inside."
What Retailers Don't Know
Triple DES and unique keys also work to ensure users' data isn't compromised at the ATM, said Bill Jackson, Vice President of Research and Development for Long Beach, Miss.-based Triton Systems of Delaware Inc.
But remote key distribution, he added, is the biggest recent improvement in ATM security, and most deployers aren't using it.
Larger FIs are catching on. Other FIs are working through their processors for remote key distribution. But retailers, who haven't been as affected by fraud, are not really paying the hype much attention.
Although Triton is making a break into the FI market, about 90% of the ATMs it sells are placed in retail locations, he added. "Most retailers just want to be sure that their money is safe," Jackson said. "A lot of them wouldn't even know what card-skimming means. ... I think it's only going to take one really good fraud to get people aboard."
With that in mind, Triton is working to educate its retail customers through Triton distributors about fraud and points where security could be breached.
"We expect by the first quarter of 2006 to offer a remote key transfer option at the ATM," Jackson said.
"... NCR and Diebold claim that they are doing this now, but it is not being done in a widespread fashion. It will probably be the biggest improvement in key security since the ATM was invented."
Link to original: www.atmmarketplace.com/research.htm?article_id=23576&pavilion=4&step=story
|