This is research I did with a Russian colleague a year ago, and I thought it might help someone out there.
Kindly note that at the end of this part you will find the References section for the whole paper (the 5 parts), this part and the upcoming ones, as it would be difficult to separate the references of each part.
Also note that this paper was written to address non-technical folks and give them an overview of securing the ATM.
Automated Teller Machines (ATM) Security
ATMs are vulnerable because they are rewarding targets for criminals. Sophisticated ATM systems handle deposits, withdrawals, account services, cash advances, and payment processing. While advanced features are great for customers, they require new code and PC-class systems. New code invariably brings new vulnerabilities that criminals can target, and PC-class systems offer a large attack surface. There are some difficulties involved in hacking an ATM:
1- Often proprietary software
2- Often a custom operating system or a modified embedded Windows
At the low-tech end, many ATM systems have very limited resources for running security software or other technical controls. They aren't easy to service and are optimized for rough handling rather than for thwarting hackers. ATM vulnerabilities must be addressed in system design and implementation to ensure that customer data and the ability to serve customers' needs are not affected. Effective ATM security must compensate for:
Limited CPU and memory resources.
Targeted attack vectors.
The trend in ATM devices is to build on a customized version of Microsoft Windows. Advanced malware targets these devices and cannot be detected using standard Anti-virus programs.
Gold image or baseline configuration drift.
Over time, these systems can drift from their approved baseline build. Whether it’s from falling behind on updates, introduction of new code, or change in configuration, baseline drift can introduce security weaknesses that can be exploited.
Operating system security patch updates.
Due to the distributed locations of these devices and their often nonstop operation, patches are difficult to implement and are seldom performed on an emergency basis. It's more efficient (but less safe) to upgrade at planned intervals after updates and patches have been tested and verified. When a critical security patch is shipped by a vendor (like Microsoft), organizations are faced with trading off security risk for revenue.
Poor accountability and compliance.
ATMs run payment applications and process cardholder data, making them subject to PCI DSS regulations. Yet these devices are handled by multiple people over different shifts. In the event of a compromise, it may not be possible to figure out what happened, or whether it was a deliberate or malicious act. Value-added relationships complicate audit trails that might explain what was done, by whom, and when. If you don't know what happened, you can't scope the loss, reassure auditors that you have cleaned up the problem, or prevent its re-occurrence.
Management complexity.
These devices are often managed using specialized processes outside standard IT security operations, which adds a layer that can delay protection, complicate incident response, and add to the cost of compliance. (McMahon, 2015)
Social engineering
A Trojan named Skimer-A specifically targeted ATMs. The perpetrators used social engineering to persuade stores to allow them physical access to the machine after hours, so they could install the virus. After an analysis of the malware, Diebold concluded the attackers also had to have inside information about the systems. (Kaufmann, 8/10/12)
Physical break-in burglary
Network Security
Effective IT security should consider including procedures such as, but not limited to:
a) Authenticating the user.
Most financial services providers have managed to introduce second-level authentication for their online banking services. However, when the banking giant HSBC Bank introduced its online banking security gadget, Secure Key, it misfired. Secure Key is meant to protect against online fraud by requiring current account and credit card customers to enter a uniquely generated PIN to log in. HSBC customers found three major flaws with the device. First, it required a second PIN code to obtain the unique six-digit passcode for accessing online banking, as opposed to using the card's normal ATM PIN as other banks do. Many customers objected, not least because having two PINs means having to remember two, which increases the likelihood that they will be written down or, if not written down, forgotten. Second, many customers did not receive the physical Secure Key device that generates the second random PIN required for login. Third, when customers left the device at home, they were no longer able to log in to their online banking from elsewhere. Fourth, the device proved to be physically fragile. (Kukiewicz, 8/30/11)
b) Strict whitelisting approach
c) Network firewalls. Misconfiguring the Symantec firewall software that comes with the ATMs is one of several factors that can increase the risk of a hack attack.
d) Anti-virus software or intrusion prevention system
e) Internet security software package
f) Encryption between hosts (APHIS, 2014)
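The baseline configuration drift concern above and the strict whitelisting item (b) both come down to knowing exactly which files the approved gold image contains. The following Python script is an added example, not code from this paper or from any ATM vendor: it records a SHA-256 manifest of an approved image directory and later reports approved files that were modified, files with no manifest entry (not whitelisted), and approved files that went missing. The directory layout and file names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_drift(root, baseline):
    """Compare the live file set against the approved (gold image) manifest.
    modified: approved file whose content changed (configuration/code drift)
    unlisted: file with no manifest entry, i.e. not on the whitelist
    missing:  approved file that has been removed"""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "unlisted": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }

def demo():
    """Constructed scenario (hypothetical file names): approve an image, then
    introduce one instance of each drift type and report what the check finds."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "dispenser.exe").write_bytes(b"approved dispenser build 1.0")
        (root / "config.ini").write_text("allow_remote=0\n")
        baseline = build_manifest(root)                             # taken at approval time
        (root / "config.ini").write_text("allow_remote=1\n")        # unapproved config change
        (root / "bin" / "helper.exe").write_bytes(b"not in image")  # unknown binary appears
        (root / "bin" / "dispenser.exe").unlink()                   # approved file removed
        return check_drift(root, baseline)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the manifest is produced once on the approved build and stored off the machine, so a tampered ATM cannot also rewrite its own baseline.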
While ATMs support TCP/IP, about 95% of all ATMs still connect to the internet using dial-up. This means war dialing using a VOIP tool like WarVox makes it possible to go and find ATMs on the net. Most of the ATMs use a proprietary protocol, so once you identify this protocol you know an ATM is listening on the other side and you can go and try to exploit it. Once you have access to the ATM you can spawn a shell and install a rootkit. (Kaufmann, 8/10/12)
Physical Security for ATMs
There is a perception that physical security has no relationship to information systems security, that it is not of the same level of importance or even relevant to safeguarding information. This perception may arise because physical security, like information security, is seen as outside the control of the research activity only because "someone else is taking care of it." On the contrary, if there is an "insurance plan" for information systems security control, it is physical security. The regulated community should consider looking at both information systems security and physical security in order to have a complete information security program. Information security utilizes an array of software to secure data and to prevent unwanted intrusions. The physical security side is designed to augment what information security cannot do and is within the control of the entity to implement. The measures are:
● Place ATMs in a secured zone with CCTVs and physically activated alarms.
● Ensure that only personnel authorized by the entity have access to the ATMs (this could and should include a systems administrator for IT and security services).
● Confirm that servers and mainframe systems that support information are in a secured location if not within the registered space, or that they can be quickly secured in the event of a breach.
● Ensure that an authorized user's unique access to secured locations is not shared.
● Conduct periodic review of entry access journals and/or entry logbooks to verify that only authorized personnel are accessing the space where the systems operate.
(APHIS, 2014)
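The last two bullets (unique access not shared; periodic review of entry journals) can be partly automated. The Python below is an added example, not from this paper or the APHIS guidance: it reviews a constructed door-controller entry log against an authorized badge list and flags granted entries by unknown badges, entries outside service hours, and one badge used at two different sites too close together in time to be the same person, which is a sign of a shared or cloned credential. The log format, badge IDs, site names and thresholds are all assumed.

```python
from datetime import datetime, timedelta

# Constructed door-controller entry journal for illustration (not real data).
ENTRY_LOG = """\
2015-03-10 08:02 badge=B1001 site=BRANCH-A result=GRANTED
2015-03-10 08:05 badge=B1001 site=BRANCH-A result=GRANTED
2015-03-10 12:40 badge=B2002 site=BRANCH-A result=GRANTED
2015-03-10 12:43 badge=B2002 site=BRANCH-B result=GRANTED
2015-03-10 23:15 badge=B1001 site=BRANCH-A result=GRANTED
2015-03-11 09:30 badge=B9999 site=BRANCH-A result=GRANTED
2015-03-11 09:31 badge=B7777 site=BRANCH-A result=DENIED
"""

AUTHORIZED = {"B1001", "B2002"}           # badges approved for the ATM rooms (assumed)
SERVICE_HOURS = (7, 19)                   # routine servicing 07:00-19:00 (assumed)
MIN_TRAVEL = timedelta(minutes=30)        # shortest plausible trip between sites (assumed)

def parse(log):
    """Turn 'date time key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        date, time, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
        events.append(ev)
    return events

def review(log, authorized=AUTHORIZED):
    """Return (finding, badge, timestamp) tuples a reviewer should follow up."""
    findings = []
    last_seen = {}                        # badge -> most recent granted entry
    for ev in parse(log):
        if ev["result"] != "GRANTED":     # denials are the controller doing its job
            continue
        if ev["badge"] not in authorized:
            findings.append(("unauthorized_badge", ev["badge"], ev["ts"]))
        if not SERVICE_HOURS[0] <= ev["ts"].hour < SERVICE_HOURS[1]:
            findings.append(("out_of_hours", ev["badge"], ev["ts"]))
        prev = last_seen.get(ev["badge"])
        if prev and prev["site"] != ev["site"] and ev["ts"] - prev["ts"] < MIN_TRAVEL:
            findings.append(("badge_possibly_shared", ev["badge"], ev["ts"]))
        last_seen[ev["badge"]] = ev
    return findings

if __name__ == "__main__":
    for kind, badge, ts in review(ENTRY_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {badge}: {kind}")
```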
Physical burglary of an ATM machine, or stealing one outright, is a federal offense. Yet it definitely happens all over the country. "The thieves apparently tied ATM to the back of a pickup, then dragged the machine through downtown streets to their home several blocks away… Police followed a white trail gouged into the pavement to the culprits' home, police reported." (Dunlap, 12/1/14)
A "ram raid" is a physical attack on an ATM that involves uprooting the ATM from where it stands and transferring it to a place where it can be taken apart and the cash extracted. There are special anti-theft devices (ATDs) made by the Acketts Group to guard against the possibility of these ram raids, and they have been found effective in simulated ram raids and in real-world attempts to hijack ATM systems. The ATDs were able to protect the ATMs from extraction by forklifts and from head-on collisions with a skip lorry. The device is cost-effective and can be retrofitted on existing ATMs. (Atmsecurity.com, 2015)
Peripheral devices. As part of the overall information systems security control there are peripheral devices to which the regulated community should pay attention. These peripheral devices can pose an unseen threat (insider/third party threat). These devices include, but are not limited to:
a) USB devices (commonly referred to as flash/thumb drives)
b) USB patch cords with mini/micro connectors
c) Electronic notebooks
d) PDAs
e) Future technological development
f) In the ATM context, point-of-service reader devices such as those produced by VeriFone, which communicate with a remote administration server. (Kaufmann, 8/10/12)
Any device that can be hidden from sight or viewed as a non-threat (BlackBerrys, PDAs, etc.) poses a security vulnerability to information systems security. The regulated community may want to include these types of devices in their information systems security protocols or, at a minimum, include them in their information security systems training program. (APHIS, 2014)
Data storage. A data storage device is a device for recording (storing) information (data). A concern for the regulated community is the storage of information on media that can be removed and stored separately from the recording device (such as computer disks, CD-Rs, flash drives, memory cards, etc.) for the purpose of archiving or maintaining a data library or personal files. If an entity utilizes these means of archiving, even on a temporary basis, the media should be handled and secured as if they were paper hard copies (i.e., stored in a secured cabinet in a location with the appropriate physical security measures in place). Items such as these are easily concealed, could get past institution security, and their misuse can compromise sensitive information. (APHIS, 2014)
Physical Security Access Controls, CCTV and Intrusion Detection Systems. Security access controls (e.g., card-key, biometric, etc.) generally operate on a separate security IT platform. The majority of these systems are isolated from other information systems and databases and are not connected to the Internet. There may be some intranet applications where a single platform serves multiple buildings, or rooms within a single building, controlled and managed at a central location. These systems are critical in the detection of physical security breaches. (APHIS, 2014)
References
Animal and Plant Health Inspection Service (APHIS). (2014, February 12). Information Systems Security Control Guidance Document. Federal Select Agent Program. http://www.selectagents.gov/resources/Information_Systems_Security_Control_Guidance_version_3_English.pdf
Atmsecurity.com. (2015). Acketts Anti-Theft Device protects ATM attacked at Total Garage in Binchester, County Durham. ATMSecurity.com. Retrieved 24 March 2015, from http://www.atmsecurity.com/articles/atm-fraud/acketts-anti-theft-device-protects-atm-attacked-at-total-garage-in-binchester-county-durham.html
Bankinfosecurity.com. (2014). Malware Attacks Drain Russian ATMs. Retrieved 24 March 2015, from http://www.bankinfosecurity.com/russian-malware-attacks-drain-atms-a-7412/op-1
BBC. (5/20/12). HSBC cash machines hit by IT failure. Retrieved from http://www.bbc.com/news/business-18140620
Berson, T., Kemmerer, R. and Lampson, B. (1999). Realizing the Potential of C4I: Fundamental Challenges. Retrieved from the Microsoft Research website http://research.microsoft.com/en-us/um/people/blampson/63-C4ISecurity/Acrobat.pdf
Brad, G. (2005, January 12). The Role of the Security Analyst in the Systems Development Life Cycle. SANS Institute. Retrieved from http://www.sans.org/reading-room/whitepapers/awareness/role-security-analyst-systems-development-life-cycle-1601
Clarke, J. (2009). SQL injection attacks and defense. Burlington, MA: Syngress Pub. https://books.google.co.in/books?id=KKqiht2IsrcC&printsec=frontcover&dq=Clarke,+J.+%282009%29.+SQL+injection+attacks+and+defense.+Burlington,+MA:+Syngress+Pub.&hl=en&sa=X&ei=zQ8PVdPNEdLauQTYrICoAg&redir_esc=y#v=onepage&q&f=false
Daniel, K. (2011-2015). Various topics about security systems. Retrieved from http://theinfopro.blogs.451research.com/index.php/tag/secureworks/
DoIT, State of Maryland, Department of Information Technology. (2008, September). Standards for Security Categorization of Information Systems. http://doit.maryland.gov/support/Documents/security_guidelines/Security_Categorization.pdf
Dunlap, S. (12/1/14). ATM machine stolen, dragged through streets of Silver City. Silver City Sun-News. Retrieved from http://www.scsun-news.com/silver_city-news/ci_27046565
InfoSecurity. (3/19/09). Russians hack Diebold ATM software. Retrieved from http://www.infosecurity-magazine.com/news/russians-hack-diebold-atm-software/
INTOSAI, EDP Audit Committee. (1995, October). Information System Security Review Methodology. International Organization of Supreme Audit Institutions. http://www.issai.org/media/13024/issai_5310_e.pdf
John, R. (n.d.). Firewall Planning and Design. York Technical College. Retrieved from http://yorktech.com/department/itdept/rouda/PDF/IST292/Chapter%201.pdf
Kaufmann, L. (8/10/12). Exploiting ATMs: a quick overview of recent hacks. IT Security Community Blog. Retrieved from http://security.blogoverflow.com/2012/08/exploiting-atms-a-quick-overview-of-recent-hacks/
Kukiewicz, J. (8/30/11). Anger grows over HSBC's online banking 'Secure Key'. Choose.net. Retrieved from http://www.choose.net/money/guide/news/hsbc-secure-key-online-banking-problems.html
Marianne, S., Joan, H. and Pauline, B. (2006, February). Guide for Developing Security Plans for Federal Information Systems. Computer Security Division, ITL, National Institute of Standards and Technology. http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf
McMahon, J. (2015). Secure Your ATMs. Retrieved from the McAfee website http://www.mcafee.com/fr/resources/technology-blueprints/tb-securing-atms.pdf
Paragon Applications Systems. (n.d.). Diebold (US) Enhances ATM QA Testing with Paragon Tools. Retrieved from http://www.paragonedge.com/news/case-studies/diebold-enhances-atm-qa-testing-with-paragon-tools.html
PCI. (2010, October). PCI DSS Quick Reference Guide. Retrieved from https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
PCI Security Standards Council. (2013, Jan). PCI PIN Transaction Security Point of Interaction Security Requirements (PCI PTS POI). Retrieved from the PCI website https://www.pcisecuritystandards.org/pdfs/PCI_ATM_Security_Guidelines_Info_Supplement.pdf
Perlroth, D. (2015). Bank Hackers Steal Millions via Malware. Nytimes.com. Retrieved 24 March 2015, from http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html?_r=0
Sattarova, F. Y. and Tao-hoon, K. Security Review: Privacy, Protection, Access Control, Assurance and System Security. International Journal of Multimedia and Ubiquitous Engineering, Vol. 2, No. 2. http://www.sersc.org/journals/IJMUE/vol2_no2_2007/2.pdf
Shirley, R. (2009, April). The System Development Life Cycle (SDLC). Computer Security Division, Information Technology Laboratory (ITL), National Institute of Standards and Technology. http://csrc.nist.gov/publications/nistbul/april2009_system-development-life-cycle.pdf
The Government of the Hong Kong Special Administrative Region. (2008, February). An Overview of Information Security Standards. Retrieved from http://www.infosec.gov.hk/english/technical/files/overview.pdf
Weight, A. (2009, September). Best Practice for Physical ATM Security. ATM Security Working Group. Retrieved from http://www.link.co.uk/SiteCollectionDocuments/Best_practice_for_physical_ATM_security.pdf