Protecting ATM Connections
Amid security threats, end users must consider IoT and M2M
- By Julian Weinberger
- Aug 01, 2017
The first Automated Teller Machine (ATM)
machine was installed in 1967, dating back
well before the millennium to a time when
network security was unsophisticated. The
rollout of ATMs was a global phenomenon,
meeting bankers’ needs with instant cash
distribution after business hours.
With the rising popularity of the Internet accessible machines,
the need to protect connections between the disparate ATMs and
the banks’ processing centers became critical.
Though the first ATM was unveiled 50 years ago, the basic
components that make up an ATM have not changed significantly.
Many banks still have 20th century ATMs in everyday use,
which unfortunately, increases the risks of cyberattacks. The use
of outdated, insecure software is widespread, and mistakes in
network configuration are common while critical physical components
are often not properly guarded.
At the same time, more and more ATMs are being connected
to the Internet of Things. Search engines for Internet-connected
devices, such as Shodan, only exacerbate security risks, allowing
anyone to find the ATMs that are the most vulnerable. Without
properly secured connections, stealing money remotely from
ATMs is the cybercrime equivalent of taking candy from a baby.
Remote ATM Attacks
In 2016, banks in the United Kingdom, Russia, Netherlands and
Malaysia were attacked by malware that allowed cybercriminals
to take full control of cash machines.
The technique, known as touchless jackpotting, requires no
physical tampering. Instead, it allows cybercriminals to attack poorly
protected ATMs remotely, from anywhere in the world, via the
global ATM network completely undetected by security services.
The number of touchless attacks on ATMs is on the rise. According
to the European ATM Crime Report, 28 incidents were
reported in the first half of 2016 (up from five during the same
period in 2015).
Older ATMs that have recently been connected to machine-tomachine
(M2M) environments are particularly at risk and some
of the most vulnerable ATMs still do not have any network
protection at all.
Despite some of the strictest regulatory obligations and their
attractiveness to cybercriminals, it appears that retail banking is
no different than any other sector in quickly moving forward with
IoT while comprehensive security measures lag.
The first step in protecting connections between large numbers
of disparate ATMs and bank processing centers is to utilize Virtual
Private Networks (VPNs), firewalls and MAC-authentication.
Protecting ATM Connections with VPNs
Although most bank ATM networks use advanced encryption to
protect the sensitivity of the financial data being exchanged, the
rise of remote ATM attacks show that many banks still have protective
measures to take.
Securing ATMs with VPNs is comprised of four essential
Automatic/always-on connectivity. The VPN client is set to
connect to the VPN automatically and remain connected. In the
event of a disconnect occurring, due to network downtime for
example, the VPN client look to reestablish the session as soon as
the data connection comes back up.
Authentication. As everyone knows, ATM transactions are
authenticated using two or three human factors namely the customer’s
ATM card, their unique PIN and, in some cases, their fingerprint
or retina scan. In modern ATMs the customer’s smartcard,
in combination with a smartcard reader inside the machine,
provides another layer of security to assist the digital side of the
Management. Ultimately, ATM VPN connections should be centrally managed. A VPN management tool allows IT administrators
to update configurations, upgrade software and manage
certificates remotely. The only alternative is to perform the updates
manually using a memory stick or CD, which requires giving
someone physical access to every machine. Unfortunately, this
can give those with criminal intent an opportunity to gain access
to the machine, inject malicious software or attach a device inside
the machine and take control over it.
High availability. Connections between ATMs located in the
branch offices of banks or in retail stores and the main network
must never break down. This means high network availability
provided by a professional VPN system supported by several
IoT and M2M Security
In summary, global ATM networks are fast becoming machineto-
machine environments. As the Internet of Things starts to permeate
every aspect of business, the need to protect the communications
of machines both new and old is becoming more urgent.
The age of some traditional ATMs and the primitive nature of
the software they run on leaves additional security loopholes for
cybercriminals to exploit.
Globally, cybercriminals have successfully carried out multiple
remote hacks on ATMs, prompting the FBI to warn American
banks to be on the lookout for similar attacks. Heists like
these prove that poor remote connectivity can ultimately result in
the loss of billions of dollars as well as identity theft and fraud.
The deployment of VPNs, coupled with prompt patching of
every server on the network, is essential to secure interactions between
thousands of ATMs communicating with their data centers.
Comprehensive VPN software solutions fit easily into existing
infrastructure and require no additional hardware. Moreover,
data traffic is secured at the device itself so that no unencrypted
traffic ever leaves the endpoint.
Financial institutions can stay protected by ensuring every
device accessing their network has up-to-date firmware and by
implementing network security technologies, such as intrusion
prevention systems (IPS), and firewalls, within an in-depth defense
framework to minimize potential attack vectors.
As analysts predict the number of M2M connected devices
will grow from 12 billion to 50 billion by 2020, properly securing
connections is urgent. By leveraging a VPN, endpoint devices can
communicate through a secure encrypted tunnel, which makes
it nearly impossible for an attacker to access an IoT device and
breach a financial network.
This article originally appeared in the August 2017 issue of Security Today.