071910 ATMIA & GASA Fraud Alert on ATM Software Attacks 2010-2


ISSUE NUMBER 2010-02 Preventing ATM Software Attacks & Failings
FRAUD RISK SCENARIO

The issue of ATM vulnerability to viruses, hacker attacks, and software failure has been under discussion since the mass migration of ATMs from IBM’s OS/2 operating system to Microsoft’s far more widely-used, and consequently more vulnerable, Windows XP.

In 2009, staff at Doctor Web, a Russian anti-virus company, uncovered a computer virus stealing cardholders’ data directly through ATMs. Some major Russian banks incurred significant damages because of this virus. This year an employee at a large US bank installed malicious software on his employer’s ATMs that allowed him to make thousands of dollars in fraudulent withdrawals over a period of seven months, all without leaving a transaction record, according to federal prosecutors. In the past, the “Slammer” computer worm shut down ATMs and the worm W32/Nachi, also known as “Welchia”, infected ATMs in a “denial of service” attack.

In general, malicious code gains access to banks’ networks through undocumented Internet connections or employees’ infected laptops. Targeted attacks by cyber criminals are also becoming more common.

BEST PRACTICE RECOMMENDATIONS FOR PROTECTING ATM SOFTWARE

ATMIA has published extensive best practices entitled “ATM Software Security Best Practices Guide”, outlining international minimum security guidelines and best practices for operating ATM software. Its aim is to help you develop an IT Security Operational Policy for ATM Operating Software. An additional focus is to facilitate planning for compliance with PCI DSS and PCI ATM, as these global standards impact on ATM hardware and operating software. The scope of the manual covers governance of all ATM software up to the point at which the ATM plugs into the communication link to the host system.

SUMMARY OF BEST PRACTICES

ATMIA’s “ATM Software Security Best Practices Guide” focuses on three dimensions you should continuously review: Processes, Technology and People Policies.
Processes
• Provisioning of ATMs and Software Installation
• ATM Monitoring & Intrusion detection
• Servicing and Maintenance
• Decommissioning of ATMs

Technology
• PIN Security
• Data security – data at rest, and in transit
• Transactional data
• Management data
• Software Patch Updates
• Intrusion prevention – layered approach

The Global ATM Security Alliance The ATM Industry Association

GLOBAL FRAUD ALERT

People Policies
• Enforcing dual-custody controls
• Enforcing password policies and multi-factor authentication

In particular, please check the following areas of your software operating environment and associated systems.

The Operating system
o Remove all unnecessary components (preferably have the supplier do this before delivering the device).
o Minimize the number of services that automatically start up when the device boots (most standard services are not required for ATM operation).
o For Windows XP, apply the appropriate security settings for user rights and review all default policy settings for relevance to the ATM environment.
o Keep up-to-date with patches (ensuring of course that OS customizations are not overwritten as part of the process).
o Command line access should not be permitted for day-to-day operations.

Account security
o Enable only the number of accounts required for device operation and control access to those accounts with strong passwords, not displayed on the device screen, with a lockout kicking in after three unsuccessful attempts.
o Ensure that passwords for both user accounts and application access incorporate letters, numbers, mixed-case, and non-alphanumeric characters. These passwords should be changed periodically, with repeat usage prevented for as long as is practicable.

Access control
o ATMs should only connect to host systems via dedicated network segments, not those shared with general usage workstations and servers.
o Introduce firewall enforcement points along the communication path between ATM and host systems if possible; if network topology does not permit this, packet filters should be configured at each perimeter router that provides TCP/IP connectivity.
o Disable unused switch points and do not use network hubs.
o In general, apply the principle of “what is not specifically permitted should be denied”.

Detection and prevention
o Apply network intrusion prevention, supported by appropriate monitoring and incident response policies and procedures.
o Install, use, and keep updated good-quality anti-malware software, and ensure any alert messages are sent to the appropriate internal personnel.
o Ensure event logs are monitored and stored in a tamper-proof manner.
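The account-security items in this checklist (lockout after three unsuccessful attempts, complex passwords that are changed periodically with reuse prevented) correspond to Windows local security policy settings. The following is an added example, not part of the ATMIA alert: it audits a policy export in the [System Access] format written by `secedit /export`. The sample policy is constructed, and the mapping from checklist wording to policy keys is this example's assumption.

```python
import configparser
import re

# Constructed sample in the format written by `secedit /export /cfg policy.inf`
# on Windows; the values are made up to represent an unhardened ATM image.
SAMPLE_INF = """\
[System Access]
MaximumPasswordAge = -1
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
EnableGuestAccount = 1
[Version]
signature="$CHICAGO$"
"""

# (policy key, predicate on its integer value, checklist item it stands for).
# Mapping the alert's wording onto these keys is an assumption of this example.
CHECKS = [
    ("LockoutBadCount", lambda v: 1 <= v <= 3,       # 0 means "never lock out"
     "lockout after three unsuccessful attempts"),
    ("PasswordComplexity", lambda v: v == 1,
     "passwords mix letters, numbers and non-alphanumeric characters"),
    ("MaximumPasswordAge", lambda v: v > 0,          # -1 means "never expires"
     "passwords changed periodically"),
    ("PasswordHistorySize", lambda v: v > 0,
     "repeat usage of passwords prevented"),
    ("EnableGuestAccount", lambda v: v == 0,
     "only accounts required for device operation are enabled"),
]

def audit_account_policy(inf_text):
    """Return (key, found_value, failed_item) for every check that fails."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str                  # keep the INF's key casing
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        return [("System Access", None, "section missing from export")]
    section = parser["System Access"]
    findings = []
    for key, ok, item in CHECKS:
        raw = section.get(key)                # None when the key is absent
        numeric = raw is not None and re.fullmatch(r"-?\d+", raw)
        if not numeric or not ok(int(raw)):   # missing/non-numeric fails closed
            findings.append((key, raw, item))
    return findings

if __name__ == "__main__":
    print(audit_account_policy(SAMPLE_INF))
```

A real secedit export is UTF-16 encoded, so decode the file before passing its text to audit_account_policy.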

Critical success factors for protecting ATM software systems:
• detect and prevent the launch of malicious software introduced via removable media (USB, DVD or CD)
• schedule system resources access and create dedicated service periods when endpoints can be serviced, improving security against unauthorized access
• control the use of wildcards to significantly simplify system settings
• control user/group access with the aid of a well-defined corporate policy-driven access class differentiation system
• prohibit access to system resources for all applications except those specifically authorized to do so
• centrally log and report all system events
• easily secure the end point with remote or local installation (including silent mode option) using standard Microsoft tools

We urge all our members to acquire “ATM Software Security Best Practices Guide” and implement its best practices, as cyber space is a critical new security frontier.

Acknowledgment

ATMIA would like to thank SafenSoft Inc and the ATM Software Security Committee for their inputs, which have made this industry fraud alert possible.

About ATMIA (www.atmia.com)

The ATM Industry Association is a global non-profit trade association with over 1,750 members in about 50 countries. Its mission is to promote ATM convenience, growth and usage worldwide, protect the ATM industry's assets, interests, good name and public trust, and provide education, best practices, political voice and networking opportunities for member organizations. In June 2003, ATMIA established the Global ATM Security Alliance (GASA) with the mission to employ global security resources in a united alliance in order to protect the ATM industry from criminal activity.

For more information, contact Mike Lee at mike@atmia.com or Sharon Lane at sharon@atmia.com.
