The ATM industry needs reliable security solutions to address increasing threats — without speculation as to whether there are or should be security backdoors.
April 26, 2016
by Eric de Putter, Managing Partner and Co-founder, Payment Redesign Ltd.
In an undoubtedly patriotic act, Bill Gates suggested that Apple should assist the FBI with unlocking a terrorist's iPhone, oblivious not only to the security agendas of Apple and the FBI but also to the effect that his views have on his own client base.
It's a client base that, where the ATM industry is concerned, might look something like a disgruntled spouse after 25 years of marriage to Windows — believing there is no alternative and increasingly skeptical about the next operating system's increased security features.
Apple has been selling iPhones since 2007 and currently has a market share of approximately 40 percent in the United States. If this is the first time the FBI has requested cooperation from Apple, surely we can conclude that Apple's customers are the most law abiding citizens in the U.S., can't we?
Well, perhaps not. The FBI's ulterior motives might not relate to a single iPhone; they might have waited for a high profile case in order to force legislation mandating backdoors in security.
This raises bigger questions — not only as to who guards the guard, but also as to whether the FBI has managed to obtain cooperation from other technology giants without legislation.
Bill Gates' middle-ground approach to cooperation in extreme cases was not seconded by Microsoft and, since then, Gates (quite sensibly) has rejected suggestions of his siding with the FBI — especially on the topic of backdoors.
Just how good is our security?
Just over three years ago, Russian hackers demonstrated the security vulnerabilities of ATMs by uploading the "Angry Birds" game. This has morphed into attacks known as jackpotting in which a cyberhacker empties the machine by using a particular card or PIN.
Today, many banks, credit unions and other ATM operators hope that hackers will continue to pursue data breaches rather than raid their ATMs with malware like Tyupkin or Suceful.
The ATM industry has looked at a number of measures to prevent malware attacks. Its basic assumption is that any attack would require USB access to the ATM's PC. If it were just that, traditional measures would work fine.
Panama-based Krypto ATM Systems Inc. has demonstrated, with what appear to be straightforward attacks, that malicious third parties can get their malware onto an ATM in different ways. They deserve a few Brownie points for hacking ATMs via audio features meant for blind and visually impaired users.
"We wanted to demonstrate that operational measures to combat malware are a false sense of security," said Alvaro Andrade, the Krypto CEO who designed and executed the hacks. "Rather than use antivirus solutions, ATM operators may want to run a set of extra tests on their ATMs to check for suspicious activity — which could be, for example, inserting an audio plug. We have also managed to get malware onto the ATM by putting it on an EMV chip card."
The relevance of this new approach is echoed by Idris Kothari, CTO of Silicon Valley-based VSi, who in the '90s co-founded VPNet and developed the hardware security mechanism for VPN.
Kothari was preaching solutions at a time when hardly anyone acknowledged there was a problem that needed fixing:
Within our new company we operate thousands of PCs in hotel lobbies globally, where business executives access emails and Web sites with high levels of confidentiality. In our design we accept that those PCs will contain malware. Since there is no sure way to prevent it, we have found ways to remove malware without any interaction from system administrators. It is impossible to secure Windows 7 and XP. The solution is not prevention but removing malware after every use. The ATM industry may want to rethink using the same philosophy.
Every new service pack and new version of Windows has been promoted as higher security. Windows 10 is no exception.
This time, though, it might be for real. For Windows 10, Microsoft has reviewed hardware capabilities and allows ATM operators to lock down an ATM completely, restricting applications to those authorized by Microsoft and the operator.
The model is similar to mechanisms used on tablets and smartphones with signed applications. PCs are multithreading devices and Internet connected; Microsoft has gone the extra mile to ensure that the CPU can validate whether an application is genuine.
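The lock-down described above amounts to a default-deny application allowlist: a binary runs only if it is signed by an authorized publisher or, failing that, matches a hash the operator has approved. The following added example (not Microsoft's code nor anything from the article) models that decision over a constructed inventory of executables; the publishers, paths and file contents are invented, and the "signature valid" flag stands in for the signature verification an operating system would perform.

```python
import hashlib

# Default-deny policy (constructed): trusted publishers, plus a short list of
# approved SHA-256 hashes for tools that carry no trusted signature.
DIAG_TOOL_BYTES = b"constructed diagnostic tool binary v1"
POLICY = {
    "publishers": {"Microsoft Windows", "ATM Operator Ltd"},   # hypothetical
    "hashes": {hashlib.sha256(DIAG_TOOL_BYTES).hexdigest()},
}

# Constructed inventory: (path, file bytes, claimed publisher, signature_valid).
# publisher None means the file is unsigned.
INVENTORY = [
    (r"C:\ATM\app\dispense.exe", b"constructed ATM app", "ATM Operator Ltd", True),
    (r"C:\Windows\System32\notepad.exe", b"constructed OS binary", "Microsoft Windows", True),
    (r"C:\ATM\tools\diag.exe", DIAG_TOOL_BYTES, "Vendor X", True),
    # Same tool after one byte was changed: its approved hash no longer matches.
    (r"C:\ATM\tools\diag_modified.exe", DIAG_TOOL_BYTES + b"!", "Vendor X", True),
    # Claims a trusted publisher but the signature does not verify.
    (r"C:\Users\Public\update.exe", b"constructed dropper", "Microsoft Windows", False),
    (r"C:\Users\Public\helper.exe", b"constructed unsigned file", None, False),
]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def evaluate(data, publisher, signature_valid, policy):
    """Decide whether one executable may run under a default-deny policy.

    Order matters: a publisher rule is only as strong as the signature check
    behind it, so an invalid signature discards the claimed publisher before
    the allowlist is consulted. The hash rule is the fallback for binaries
    without a trusted signature.
    """
    if signature_valid and publisher in policy["publishers"]:
        return "allow:publisher"
    if sha256_hex(data) in policy["hashes"]:
        return "allow:hash"
    return "deny"


def audit(inventory, policy):
    """Map every path in the inventory to its policy decision."""
    return {
        path: evaluate(data, publisher, sig_ok, policy)
        for path, data, publisher, sig_ok in inventory
    }


def denied(inventory, policy):
    """Paths that would be blocked, i.e. the findings for the operator."""
    return sorted(p for p, d in audit(inventory, policy).items() if d == "deny")


if __name__ == "__main__":
    for path, decision in audit(INVENTORY, POLICY).items():
        print(f"{decision:16} {path}")
```

Two outcomes are worth noting: the modified diagnostic tool is denied because the hash rule protects against any change to an approved file, and the dropper claiming a Microsoft publisher is denied because the claimed publisher is ignored once the signature fails to verify. That second point is why the article's "CPU can validate whether an application is genuine" matters: allowlisting by publisher is only meaningful when the signature check itself cannot be bypassed.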
Putting it all together
Bill Gates did not help anyone, including himself, by suggesting that Apple should assist the FBI. But now that the FBI seems to have done the job itself, let us hope that any discussion of backdoors will disappear.
Let's hope that, instead, Microsoft and Bill Gates focus on their own challenges.
If Microsoft had not reacted immediately, the company's security policy would have been questioned. Fortunately, Microsoft has stepped up security with Windows 10 big time at a time when our industry most needs it.
The FBI-Apple debate should not distract the ATM industry from focusing on the imminent fight against malware. The big question is whether prevention is the only weaponry available.
According to some experts, the security playing field has changed and ATM operators might want to look beyond traditional measures to protect aging operating systems. They might consider moving to Windows 10 at their earliest opportunity on the assumption that this OS will deliver the right security.
Eric de Putter is co-founder and managing partner at Payment Redesign Ltd., a boutique consultancy in the payment industry with specialized expertise in associate partner selection and commercial strategy. He is also an executive advisor to Paymint AG, a German company that provides business and technical support for the entire payment value chain. De Putter has spent 20 years in the payments and cards industry and has previously worked at Evry ASA, VocaLink and Visa Europe.