CONTINUE TO SITE »
or wait 15 seconds

Article

Strategies for securing ATMs

Encryption protocols and remote key management are just two of the tools that help prevent ATM security breaches.

November 21, 2013

by Richard Pohl, senior director of software and IT, Triton Systems

Not too long ago, it took a group of hackers just 30 minutes to steal $9 million from 130 ATMs in 49 cities around the world — and the problem of ATM theft continues to grow. Fraudulent ATM activity cost consumers more than $50 million in 2010.

Operators around the globe are turning to EMV to increase security. The United States, however, remains primarily dependent on mag-stripe cards, leaving deployers vulnerable to criminal activity. Should a network be breached, IAD deployers could be liable for millions of dollars.

The simplest way to avoid being hacked is to keep your ATM portfolio upgraded.

Keep software up to date

Everyone who owns a PC knows that software becomes obsolete quickly, and it can seem like new patches are available daily. For an ATM deployer who owns multiple machines, it is essential to keep software current on an ATM.

The longer software has been available to ATM deployers, the more time thieves have had to determine any vulnerabilities. Software providers, however, also have been paying attention to potential weak spots, and most likely have developed patches or new versions of the software.

An ATM provider should provide free software upgrades and easy access to the software, making it easy for deployers to install.

"Triton notifies me with a technical service bulletin whenever a patch is available," said Gavin Reubenson, a business development executive at Paycorp Holdings, an IAD that operates 4,500 ATMs in South Africa and Namibia. Reubenson said that he can simply download software to machines.

"I stay up to date without having to put in a lot of time and effort," Reubenson said.

Make good use of passwords 

  • Make it unique;
  • don't use significant dates that can be guessed easily. It might be tempting to pick a birthday or a regular PIN number, but if that information becomes available to thieves, they can quickly figure out the password.

ATMs come loaded with default passwords set by the factory. Almost every deployer knows that these password should be changed, but it is a task that easily can be overlooked.

If the default password remains in place, anyone who knows that password can use the ATM in an administrative capacity, with the ability to bypass all security.

For more than six years, new ATMs have shipped with software that forces the technician to change the ATM master password at installation, combating the problem of default passwords.

Many IADs, however, are using older ATMs, and even new installations can include refurbished ATMs. Updating older ATMs with the latest software will require the deployer to set new passwords.

Choose a software package that allows different passwords with different levels of authority. For example, the cash loader can have one password that allows them access only to parts of the system involved in loading money, while an employee in the back office has a password that allows a greater level of access.

Of course, the IAD deployer should have a master password that allows access to all parts of the system.

Keep hardware up to date

While software security is most widely discussed — and most often updated — let's not forget that ATMs must be physically secured. Hardware updates, upgrades, and options are available to further protect this investment.

Security modules are devices that reside within the ATM vault between the motherboard and dispenser, and are designed to encrypt messages that flow between the two devices.

Security modules employ the latest in encryption security and, as with any secure device, they can and should be updated as directed by the manufactuer to ensure that an ATM is secured with the latest encryption.

Manufacturers offer options for high security, pick-resistant locks for control panels and door fascias that can be customized for individual ATMs or fleets. In addition, third-party security and alarm devices can secure an ATM and deter possible thefts. Performing a quick internet search, or asking your manufacturer, for details on these solutions.

Enable message authentication codes

ATMs are networked, sending messages to and from the host. This represents a point of vulnerability for IADs, because a criminal can intercept and alter the messages, or impersonate an ATM or a host and send counterfeit messages.

Message authentication codes are 'cryptographic checksums' appended to messages sent to and from the ATM. They verify that messages sent are identical to those messages received, and that the messages originate from a legitimate source.

MACing ensures that the correct machines are speaking to one another and only authorized messages are being received and transmitted. It can also prevent man-in-the-middle attacks and provides authentication of both the ATM and host processor.

Enable SSL and a firewall on TCP/IP machines

When TCP/IP communications are used — for example over the Internet — an attacker can attempt to eavesdrop upon or modify a message in order to impersonate a server, or to act as a man in the middle.

Enabling SSL prevents these activities, but the operator must ensure that the SSL certificate comes from an approved certificate authority.

SSL, or secure socket layer, should be enabled on both the server and the client (in this case, the ATM). This allows the ATM client to authenticate the host server and ensures the integrity of messages.

At the same time, enabling SSL prevents snooping on the line by a criminal. If information is transmitted only from an SSL-enabled client to an SSL-enabled server, a thief cannot capture the message to use for fraudulent activity.

Use remote key management

PCI DSS mandates that deployers update keys at least annually. Traditional key-loading involves manually input of keys into each ATM by service personnel, which costs a deployer money and leaves the system vulnerable. Security keys may become compromised due to accidental disclosure or infiltration of the system by criminals. Additionally, manual inputting of long strings of numbers can lead to typing errors.

Remote key-loading allows keys to be updated over a network from a secure environment. Removing humans from the equation eliminates the possibility of human error or criminal activity from the update. And since remote uploading is both easier and more cost-effective than manual uploading, deployers can update keys more frequently, making them less prone to attack. In the case of a suspected breach, new keys can be uploaded quickly.

Partner with a trusted provider

ATMs will always be vulnerable to attack, and thieves will grow ever more sophisticated. This means that security must be paramount to a deployer, but it doesn't mean that it has to be a burden. A few simple strategies can help keep a deployer safe, and partnership with an ATM provider who provides a comprehensive security protocol can ease security headaches.

Read more about security.

photo: kev-shine

Included In This Story

Triton Systems

Triton FI based products • NO Windows 10™ Upgrade • Secured locked down system that is virus/malware resistant • Flexible configurations - Drive-up and Walk-up • Triton's high security standards • NFC, anti-skim card reader, IP camera and level 1 vaults are all options • Triton Connect monitoring • Lower cost

Request Info
Learn More

Related Media

Security
Examining biggest ATM security issues and 4 strategies to prevent them
Security
Banking privacy: 5 benefits for banks, customers
Security
Protecting an ATM's hardware, software by slowing down criminals
On-Demand Webinar
A Masterclass in ATM Security: Global Best Practices and Trends
Presented by Diebold Nixdorf
Recent Posts


©2025 Networld Media Group, LLC. All rights reserved.
b'S2-NEW'