Reducing banks’ security risk – a safe and secure ATM network

Reported by: |Updated: April 28, 2017

Jaivinder Singh Gill

The responsibility of protecting a financial institution from security threats is no small task. With the ever-evolving digital threat landscape and the persistent risk of physical breaches, security teams are required to constantly face new challenges. For banks, the security of their banking assets is further extended by the associated ATM fleets that include hundreds and thousands of onsite/ offsite terminals, multiple manufacturers, software sets and managed service providers. For all the advantages that the ATM fleet brings to consumer banking, there are multiple touchpoints where potential breaches of ATM technology can occur. The requirement of securing and protecting these ATM fleets from the unceasingly evolving security threats is a technology function that requires considerable management.

In mid-2016, an Eastern European gang of criminals had stolen over 12 million baht (approximately $350,000) from a total of 21 ATMs in Bangkok by hacking a bank’s ATM network (Source: Bank Infosecurity, Hacker News)

SECURITY BREACHES

Apart from the various attacks on ATMs globally, there have been a fair number of instances in India itself of late where the ATM security has been breached. While the monetary value associated with the breach can be estimated, the compromise of customer data and brand reputation weighs heavily on the financial institutions. Lack of updated technology, changing nature of threat landscape, large ATM networks and lack of a trusted partner are some of the major challenges faced by the banks today.

Attackers are constantly innovating and creating new malwares to tap into the vulnerabilities of the exiting ATMs to access any or all information they can. Advancements in technology today makes it possible for attacks to be initiated from one country and an actual ATM fraud could be executed in another country. This makes it difficult to track the origin of the fraud and even more difficult to catch the fraudsters. In a world where every device is connected to a network, if the ATMs are not properly secured, fraudsters could easily attack the bank’s entire fleet of ATMs and use the consumer sensitive data to execute frauds on other channels (eg web, mobile etc). The answer to these challenges begins with acknowledging that the self-service environment is very different than the normal office network. Yes, there are PCs inside the ATMs, they are running an operating system and they are connected to the TCP/IP network. However, the hardware, software and processes on and around the ATM are quite different from an office PC, and this needs to be reflected in the security measures being implemented.

VALUE FOR BANKS

An ATM fleet provides tremendous value for banks, but without proper security and management of that fleet, it can become much more of a burden than a boon for a financial institution. Banks recognize the security risks of ATMs and have dedicated teams for managing the security of their ATM fleets. However, as the fleet sizes continue to grow and threats continue to evolve, the task of protecting a fleet can become too challenging for internal security teams alone to handle.

PRECAUTIONS

As banks explore their options for improving the management of their ATM fleet security, they should:

  • Talk to vendors, including existing ATM partners, about their security management capabilities. Many ATM vendors already have the capability to manage the ATM security. Not only can they reduce the security costs but, more importantly, they can improve the response time to fix breaches and mitigate potential threats. But not all ATM vendor capabilities are the same, so banks need to make sure they gather the evidence of the partner’s expertise, and ask for proof points from existing clients with similar challenges to better understand the vendors’ capabilities and track record in security management. Also they should ask for evidence of a vendor’s current and long-term investment and resource commitment to this part of its business. Banks want a vendor that offers ATM security management as a core dimension of its value proposition and has the technology capabilities and scaled infrastructure to deliver.
  • Choose a vendor that understands the overall controls required in the ATM network. Given the significant financial, legal, and reputational risks of ATM security breaches, it makes sense to ensure that banks can remain in control as part of an outsourced arrangement. When comparing the offerings of vendors that can help with, banks need to look for one that they can partner with collaboratively and provide the necessary tools and services that complement the bank’s long-established banking controls. For example, look for:
  • Real-time reporting tools provide information on when breaches are identified, the type of breaches, and how quickly the vendor anticipates it will take to fix.
  • Frequent communication with bank’s internal security experts that includes robust escalation protocols for significant threats. This includes proactive alerts informing the bank of new threats, and what the vendor is doing or how it will work with the bank to mitigate that threat.
  • Skill and flexibility in all incident management while still preserving the bank’s proprietary ownership over all transactions and consumers

Banks should choose the right partner capable of delivering a tightly integrated multi-layer approach that protects the ATM networks against historical and newly-evolving attack vectors, thus making the ATM networks more secure.

 Jaivinder Singh Gill is Managing Director – South Asia & Vice President Operations Asia Pacific, Diebold Nixdorf