As more and more ATMs become connected to the internet of things, the need to protect communications between disparate ATMs and bank processing centers is critical. Though the first ATM was unveiled 50 years ago, the basic components that make up an ATM have not changed significantly. Many banks still have 20th century ATMs in everyday use, which unfortunately increases the risks of cyberattacks. The use of outdated, insecure software is widespread, and mistakes in network configuration are common while critical physical components are often not properly guarded.
Search engines for internet-connected devices, such as Shodan, only exacerbate security risks, allowing anyone to find the ATMs that are the most vulnerable. Without properly secured connections, stealing money remotely from ATMs is the cybercrime equivalent of taking candy from a baby.
With the number of touchless attacks on ATMs on the rise, secure remote connectivity is vital for machine-to-machine (M2M) environments. Last year, several banks around the world were attacked by malware that allowed cybercriminals to take full control of cash machines. This technique, known as touchless jackpotting, requires no physical tampering. Instead, it allows cybercriminals to attack poorly protected ATMs remotely via the global ATM network completely undetected by security services.
Mitigating risks with VPNs
Despite some of the strictest regulatory obligations and their attractiveness to cybercriminals, it appears that retail banking is no different than any other sector in quickly moving forward with IoT while comprehensive security measures lag. Older ATMs that have recently been connected to M2M environments are particularly at risk.
Although most bank ATM networks use advanced encryption to protect the sensitivity of the financial data being exchanged, the rise of remote ATM attacks show that many banks still have protective measures to take. The first step in protecting connections between large numbers of disparate ATMs and bank processing centers is to utilize virtual private networks (VPNs), firewalls and MAC-authentication.
Securing ATMs with VPNs is comprised of four essential components: automatic/always-on connectivity, authentication, central management and high availability.
With automatic/always-on connectivity, the VPN client is set to connect to the VPN automatically and remain connected. In the event of a disconnect occurring, due to network downtime for example, the VPN client will reestablish the session as soon as the data connection comes back up.
When it comes to authentication, ATM transactions use two or three human factors such as the customer’s ATM card, their unique PIN and, in some cases, their fingerprint or retina scan. In modern ATMs, the customer’s smartcard, in combination with a smartcard reader inside the machine, provides another layer of security to assist the digital side of the authentication process.
Ultimately, ATM VPN connections should be centrally managed. A VPN management tool allows IT administrators to update configurations, upgrade software and manage certificates remotely. The only alternative is to perform the updates manually using a memory stick or CD, which requires giving someone physical access to every machine. Unfortunately, this can give those with criminal intent an opportunity to gain access to the machine, inject malicious software or attach a device inside the machine and take control over it.
Lastly, since connections between individual ATMs and the main network cannot afford downtime, high network availability provided by a professional VPN system and supported by several backup systems is essential.
As the internet of things starts to permeate every aspect of business, the need to protect both old and new ATMs in M2M environments is urgent. The age of some traditional ATMs and the primitive nature of the software they run on leaves additional security loopholes for cybercriminals to exploit.
The deployment of VPNs, coupled with the prompt patching of every server on the network, is essential to secure interactions between thousands of ATMs communicating with their data centers. Comprehensive VPN software fits easily into existing infrastructure and require no additional hardware. Moreover, data traffic is secured at the device itself so that no unencrypted traffic ever leaves the endpoint.
Financial institutions can also stay protected by ensuring every device accessing their network has up-to-date firmware and by implementing network security technologies, such as intrusion prevention systems and firewalls, within an in-depth defense framework to minimize potential attack vectors.
As analysts predict the number of M2M connected devices will grow from 12 billion to 50 billion by 2020, securing connections must be a top priority. Using a VPN enables endpoint devices to communicate through a secure encrypted tunnel, which makes it nearly impossible for an attacker to access an IoT device and breach a financial network.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.