As ATM 'Jackpotting' Spreads, India Sizes Up SecurityWhat New Defenses Are Needed to Protect ATMs From Attacks?
The news that "jackpotting" or "cashout" attacks have now spread to the United States is renewing concerns about ATM security in India as well.
In fact, the new cautionary advice from NCR about the spread of the attacks is similar to a warning it had issued two years ago about the rise of jackpotting incidents in India.
"The challenge isn't just the financial loss such an attack can cause," says Ratan Jyoti, CISO at Ujjivan Bank in India. "It can also be a damage to the company's reputation when it becomes known that a breach has happened. The large network [of banks] and interdependence are other challenges."
Some security practitioners contend that security defenses for ATMs in India are inadequate. They argue that ATM hardware must be redesigned to ensure that all input/output and external ports can only be accessed through lock and key. And they also advocate a number of other security measures.
A Sophisticated Crime
ATM jackpotting - a sophisticated crime in which thieves install malicious software or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand - has long been a threat for banks in Europe and Asia. This week, the U.S. Secret Service warned financial institutions that jackpotting attacks have now been spotted targeting cash machines in the United States.
In addition, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.
Indian ATMs, like those in other nations, run on outdated software - Windows XP, which makes them more vulnerable to attacks. And so far, banks have found it tough to upgrade ATM.
"There is a lot of backward integration that needs to be done for the applications to work on new software," says C.N. Shashidhar, founder and CEO at SecurIT Consultancy. "It become especially challenging for Indian CISOs who have a vast network of ATMs across the country."
Nevertheless, security practitioners stress that banks ATMs must eliminate the use of outdated operating systems.
"ATMs are always vulnerable to attacks as they have hardware and old software vulnerabilities," says Sriram Natarajan, COO and chief risk officer at Quattro. "The Windows 10 upgrade was a common issue that banks faced in upgrading their ATMs without leaving them open to Windows XP vulnerabilities."
Lack of Resources
But one bank CISO, who asked to remain unnamed, tells Information Security Media Group that it's challenging to make the upgrading of ATMs' operating systems a top priority. "We are caught with multiple other things and have a very limited budget," the CISO says.
Dinesh Bareja, COO at Open Security Alliance, notes: "To add to this problem are the extremely small teams sanctioned for information security function in the enterprise. This leaves the CISO without much quality time in risk management, leaving him to engage in a continuous fight against unknown malicious actors."
The ATM networks in Asia "operate on outdated infrastructure, and many ATM designs have not kept up with changing technology, allowing easy access to cybercriminals," says Reshmi Khurana, managing director and head, South Asia, at Kroll, a risk consulting firm. "The hackers/attackers are usually one step ahead of the banks and ATM manufacturers."
Lack of Security
Shashidhar notes that ATM technology is outdated.
"Security was not built into the design of the ATM's hardware or software, and these weaknesses are being exploited by hackers and criminals," he says. "Moreover, the flaws related to the ATM system can be technical (the ATM is operating on an outdated OS); physical (the ATM is poorly protected), cyber vulnerable (technology is advanced but not fully secure or compartmentalized allowing hackers easy access); or related to process flaws (secure information is not properly protected at the backend)." (See: As ATM Attacks Rise, Banking Group Improves Incident Tracking)
In addition to redesigning ATM hardware to ensure that all input/output and external ports can only be accessed through lock and key, other security measures are needed.
Those include network segregation, strong security controls between networks, updated operating systems, regular patching and deep packet inspection of incoming and outgoing traffic, Shashidhar says.
"Security information and event management systems must be deployed," he adds. "And monitoring of logs, coupled with regular penetration testing, will considerably reduce the surface area for attackers."
Khurana suggests that at the very minimum, ATM manufacturers and banks need to ensure that their machines have adequate encryption and that they are updating their networks in some systematic fashion, initially targeting the most vulnerable ATM locations.
(Managing Editor Geetha Nandikotkur contributed to this story.)