Complete Guide for ATM Security Assessment


Introduction to ATM Security Assessment

Guide to ATM Security Assessment-02

ATMs are popular targets for hackers as they are the direct source of cash. While we often see burglary or theft as the most common attack faced in an ATM set-up, we today see a growing trend of cyber-attack on ATM networks as well. Given the evolving threat landscape and sophistication of cybercrimes, ATM Networks are equally susceptible to risks of cyber-attacks. While banks often ensure good physical security for ATMs, when it comes to ATM Networks the security measures are never enough. This is especially when we see that cybersecurity risks are evolving at a fast rate.

For addressing these issues there are a series of Standards and frameworks developed for ATM Security. Covering more on this we have shared a complete guide on how ATM Security Assessments are conducted and a checklist for ensuring maximum security of ATM network.

How is ATM Security Assessment Conducted?

Performing a complete ATM security assessment is a comprehensive process that requires more than just a simple checklist to be ticked off. Auditors will have to conduct an in-depth audit and analysis for reviewing the infrastructure. Elaborating on the stages and techniques, we have listed out a complete stage-by-stage process of ATM Security Assessment.

Network Design Review

The ATM Security Assessment involves reviewing the ATM network to identify possible vulnerabilities in the ATM/POS environment. The evaluation includes reviewing the effectiveness of security controls established in the ATM environment and bank networks. So, with an in-depth infrastructure analysis of the ATM network, it can help determine security flaws in the network design resulting in an insufficient level of network security

Internal Penetration Testing

Manual and automatic penetration tests are performed on the ATM environment considering various international information security standards. This is to evaluate the security of systems like the installed components in the ATM operating system and its associated network. This would mean testing the routers, firewalls, control system servers, database systems, etc to identify associated vulnerabilities. Penetration testers often adopt application standards like the Open Web Application Security Project (OWASP) Testing Guide, PCI PIN Transaction Standards (PCI PTS), and other ATM security standards and guidelines.

Remote Access Review

Remote access review is a technical test conducted to identify vulnerabilities in ATM systems, networks, and associated applications. The auditor/tester identifies misconfigurations in systems, unpatched software and evaluates the level of secure remote access capability to the ATM/POS network. The evaluation includes

Remote access entry points used by employees and third parties that may be exposed publicly such as on the Internet or PSTN. The test may even include reviewing associated policies, processes, procedures, and technical standards mandated by your compliance requirements like PCI DSS.

Local Network Access

This stage is all about reviewing the local network connection to see the level of security established in the environment. The test involves identifying unfiltered network traffic, non-encryption of data flow and lack of authentication in ATM network, and lack of security in ATM network and the backend services. The testing would also mean reviewing access points, routers, switches, and other physical components that connect to various internal servers, web servers, and other LANs via wide area networks.

Physical Access Review

Physical Access review includes identifying physical devices, access points, and network hardware that are unprotected. This would mean detecting any possible rogue devices, weak physical locks and security, weak operating systems, unprotected computers, local network infrastructure, and anti-skimming devices in the ATM environment.

ATM Software & Backend Service Review

Testing of all related applications including payment and non-payment applications of ATMs and networks related to backend systems is crucial. The test includes identifying application-level gaps and flaws including identifying errors in input validation, authorization, authentication, and possible flaws in other network services.

Review of Policies & Procedures

The ATM Security Assessment would also include running a quick review of the existing security policies and procedures established and enforced to protect the ATM environment. Identifying the gaps in the current policy and procedures helps address related security flaws. This would also mean evaluating critical infrastructure against best security practices and standards.

Vendor Responsibilities

Vendor responsibility is another critical component in the ATM security assessment as the ATM ecosystem includes several vendors who impact operational security. Moreover, it is during such assessments that several gaps get identified between the existing security measures and the needed security measures, especially when vendors consider security to be a low priority.

ATM Security Assessment should include all associated components within its network including the Physical devices, Payment and Non-payment applications, Security Software, and Networks. Testing all of these critical components may help identify potential vulnerabilities to the machine’s hardware software and network.

Checklist for ATM Security Assessment

  • Ensure hardening of all Operating Systems connected in the ATM Network.
  • Implement encryption techniques between the ATM and the host.
  • Implement strong security measures against the unauthorized access manipulation of networks and ATM controls and related authorization systems.
  • Install firewalls in ATM Network to filter network traffic.
  • Install Malware Protection in ATM Network
  • Ensure Data Integrity and Confidentiality to protect user-related information exchanged in ATM Network.
  • Ensure access protection to the Windows desktop at the ATMs, and password management policy.
  • Protection against ATM Hacking in terms of breaking into websites through the bank’s network and accessing card information, card processors, and other components of the transaction processing network.
  • Establish password protection to prevent settings from being altered without authorization.
  • Establishing policies, procedures, rules, and security measures to protect self-service machines against unauthorized software installations into ATM Network.
  • Ensure security of all communication interfaces of the ATM.
  • Implement Security measures which mean physical security controls against tampering of ATMs.
  • Security controls are designed to prevent unauthorized modification of the ATM software configurations.
  • Security arrangements implemented around EPP (Electronic Pin Pad).
  • Implement patches into the ATM Network.
  • Establish Protection against skimming, Card Trapping.
  • Ensuring Compliance with PCI standards where applicable.
  • Establish strong protection against ATM Pin Cracking.
  • Ensure security of Secure Card Readers (SCRs).

Considering the above-listed checklist will help organizations address the risk of evolving threat landscape and exposure to ATM systems, networks, and applications.

Final Thought

ATM Security is critical as there are huge financial stakes involved in it. The assessment helps uncover vulnerabilities across the ATM environment and prevent the risk of theft and compromise. Further, the assessment report and analysis provide detailed findings and actionable remediation to address the vulnerabilities detected during the process. But apart from the regular assessment process, adopting a widely accepted cybersecurity management framework and standards like ISO standards and NIST is essential. They are comprehensive standards that cover basic elements of an ATM security management system. However, it is also important to understand that these standards and frameworks do not offer ATM-specific guidelines. But these frameworks help standardize and implement security measures essential for protecting the ATM environment.

Author Bio :

Author Bio:
Narendra Sahoo (PCI QSA, PCI QPA, PCI SSLCA, PCI SSFA, CISA, CISSP, CRISC, CEH, and ISO27001 LA.) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the United States, Singapore & India. Mr. Sahoo has more than 25 years of experience in the IT industry, with expertise in Information Risk Consulting, Assessment, and Compliance services. VISTA InfoSec specializes in Information Security audit, consulting, and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance, and Audit, PCI PIN, SOC2, PDPA, and PDPB, to name a few. Since 2004, VISTA InfoSec has worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.



Add comment

Leave a Reply

By Sidharth

Recent Posts