Vladimir Guskov, ex-Head of Technical Support, SafenSoft
Recommendations of ATMIA
Every year the number of ATMs in our country grows, and life without them would not be easy. For example, in January 2011 Sberbank alone had 27.7 thousand ATMs, 4.8 thousand more than in 2010. However, ATMs have not only brought convenience to our lives; they have also become fertile ground for financial fraud.
Today, in contrast to the situation 5-6 years ago, the foremost threats are unrelated to physical risks.
Earlier, the most pressing problems for security services were preventing physical break-ins at ATMs and the installation of fake devices over ATM faceplates, and combating the theft of bank cards and dispensed cash. These problems are easily solved with cameras and the correct choice of ATM location.
Now a threat of another kind has come to the fore.
Transactions involving bank cards are a target for Internet hackers and other cyber criminals. Veterans still remember that 10 years ago the software platform of an ATM was in most cases OS/2. Perhaps that would have continued had IBM not discontinued support for OS/2 users on 31 December 2006. Currently the ATMs in a network usually run one version or another of Windows XP. According to Trend Micro, Windows will be used in 75% of new ATMs. The process is already under way: every year about 10% of the total number of in-service ATMs are replaced by new models. On average, under current conditions the service life of an ATM is up to 10 years, and since mass replacement began 5 years ago, the time is already close when the vast majority of ATMs will be running Windows. Certainly, the OS on an ATM is a «stripped-down» one, and the smaller the set of functionality, the fewer the error-prone areas and opportunities for attack. However, the architecture of Windows is familiar to attackers, which means that an ATM can be exposed to attack by any malicious program written for that operating system.
Such attacks have many negative consequences, from the loss of funds from cardholders' accounts to a blow to the bank's reputation caused by negative coverage in the media.
Thus, protecting the ATM software component becomes a priority within the overall set of ATM security measures.
Particularly relevant here are the basic points of «ATM Software Security Best Practices» (best practices for ATM information security), which contain recommendations on protecting an ATM or payment terminal from cyber threats.
ATMIA gives tips on how to protect ATMs better.
First of all, one must strive to bring the ATM into compliance with PCI DSS. The Payment Card Industry Data Security Standard (PCI DSS) is a data protection standard for the payment card industry developed by the international payment systems Visa and MasterCard.
As for the software installed on ATMs, ATMIA makes the following recommendations:
To reliably protect an ATM, or another autonomous device through which financial transactions are carried out, from cyber attacks, you must observe the following rules:
These help protect ATMs from hackers and fraudsters.
Certainly, these proposals only describe a general approach to the protection requirements for ATMs and payment terminals at the software level.
A new edition of the ATMIA Best Practices is currently being prepared for release and should see the light at the end of 2011. This document contains ATMIA's recommendations relating to security policies and industry standards, including an analysis of common threats and risks and detailed recommendations for protection at the ATM level. In the future we will cover this topic in more detail, on the basis of the new edition of the ATMIA best practices.