Securing Self Service Terminals
Hansel D'Souza
Payments Specialist || Business Strategy || Startups Enthusiast || Mentor || Blogger (#MyMindExpressed)
Self Service Terminals (SSTs) like ATMs, Cash Recyclers, Note Accepters, Self Service Kiosks etc. are pretty much part of everyone's life these days. They offer almost unrestricted access to cash and other banking services at any time. These SSTs offer great convenience, but they are regularly in the news in connection with one fraud or another. While some attacks on ATMs are genuine and indigenous, others are just hyped to create a juicy news story.
SST Security vs Digital Security
It's quite common to benchmark all types of digital security against the security used for laptops/desktops/servers. This is where it all goes wrong when we talk about SSTs. Unlike general hardware, which is regularly accessed by technicians, SSTs are completely unmanned terminals. This means that no technician is regularly accessing the terminal with a keyboard, unless authorised. Hence, there is no real way to remotely validate (due to network and security limitations) whether a patch has been properly installed, whether an application is interfering with the SST's functioning, or whether an alert pop-up has been thrown up on the screen. It should be noted that SSTs are, at times, installed in far-out locations that could take a technician a couple of days to reach. Uptime of an SST is of utmost importance, and hence it becomes all the more important that the security of SSTs is treated differently from the security setup of manned terminals.
Pin the Blame
For any incident that occurs, everyone wants to know the Root Cause, irrespective of whether it is properly understood or not. SSTs, especially ATMs, have been the victim of many such misrepresented RCAs. An SST fraud is limited to a fraud on the terminal due to a security lapse. However, there have been cases where a lapse in the security of the backend infrastructure is the cause of the issue, but the fingers are pointed at the SST. As mentioned earlier, since they are unmanned terminals, SSTs can have only a limited set of security alerts. However, the backend systems should ideally be completely secure, as they are completely manned terminals. There have been many cases where SSTs have had to bear the brunt, largely due to media coverage. It's common for people's minds to register misinformation more quickly than accurate information because of its simplicity. That being said, it doesn't mean that adequate security measures are not built into the SST itself.
SST Safeguards
Monetary loss is acceptable to an extent, reputation loss is irreparable
Creating a security plan for SSTs needs focussed planning with a vision of the future roadmap. Proper funding needs to be allocated for such activities. Below is a high-level set of security features implemented at SSTs. This is by no means a full laundry list, and the extent of implementation could vary by institution and requirement.
Infrastructure Security
The infrastructure setup of SSTs, especially cash handling terminals, is designed with its own level of security. The applications running on the terminal undergo their own audits and testing before they are cleared for deployment. PA-DSS certification is now mandatory for any terminal involved with card payments. Most terminals handling cash dispensation are designed to have a multi-way encryption handshake between a pre-defined set of hardware modules of the SST. This ensures that if any of the originally configured hardware modules is tampered with, the SST would cease to operate, which safeguards against attacks like black-box and jackpotting. In addition, the SST network is designed as a secure VPN with the Financial Institution with no Internet access. Secure network-level encryption such as IPsec is overlaid on the MPLS network setup. Further, network firewalls and routers are configured to allow only authorised systems access to the SSTs.
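A simplified illustration of the module handshake described above, added here as an example and not taken from any SST vendor's implementation. It assumes HMAC-SHA256 challenge-response over pre-shared pairing keys; the `Module` class, the helper functions and the module names are hypothetical.

```python
import hashlib
import hmac
import secrets
from itertools import combinations

class Module:
    """One SST hardware module holding a pairing key per authorised peer (hypothetical model)."""
    def __init__(self, name, pairing_keys):
        self.name = name
        self.pairing_keys = dict(pairing_keys)  # peer name -> shared secret
        self.out_of_service = False
        self._nonce = None

    def challenge(self):
        # Fresh random nonce per handshake, so a recorded response cannot be replayed.
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def respond(self, peer_name, nonce):
        # Binding our own name into the MAC stops a peer reflecting our response back.
        key = self.pairing_keys.get(peer_name, b"")
        return hmac.new(key, self.name.encode() + nonce, hashlib.sha256).digest()

    def verify(self, peer_name, response):
        key, nonce, self._nonce = self.pairing_keys.get(peer_name), self._nonce, None
        ok = False
        if key is not None and nonce is not None:
            expected = hmac.new(key, peer_name.encode() + nonce, hashlib.sha256).digest()
            ok = hmac.compare_digest(expected, response)
        if not ok:
            self.out_of_service = True  # fail closed: stop operating on any mismatch
        return ok

def mutual_handshake(a, b):
    """Each side challenges the other; both must prove they hold the pairing key."""
    a_ok = a.verify(b.name, b.respond(a.name, a.challenge()))
    b_ok = b.verify(a.name, a.respond(b.name, b.challenge()))
    return a_ok and b_ok

def terminal_in_service(modules):
    """The terminal operates only if every pair of configured modules authenticates."""
    return all([mutual_handshake(a, b) for a, b in combinations(modules, 2)])

def build_terminal():
    """Constructed sample: three modules paired with random keys at commissioning."""
    names = ["host", "dispenser", "card_reader"]
    keys = {frozenset(p): secrets.token_bytes(32) for p in combinations(names, 2)}
    return [Module(n, {m: keys[frozenset((n, m))] for m in names if m != n}) for n in names]
```

With the originally paired modules `terminal_in_service` returns `True`; if one module is replaced by a device that does not hold the pairing keys, the remaining modules mark themselves out of service.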
Physical Security
Having a Security Guard outside an SST terminal is one of the oldest known means of Physical Security. While some still exist, most FIs have started digitizing their security using electronic surveillance systems with sensors for lux, motion and seismic activity, as well as two-way audio-video communication. With the advancement of technology, many types of Artificial Intelligence based methods are being built into such electronic security systems. Due to the impact of skimming, card readers are now fitted with different types of anti-skimming devices. Strategically positioned reflectors are also available to help prevent shoulder surfing.
Data Security
Data is amongst the most valuable assets in the world; in the wrong hands, it can destroy a nation. The hard disks of SSTs are adequately hardened and encrypted to ensure that the data on them is protected against unauthorised access. When transacting on an SST, sensitive information like Card Number, Account Number, PIN etc. is properly encrypted before transmission. Adequate checks and controls are in place to mitigate attacks like MITM. Solutions like Whitelisting, Blacklisting, Sandboxing etc. are also implemented in various proportions to protect the terminal from Malware attacks or Trojan Horses. Lately, banks have started adopting secure data transmission methods like TLS as an added layer of security.
Are SSTs Secure?
After one of my customer presentations, I was asked whether the Bank Terminals would be completely secure if my solution was taken. Anyone with basic knowledge of security would answer in the negative. No matter how many layers of security you build in, a miscreant would always find a new way to bypass the security. Most of them do it for the money, but there are some characters who are in it just for the "kick" of it. They spend their time identifying stronger levels of security and then enjoy finding new ways to bypass the built-in security.
We cannot say that anything is completely secure, be it an SST or be it your home. That doesn't mean that we stop trying to secure it. Security gives us a sense of comfort as it becomes a deterrent for people trying to break in. Security and fraud are in a never-ending race, with each trying to play catch-up. Currently, SSTs have a commendable level of security built in to act as a deterrent, and these security levels are periodically reviewed and updated. Financial Institutions constantly invest in upgrading their SST security so as to provide secure convenience to their customers. Ultimately, with enhanced convenience, there is always some amount of associated risk.
Disclaimer: The views expressed here are totally personal and do not represent the view of any community or professional organisation that I'm a part of. The article/blog is intended to present readers with different perspectives on a situation and is not intended to lure anyone in any specific direction. The views expressed are not intended to hurt or offend any individual, group, organisation or community in any way. The names of people, groups or organisations mentioned in the post are based on what is available in the public domain only. Any grievances caused are highly regretted.