ATM manufacturers along with the UK-based Global ATM Security Alliance (GASA) are working to improve protection for automated teller machines (ATMs), as many more of these machines now incorporate commercial off-the-shelf (COTS) operating systems.
Founded in 2003 with help from the ATM Industry Association (ATMIA), GASA last year released a set of guidelines for the ATM industry that addressed both physical and cyber security concerns surrounding ATMs.
Mike Lee, GASA’s CEO, said the organization has three sets of guidelines for protecting ATMs: a General Cyber Security Best Practices Manual, a white paper on Continuous Security Process, and an ATM Cyber Security Manual for securing Microsoft Corp. Windows-based machines.
Jim Richardson, a security expert in Houston and a GASA member, said the guidelines came about because in the last few years ATM manufacturers have moved away from IBM Corp.’s OS/2, and towards machines using Windows.
OS/2 was originally supposed to be the result of a partnership between Microsoft and IBM to make a DOS successor. Microsoft, however, abandoned the partnership in order to concentrate on developing its now ubiquitous Windows operating system.
IBM did not abandon OS/2, and the operating system soon found a niche running computers in banks, airlines and ATMs. OS/2 had a good reputation for stability and up-time. But as Windows came to dominate the desktop PC market, it also grew popular where OS/2 once reigned. In 2001, for example, ATM maker NCR Corp. announced it would begin rolling out machines based on Microsoft’s Windows XP.
However, Windows has a less than stellar reputation in the area of security, especially against hackers, viruses and worms. For example, in 2003, 13,000 Bank of America Windows-based ATMs were shut down when the Slammer worm, exploiting a Windows flaw, infected databases that used the same network as the ATMs.
“There is some truth in the fact that hackers and virus-generators know all about common operating systems and software,” Lee said. “However, the ATM Cyber Security Manual is based on actual tests on securing Windows-based bank ATMs from these vulnerabilities. We believe the manual offers the know-how derived from actual practice and testing to set up perfectly secure Windows-based ATMs.”
While Richardson would not go into detail about the guidelines — they’re only available to GASA and ATMIA members — he did touch on some more general advice. For example, ATM manufacturers should incorporate firewalls and antivirus programs into Windows-based systems, and they should shut off services not required.
There are also guidelines for securing the TCP/IP network connections that ATMs use to communicate with databases. While ATMs are not connected to the public Internet, Richardson said ATMs might still be vulnerable to viruses or security compromises, so it is best to ensure that even the slimmest possibility is not exploited. Other guidelines cover how to secure Windows-based ATMs from hacking toolkits, utilities and denial-of-service attacks.
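The two general controls Richardson describes (shutting off services the machine does not need, and restricting the TCP/IP link to the host it must talk to) can be audited and enforced on a Windows build with a short script. The following is an added example written for this page; it is not code from the article or from GASA's manual, and the service allowlist, the `ATMApplication` service name, the host address `203.0.113.10` and port 443 are placeholders chosen for illustration. It assumes PowerShell 5 or later (for the `StartType` property on `Get-Service`) and the built-in NetSecurity firewall cmdlets.

```powershell
<#
  Added example, not part of the article or the GASA guidelines.
  Audits (and, with -Enforce, remediates) two generic ATM hardening controls:
  disabling auto-start services not on an allowlist, and limiting the
  Windows Firewall to the single outbound flow to the host processor.
  Assumptions: the allowlist, 'ATMApplication', 203.0.113.10 and port 443
  are illustrative placeholders; PowerShell 5+ and NetSecurity are available.
#>
param([switch]$Enforce)

# Services the ATM stack is assumed to need. Placeholder list for illustration.
$RequiredServices = @(
    'EventLog',       # keep local logs for incident investigation
    'MpsSvc',         # Windows Firewall service
    'WinDefend',      # antivirus engine, as the article recommends
    'Dhcp', 'Dnscache',
    'ATMApplication'  # hypothetical name of the vendor's dispenser front-end service
)

# Host-processor address the ATM may talk to (TEST-NET-3 documentation range, placeholder).
$HostProcessor = '203.0.113.10'
$HostPort      = 443              # assumed; use the port the operator's host actually listens on

function Get-UnneededServices {
    # Every running, automatically started service that is not on the allowlist.
    Get-Service | Where-Object {
        $_.Status -eq 'Running' -and
        $_.StartType -eq 'Automatic' -and
        $RequiredServices -notcontains $_.Name
    }
}

function Disable-UnneededServices {
    param([switch]$Enforce)
    foreach ($svc in Get-UnneededServices) {
        if ($Enforce) {
            # Disable first so the service cannot come back on reboot, then stop it.
            Set-Service -Name $svc.Name -StartupType Disabled
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            Write-Output "DISABLED $($svc.Name)"
        } else {
            Write-Output "WOULD DISABLE $($svc.Name) ($($svc.DisplayName))"
        }
    }
}

function Set-AtmFirewallBaseline {
    param([switch]$Enforce)
    if (-not $Enforce) {
        Write-Output "WOULD set default-deny on all profiles and allow TCP/$HostPort to $HostProcessor only"
        return
    }
    # Default deny in both directions: the ATM should initiate nothing but the host link.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
    # The one permitted flow. Add explicit rules for DHCP/DNS or remote monitoring
    # before enforcing, or the outbound block will break them.
    if (-not (Get-NetFirewallRule -DisplayName 'ATM host processor' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'ATM host processor' -Direction Outbound `
            -Action Allow -Protocol TCP -RemoteAddress $HostProcessor -RemotePort $HostPort
    }
}

# Audit-only by default; run with -Enforce to apply the changes.
Disable-UnneededServices -Enforce:$Enforce
Set-AtmFirewallBaseline  -Enforce:$Enforce
```

Run without switches the script only reports what it would change, which is the safe way to build the allowlist from a vendor image before anything is disabled; the real baseline has to come from the manufacturer's and operator's own configuration documentation, since stopping a service the dispenser or card reader depends on takes the machine out of service just as surely as a worm does.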
“Last year there were a few reported incidents of successful cyber attacks on ATMs, but the downtime was minimized by quick response; these cases were isolated,” said Lee. “Nevertheless, as the industry faces massive migration to open Windows operating platforms, we take these threats seriously,” he added, pointing out that the automated-banking sector “has a three-decade old reputation for excellence of service and delivery.”
Mischa Weisz, CEO of Toronto-based TNS Smart Network Inc., which connects independently owned ATMs to the Interac network, said the GASA guidelines are a good set of procedures for any ATM company to follow.
Still, Weisz said ATMs are relatively safe from hackers. Many of these boxes operate on an IP-over-Frame Relay network — a point-to-point connection that is very hard to crack. Most independently operated, stand-alone ATMs — those not connected to a financial institution — use dial-up connections, which are even harder to hack into, he said.
Not to mention, “there is nothing to hack into,” Weisz said. “Most of the programming in ATMs are fixed and it is not possible to tell it to give you 5,000 bills. It would be like standing outside a car and saying, ‘Lights,’ and expecting them to turn on.”