March 25, 2019 | B. SCOTT HARROFF
How many times each day do you Google something?
Bad guys do it too.
We are living in a pretty modern era. A world of information is at our fingertips, and those of us in the financial industry have to remember that hackers and thieves have access to way more information about systems, software and internal processes than they’ve ever had before—and that’s before they maliciously hack into a network. A simple Google search can reveal XFS specifications for a particular ATM cash dispenser, for example, along with instructions on how to manipulate XFS into operating the dispenser. If they’re feeling even lazier, would-be hackers can search for apps that conduct test dispenses online, and access the actual software itself that interacts with XFS to make the machine dispense cash.
The bottom line is that new opportunities for theft are simply stacked on top of more traditional robbery methods: Today’s criminals can find, purchase and/or download the details they need to plan an attack of any kind, whether their modus operandi is physical, cyber or data-related. That means financial institutions have to be prepared to fight on every front—which can quickly become incredibly complex. I’ve compiled five of the most common security gaps I see across the financial industry. Take a look and see if any apply to you.
Gap #1: A blanket approach to security.
How can a blanket have gaps? Just like every one of your children is different, so too is every ATM in your network. Some are nestled securely inside a bank branch, or close by in the vestibule or under the awning of the drive-up area. Some are at far-flung outposts, inside retail locations, or in poorly-lit areas without much oversite. Yet we see financial institutions (FIs) treat them all the same, implementing (or neglecting to implement) the same measures on every terminal, regardless of location, age or usage.
Not only is this inefficient, it’s not cost-effective. Rather than spreading your security budget evenly across your network, conduct an analysis to determine which terminals are high-risk, and which are low-risk—then allocate your funds accordingly. This can be a great first step toward prioritizing updates and new software or hardware installations. Which leads us to the second major gap …
Gap #2: Skipping simple steps that maximize the security precautions you already have.
I can’t tell you the number of FIs I’ve talked to where every single one of their remote ATMs has exactly the same key that was shipped from the factory, and they don’t have an alarm on the top hat, and there’s no one monitoring the ATM in real time to see if it’s running or if it’s down.
There are many, many things you can do to tweak the settings, passwords, keys, etc. on your terminals to enhance their security. It’s been hammered into all of us that our own personal passwords need to be complex and we need to change them frequently, yet we see ATMs that have been out in the field for years and they still have a factory-issued password in use. That is the lowest hanging fruit that a criminal can find.
And here’s the other important take-away on this topic: we work closely with the FBI, Secret Service and other government security agencies to monitor emerging threats. We often issue warnings regarding potential threats, and when we issue those warnings, we also outline steps you can take to ensure your network is protected—when your organization receives those warnings, take them seriously. Go over your protocols, check your keys and passwords, do the due diligence beforehand so you’re not going in with the cleanup crew afterward.
Gap #3: No documented instant response plan for potential attacks.
I think sometimes the issue of security is so complex, and security or IT teams are so far down in the weeds trying to address every threat under tight budgets and limited capacity, they never get around to putting down on paper exactly what the process should be if there is an attack on the network.
Many banks are relying on someone to protect them—security specialists like our team at Diebold Nixdorf, or their own internal team—but when it comes down to critical details, they’re not sure how to respond in the immediate aftermath of an event. They don’t know how to turn off an account, for example (especially if it happens in the middle of the night), they’re not sure how quickly their support team will acknowledge and address the issue, etc. I encourage every bank to go through the exercise of a mock attack, so they can see how and where the triggers are happening—or not happening—to better understand exactly what they need to do in the case of a security issue.
Gap #4: Lack of full commitment to security.
This one can be a tough pill to swallow, because every bank wants to believe they’re doing everything in their power to prevent breaches that cost money, reveal consumer data and erode trust.
But the reality is, we see FIs that hesitate on big decisions like upgrading to EMV—they have a “what’s the worst that could happen?” philosophy that is dangerous at best, and very costly at worst. TLS protocol is another one where we see banks that still haven’t rolled it out or turned it on.
Hackers certainly use and exploit the most advanced tools at their disposal. FIs must respond in kind. While a bank may be reluctant to spend money on a new security solution or a sweeping round of software updates, criminals have no such qualms. They will spend the money to make their money; so FIs simply can’t use budget constraints as an excuse any more. Likewise, terminals must be kept up to date, with the latest firmware, the latest updates to the OS, signatures in place, whitelisting activated, encryption fully engaged, etc. If you’ve got the greatest security running on your hard drive, but you’re missing a key firmware update, you’re vulnerable.
Gap #5: Attack vectors that are difficult to identify and thwart.
Transaction Reversal Fraud is low-tech and hard to spot. Is it any surprise it’s making a comeback? Social engineering is also becoming trickier to address. In a conversation with STAR Network’s Director of STAR ATM Acceptance at First Data Incorporated, John Campbell, on our podcast, COMMERCE NOW, he explained how challenging it can be for banks: “[criminals are] importing a new phone number, a new email address, and then they don’t have to get around security. They’ve taken over the identity. The cardless transaction now is just a funnel for them—they don’t have to beat the ATM, they don’t have to beat the networks, they don’t have to beat the processor. They beat the human. By doing so, they’re bypassing all this wonderful security we’ve put into place.”
The best thing an FI can do to eliminate every single one of these gaps is sit down with a security expert to walk through all the different attack vectors out there, and put a plan together that identifies where they are today, where they want to get to, and then the steps they need to put in place to get from here to there. And then, one more critical thing: how to keep everything up to date once they get to that next-level, ironclad security status.
Hear more from Scott and other Diebold Nixdorf security experts on COMMERCE NOW.