In today’s digital landscape, cybersecurity has become a top priority. As both the industry and consumers embrace digital transformation, the threat landscape continues to evolve in parallel. Protecting the assets, intellectual property, and infrastructure from known and unknown threats is no longer optional—it is non-negotiable.
While digitization enables innovative banking services, seamless customer journeys, and enhanced experiences, it also increases the risk surface.
Implementing comprehensive cybersecurity strategies is critical to maintaining trust and operational resilience.
Recognizing the uniqueness of the self-service environment
In the drive to secure self-service channels, financial institutions (FIs) have been deploying a range of cybersecurity solutions—from traditional endpoint protection to heuristic detection tools. These aim to guard against a spectrum of threats and vulnerabilities, whether previously known or unknown.
However, while such tools are effective in conventional IT environments (like offices or homes), they fall short when applied to self-service devices. Here’s why.
Traditional cybersecurity solutions are largely reactive by default. They rely on prior knowledge of attack vectors or behaviours to offer protection.
This implies that, once deployed in the self-service environment, they require constant updates to remain effective against newly discovered threats.
And there is another issue. How do you recognize or protect yourself against something you do not know exists, the so-called “unknown”? This question is particularly relevant to the banking self-service channel, which is targeted by attacks developed specifically for that environment. These attacks are sometimes highly customized, designed for a particular FI, vendor device model, or deployment environment. So, how can you protect the self-service channel against such unknown, so-called “zero-day” threats and vulnerabilities?
Adopting a multi-layered approach
Securing a self-service environment requires a multi-faceted and layered approach. Here’s how.
The foundation of security starts with protecting the boundaries and, in particular, the boundary to the runtime environment (e.g., access to the BIOS or hard disk at rest).
BIOS Security
Safeguarding against unauthorized access to the BIOS, changes to device settings, and booting from an alternative operating system is paramount when delivering a secure foundation. Protecting, managing and redistributing terminal BIOS passwords, when and where required, from a single central point of management is of extreme importance and plays a fundamental role in any cybersecurity framework.
Hard Disk Encryption
Another essential safeguard is to protect data at rest. Allowing threat actors to access a terminal’s hard disk and inspect or change its content is like giving them the keys to your front door together with instructions on where to find the valuables.
Deploying the correct hard disk encryption solutions, specifically designed and developed for the banking self-service environment, will provide the right degree of protection. Even if a hard drive is removed or stolen, the data remains inaccessible.
Let’s now consider attack vectors that can be performed in a runtime environment and how to ensure the right level of protection.
Operating System Hardening
The vast majority of self-service terminals run a Microsoft operating system. These operating system variants (Windows 7, 10, 11, etc.) have served the industry well: among other benefits, they have enabled industry standards to be developed and processes and services to be optimized. However, if we are being honest, these same operating systems have a very broad scope and were not designed for the specifics of the self-service ecosystem and its security requirements.
Standard processes and services that are essential or beneficial on computers in a home or office environment are not required on a banking self-service device and should, at a minimum, be removed or disabled. Users’ access rights and privileges, as well as USB and keyboard usage, must also be properly configured to protect against unauthorized use. Further measures, such as communication controls and logging mechanisms, ensure that the attack surface inherent to a standard Microsoft operating system is not only minimized but, more importantly, that the runtime environment meets all security and compliance requirements (e.g., PCI DSS, ISO) applicable to the self-service industry.
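The following script is an added illustration of the hardening steps just described (disable unneeded services, restrict USB mass storage, limit enabled local accounts, turn on audit logging). It is not Diebold Nixdorf code and not part of the Vynamic Security product; the service list, the allowed account name and the audit subcategories are assumptions that a real build would review per device model. It runs in report-only mode unless -Enforce is given, so it can be used first to measure drift on a terminal image and only then to apply the baseline.

```powershell
# Added example, not vendor code: a minimal, idempotent Windows hardening baseline
# for a self-service terminal. Run with -Enforce to apply; without it, drift is reported only.
param(
    [switch]$Enforce
)

$findings = [System.Collections.Generic.List[string]]::new()
function Report($msg) { $script:findings.Add($msg); Write-Host "[!] $msg" }

# 1. Services with no role on a kiosk-style device (assumed list; review per build).
$unneededServices = @('Spooler', 'RemoteRegistry', 'WSearch', 'Fax', 'XblAuthManager')
foreach ($name in $unneededServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }
    if ($svc.StartType -ne 'Disabled' -or $svc.Status -eq 'Running') {
        Report "service '$name' is $($svc.Status)/$($svc.StartType); expected Stopped/Disabled"
        if ($Enforce) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
        }
    }
}

# 2. Disable the USB mass-storage class driver (Start=4). Keyboard/HID devices keep
#    working; vendor-specific USB peripherals need their own explicit exceptions.
$usbKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$start  = (Get-ItemProperty -Path $usbKey -Name Start -ErrorAction SilentlyContinue).Start
if ($start -ne 4) {
    Report "USBSTOR Start=$start; expected 4 (mass storage disabled)"
    if ($Enforce) { Set-ItemProperty -Path $usbKey -Name Start -Value 4 -Type DWord }
}

# 3. Local accounts: only the assumed application service account stays enabled.
#    The built-in Administrator (RID 500) is skipped so emergency access is not lost.
$allowedEnabled = @('atmsvc')   # assumption: the terminal application's service account
foreach ($acct in Get-LocalUser | Where-Object { $_.Enabled }) {
    if ($acct.Name -in $allowedEnabled -or $acct.SID.Value -like '*-500') { continue }
    Report "local account '$($acct.Name)' is enabled but not in the allow list"
    if ($Enforce) { Disable-LocalUser -Name $acct.Name }
}

# 4. Audit logging: these subcategories feed the central log collector / SIEM.
$auditSubcategories = @('Process Creation', 'Logon', 'Removable Storage')
foreach ($sub in $auditSubcategories) {
    $row   = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $state = $row.'Inclusion Setting'
    if ($state -notmatch 'Success and Failure') {
        Report "audit '$sub' is '$state'; expected 'Success and Failure'"
        if ($Enforce) { auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null }
    }
}

if ($findings.Count -eq 0) { Write-Host 'baseline OK' } else { exit 1 }
```

The non-zero exit code in report mode lets a fleet management job flag terminals that have drifted from the baseline, which is the "constant updates" problem from earlier in the piece seen from the configuration side: a hardening step that is applied once and never re-checked silently stops being a control.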
Zero Trust Architecture
As previously explained, given the unique nature of threats targeting self-service terminals, traditional endpoint solutions are not enough.
For the purpose of securing this unique ecosystem, a Zero Trust model is critical. Unlike traditional endpoint protection and heuristic security solutions, the Zero Trust approach is centered on continuous verification and authentication.
Zero Trust enforces strict access controls based on the principle of Least Privilege Confinement (LPC). Adopting Zero Trust minimizes the risk of attack not only from known but, more importantly, from unknown exploits. It delivers a multi-layered approach to security and protection, preventing infection directly or via unauthorized lateral movement within the network. It is also the foundation for secure servicing of self-service devices.
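One concrete form of least-privilege confinement on a Windows terminal is a default-deny application allow list: nothing executes unless it was explicitly permitted. The script below is an added example of building such a list with Windows' built-in AppLocker, not the vendor's Zero Trust implementation; the application directory, the policy output path and the probe binary are assumptions. It deliberately starts in AuditOnly mode, because an allow list that blocks a legitimate component takes the terminal out of service just as surely as an attack does.

```powershell
# Added example, not vendor code: default-deny application allow list with AppLocker.
param(
    [string]$AppRoot   = 'C:\ATM\App',            # assumption: the terminal application
    [string]$PolicyOut = 'C:\ATM\applocker.xml',  # assumption: where the policy is stored
    [switch]$Enforce                               # default: AuditOnly (log only, do not block)
)

# 1. Collect publisher/hash information for the application and for Windows itself.
#    OS binaries must be allowed or the terminal cannot boot into its shell; with -Optimize
#    the Windows scan collapses into a handful of publisher rules.
$files = @(
    Get-AppLockerFileInformation -Directory $AppRoot -Recurse -FileType Exe, Dll, Script
    Get-AppLockerFileInformation -Directory 'C:\Windows' -Recurse -FileType Exe, Dll
)

# 2. Publisher rules survive updates of signed code; unsigned files fall back to hashes.
#    No path rules: a rule on a writable path is the classic way allow lists fail.
[xml]$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'ATM' -Optimize -IgnoreMissingFileInformation -Xml

# 3. Set the enforcement mode on every rule collection (Exe, Dll, Script ...).
#    Switch to Enabled only after the AppLocker event log shows no false denials
#    (event 8003 "would have been blocked" while in AuditOnly).
$mode = if ($Enforce) { 'Enabled' } else { 'AuditOnly' }
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = $mode
}
$policy.Save($PolicyOut)

# 4. Dry-run the policy against the application binary and an unsigned file dropped
#    outside the allowed tree (both paths are assumptions) before applying anything.
$probe = @("$AppRoot\atmapp.exe", "$env:TEMP\unsigned-tool.exe")
Test-AppLockerPolicy -XmlPolicy $PolicyOut -Path $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply locally. AppLocker only evaluates rules while the Application Identity
#    service is running, so make that part of the baseline too.
Set-Service   -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyOut
```

Two design points matter for a terminal fleet. First, the publisher rule that allows Windows also allows every Microsoft-signed utility that ships with it, so a production policy adds explicit deny rules for interpreters and tools the terminal application never needs. Second, DLL rules are what stop an injected library from loading into the application process, which is exactly the "infection via lateral movement" case above, but they cost CPU on every load; measure on the real device model before enabling them fleet-wide.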
At Diebold Nixdorf, we recognize the evolving security needs of the self-service channel. Whether you prefer to manage your ATM security in-house with our Vynamic® Security software or outsource it through our managed service model, we've got you covered. Via our effective, adaptive, and proactive multi-layered security framework, self-service terminals are safe from both inside and outside attacks, from known and unknown threat actors and attack vectors.
Let’s speak about how we can help you implement the right level of security for your ATM fleet seamlessly.