
GLOBAL FRAUD ALERT

ISSUE NUMBER 2010-02 Preventing ATM Software Attacks & Failings


FRAUD RISK SCENARIO

The issue of ATM vulnerability to viruses, hacker attacks, and software failure has been under discussion since the mass migration of ATMs from IBM's OS/2 operating system to Microsoft's far more widely used, and consequently more vulnerable, Windows XP. In 2009, staff at Doctor Web, a Russian anti-virus company, uncovered a computer virus stealing cardholders' data directly through ATMs. Some major Russian banks incurred significant damages because of this virus. This year an employee at a large US bank installed malicious software on his employer's ATMs that allowed him to make thousands of dollars in fraudulent withdrawals over a period of seven months, all without leaving a transaction record, according to federal prosecutors. In the past, the Slammer computer worm shut down ATMs and the worm W32/Nachi, also known as Welchia, infected ATMs in a denial-of-service attack. In general, malicious code gains access to banks' networks through undocumented Internet connections or employees' infected laptops. Targeted attacks by cyber criminals are also becoming more common.

BEST PRACTICE RECOMMENDATIONS FOR PROTECTING ATM SOFTWARE

ATMIA has published extensive best practices entitled ATM Software Security Best Practices Guide, outlining international minimum security guidelines and best practices for operating ATM software. Its aim is to help you develop an IT Security Operational Policy for ATM Operating Software. An additional focus is to facilitate planning for compliance with PCI DSS and PCI ATM, as these global standards impact ATM hardware and operating software. The scope of the manual covers governance of all ATM software up to the point at which the ATM plugs into the communication link to the host system.

SUMMARY OF BEST PRACTICES

ATMIA's ATM Software Security Best Practices Guide focuses on three dimensions you should continuously review: Processes, Technology and People Policies.
Processes
o Provisioning of ATMs and Software Installation
o ATM Monitoring & Intrusion Detection
o Servicing and Maintenance
o Decommissioning of ATMs

Technology
o PIN Security
o Data security: data at rest and in transit; transactional data; management data
o Software Patch Updates
o Intrusion prevention (layered approach)

The Global ATM Security Alliance The ATM Industry Association



People Policies
o Enforcing dual-custody controls
o Enforcing password policies and multi-factor authentication

In particular, please check the following areas of your software operating environment and associated systems.

The Operating System
o Remove all unnecessary components (preferably have the supplier do this before delivering the device).
o Keep up to date with patches (ensuring, of course, that OS customizations are not overwritten as part of the process).
o Minimize the number of services that automatically start when the device boots (most standard services are not required for ATM operation).
o For Windows XP, apply the appropriate security settings for user rights and review all default policy settings for relevance to the ATM environment.
o Ensure event logs are monitored and stored in a tamper-proof manner.

Account security
o Enable only the number of accounts required for device operation, and control access to those accounts with strong passwords, with a lockout kicking in after three unsuccessful attempts. Command-line access should not be permitted for day-to-day operations.
o Ensure that passwords for both user accounts and application access incorporate letters, numbers, mixed case, and non-alphanumeric characters. These passwords should be changed periodically, with repeat usage prevented for as long as is practicable.
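To make the account rules above testable before they are rolled out, here is an added example (not code from the ATMIA guide or from SafenSoft) that models them: lockout after three failed attempts, the four required character classes, and a password history that blocks reuse. The history depth of five, the account names and the plaintext comparison (a real system stores salted hashes) are assumptions.

```python
"""Account-security policy model for an ATM operating environment.

Added example: encodes the alert's account rules so a policy can be
exercised before deployment. Thresholds mirror the alert: lockout after
three failed logons, four character classes, no reuse of recent passwords.
"""
import string

LOCKOUT_THRESHOLD = 3   # failed attempts permitted before lockout (per the alert)
PASSWORD_HISTORY = 5    # assumption: remember the last five passwords


def meets_complexity(pw: str) -> bool:
    """Letters, digits, mixed case and at least one non-alphanumeric character."""
    return (any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c in string.punctuation for c in pw))


class AtmAccount:
    """Tracks failed logons and enforces lockout and password-change rules."""

    def __init__(self, name: str, password: str):
        if not meets_complexity(password):
            raise ValueError("initial password does not meet policy")
        self.name = name
        self._password = password          # constructed model: production stores salted hashes
        self._history = [password]         # recent passwords, newest last
        self.failed_attempts = 0
        self.locked = False

    def attempt_logon(self, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'; the third failure locks the account."""
        if self.locked:
            return "locked"
        if password == self._password:
            self.failed_attempts = 0       # a good logon resets the counter
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True
            return "locked"
        return "denied"

    def change_password(self, new_password: str) -> bool:
        """Rejects weak passwords and any password still in the history window."""
        if not meets_complexity(new_password) or new_password in self._history:
            return False
        self._password = new_password
        self._history = (self._history + [new_password])[-PASSWORD_HISTORY:]
        return True
```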

Access control
o ATMs should only connect to host systems via dedicated network segments, not those shared with general-usage workstations and servers.
o Introduce firewall enforcement points along the communication path between ATM and host systems if possible; if the network topology does not permit this, packet filters should be configured at each perimeter router that provides TCP/IP connectivity.
o Disable unused switch ports and do not use network hubs.
o In general, apply the principle that what is not specifically permitted should be denied.

Detection and prevention
o Apply network intrusion prevention, supported by appropriate monitoring and incident response policies and procedures.
o Install, use, and keep updated good-quality anti-malware software, and ensure any alert messages are sent to the appropriate internal personnel, not displayed on the device screen.




Critical success factors for protecting ATM software systems:
o detect and prevent the launch of malicious software introduced via removable media (USB, DVD or CD)
o schedule access to system resources and create dedicated service periods during which endpoints can be serviced, improving security against unauthorized access
o control the use of wildcards to significantly simplify system settings
o control user/group access with the aid of a well-defined, corporate-policy-driven access class differentiation system
o prohibit access to system resources for all applications except those specifically authorized to do so
o centrally log and report all system events
o easily secure the endpoint with remote or local installation (including a silent-mode option) using standard Microsoft tools
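The first, fifth and sixth factors above describe one mechanism: a default-deny launch control that refuses anything from removable media or not on an allow-list, and records every decision centrally. Here is an added example (not SafenSoft's product or ATMIA code) of that decision logic; the allow-list format, event fields, paths and image bytes are constructed assumptions.

```python
"""Launch-control model for an ATM endpoint: default-deny allow-list,
removable-media block, and a central log record per decision.
Added example; allow-list entries and events below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass

# Constructed allow-list: SHA-256 of the image -> the only path it may run from.
AUTHORIZED = {
    hashlib.sha256(b"constructed atm application image").hexdigest():
        r"C:\ATM\bin\atmapp.exe",
}
REMOVABLE_TYPES = {"usb", "cdrom", "dvd"}


@dataclass
class LaunchEvent:
    path: str
    image: bytes        # executable contents as read from disk (constructed here)
    volume_type: str    # "fixed", "usb", "cdrom" or "dvd"
    user: str


def decide(event: LaunchEvent) -> tuple:
    """Returns (verdict, reason). Anything not explicitly authorized is denied."""
    if event.volume_type.lower() in REMOVABLE_TYPES:
        return "deny", "launch from removable media"
    digest = hashlib.sha256(event.image).hexdigest()
    if digest not in AUTHORIZED:
        return "deny", "image not on allow-list"
    if AUTHORIZED[digest].lower() != event.path.lower():
        return "deny", "authorized image launched from unexpected path"
    return "allow", "authorized image"


def central_log_record(event: LaunchEvent, verdict: str, reason: str) -> str:
    """One JSON line per decision, to be shipped to the central log server."""
    return json.dumps({
        "type": "atm.launch_control",
        "user": event.user,
        "path": event.path,
        "volume": event.volume_type,
        "sha256": hashlib.sha256(event.image).hexdigest(),
        "verdict": verdict,
        "reason": reason,
    }, sort_keys=True)


def handle(event: LaunchEvent) -> str:
    """Evaluate a launch and return the log line that records the outcome."""
    verdict, reason = decide(event)
    return central_log_record(event, verdict, reason)
```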

We urge all our members to acquire the ATM Software Security Best Practices Guide and implement its best practices, as cyber space is a critical new security frontier.

Acknowledgment

ATMIA would like to thank SafenSoft Inc. and the ATM Software Security Committee for their inputs, which have made this industry fraud alert possible.

About ATMIA (www.atmia.com)

The ATM Industry Association is a global non-profit trade association with over 1,750 members in about 50 countries. Its mission is to promote ATM convenience, growth and usage worldwide; protect the ATM industry's assets, interests, good name and public trust; and provide education, best practices, political voice and networking opportunities for member organizations. In June 2003, ATMIA established the Global ATM Security Alliance (GASA) with the mission to employ global security resources in a united alliance in order to protect the ATM industry from criminal activity. For more information, contact Mike Lee at mike@atmia.com or Sharon Lane at sharon@atmia.com.

