Diebold Solutions: Corporate and ATM Security
Diebold Confidential 2009

Today's Agenda

1) Consumer Sensitive Information
2) PCI DSS
3) Attacks on assets
ATM Card Fraud

Skimming:
- Small read head designed to fit into the ATM card reader.
- Skimming readers typically contain storage capacity and a time stamp.
- Equal number of attacks on motorized and dip-style readers.
- Criminals are very sophisticated in adjusting their designs.
- A North American bank spends $1 M USD to change bezels.
- Criminals defeat the new bezels in 6 months.
- The bank saves $10 M in losses.
ATM Card Fraud

PIN Spying:
- Shoulder surfing
- Good Samaritan
- Hidden video camera
- Overhead cell phone camera
- PIN pad overlay
- RF transmission of information
- Time stamp recording

Spy camera: $150, 36-hour DVR with time stamp and SD card.
Skimmer found in St. Petersburg
Would you recognize this as a threat?
Global Solutions to Consider (Anti-Skimming)

Matrix headings: Reduce Redemption, Reduce Skimming, Detect Skimming, Deter Skimming. Each solution is marked against one heading (two where noted):

- EMV Smart Card
- Biometrics + Smart Card
- Magstripe Authentication (MagnaPrint)
- Mobile OTP or Authorization
- Enhanced PIN (Image/Sentence Knowledge)
- Contactless Card (two marks)
- Jitter on Motorized Card Readers
- CPK by TMD
- CPK+SDK by TMD (two marks)
- Fascia Video Analytics
- ASD - Optical
- Network Fraud Monitoring
- Bezel Design
- Surveillance – ATM DVR or IP NVR
- PIN Pad Shield
Logical Attacks

- Viruses or worms intended to exploit an ATM's software environment.
- Criminal hackers attempting to violate the confidentiality, integrity, or authenticity of transaction data.
- Logical attacks up 47% over 2007.
- TJX breach – 94 million accounts
- Hannaford Stores – 4.2 million accounts
- RBS WorldPay – account numbers and PINs stolen from server
- Heartland Payment Systems
For Sale
Source: Symantec Internet Security Threat Report – Trends for 2008
Operational Fraud

Internal:
- Ardent do-it-yourselfers
- Collectors
- Middlemen who steal for others
- Disgruntled employees
- Debt-ridden employees
- Blackmail victims
- Professional thieves
- Egotists
- Practical jokers
- Irresponsible employees

Operational fraud is perpetrated from within and accounts for up to 30% of ATM fraud.
Logical Attack Countermeasures

Threat headings: Hackers, viruses and worms; Unauthorized External Connection; Unauthorized Sources/Commands; Data Confidentiality; Internal or Operational Fraud. Each control is marked against the number of threat headings shown:

- Symantec Enterprise Protection: 4 of 5
- OS & software maximum security settings: 3 of 5
- Patch Managed Services: 4 of 5
- Intel Trusted Platform Module (TPM) and VeriSign Certificate Authority: 3 of 5
- Point-to-Point Encryption, SSL over IP: 3 of 5
- Remote Key Management: 3 of 5
- Secure Service Token Storage and Logon: 1 of 5
- Hard Drive Encryption: 5 of 5
- Access Control (PACS & LACS) and Password Management: 5 of 5

Reduce Losses and Mitigate Risk
PCI DSS for ATMs

Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  - Sygate Firewall version 5 & Symantec Endpoint Protection version 11
  - Diebold Professional Service can provide a Statement of Work (SOW) for Security Office, which provides a centralized firewall management server for the customer
  - Diebold Managed Services can manage and monitor the security events and security logs on the ATM (per PCI requirements)
  - Diebold can monitor the security events on your firewalls, routers, IDS, and internal servers that have PCI cardholder data, and manage the devices
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  - Customer driven: Diebold Service will leave default Windows passwords in place unless directed otherwise by the owner of the ATM, so the ATM owner must request the change for the ATM to meet this requirement
  - Diebold Professional Service can provide the financial institution with a SOW that will allow the ATMs to join an Active Directory environment
  - ValiTech
PCI DSS and ATMs

Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
  - Key requirements are:
    - 3.2.1 - Do not store the full contents of any track from the magnetic stripe
    - 3.2.3 - Do not store the personal identification number (PIN) or the encrypted PIN block
  - Two primary areas of concern:
    - Log and trace files – ensuring track data and PIN blocks are not recorded in any trace or log files
    - EDC files – information sent from the host must not have any proscribed data in it
      - Option to log captured card data to EDC
  - Diebold can provide privileged user monitoring and can monitor all access to PCI cardholder data in the environment.
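The two areas of concern above (trace/log files and EDC journal files) are checked in practice by scanning what the ATM actually writes to disk. The following is an added example, not Diebold or Agilis code: a Python scanner that flags full Track 1 and Track 2 data (Requirement 3.2.1) and clear PINs or encrypted PIN blocks (Requirement 3.2.3) in log text. The field labels (PIN=, PINBLOCK=) and the sample trace lines are constructed for the example; a Luhn check on the PAN cuts false positives from other long digit runs, and the evidence it reports is masked or redacted so the report itself does not become a new store of cardholder data.

```python
"""Scan ATM trace, log and EDC journal text for data PCI DSS forbids on disk.

Added example, not Diebold or Agilis code: detection logic for
Requirement 3.2.1 (no full magnetic-stripe track data) and 3.2.3
(no PIN or encrypted PIN block). Field labels such as PINBLOCK and
the sample trace below are constructed for this example.
"""
import re
from typing import List, NamedTuple

# Track 2: PAN (13-19 digits) '=' expiry YYMM + 3-digit service code + discretionary data.
# The lookbehind stops a timestamp or sequence number adjacent to the PAN from being absorbed.
TRACK2_RE = re.compile(r";?(?<!\d)(\d{13,19})=(\d{4})(\d{3})\d*\??")
# Track 1: '%B' PAN '^' cardholder name '^' YYMM + service code + discretionary data '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\??")
# Encrypted PIN block (ISO 9564 format 0 is 8 bytes = 16 hex digits) behind a constructed field label
PINBLOCK_RE = re.compile(r"\bPIN[_ ]?BL(?:OCK|K)\s*[=:]\s*[0-9A-Fa-f]{16}\b")
# Clear-text PIN behind a field label; 'PINBLOCK=' does not match because a letter follows 'PIN'
CLEAR_PIN_RE = re.compile(r"\bPIN\s*[=:]\s*\d{4,12}\b")


class Finding(NamedTuple):
    line_no: int
    requirement: str   # PCI DSS sub-requirement violated
    kind: str          # what was found
    evidence: str      # masked or redacted, never the sensitive value itself


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; used to cut false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line_no: int, line: str) -> List[Finding]:
    """Return every prohibited-data finding on one line of log text."""
    found: List[Finding] = []
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            found.append(Finding(line_no, "3.2.1", "track 2", mask_pan(m.group(1))))
    for m in TRACK1_RE.finditer(line):
        if luhn_ok(m.group(1)):
            found.append(Finding(line_no, "3.2.1", "track 1", mask_pan(m.group(1))))
    if CLEAR_PIN_RE.search(line):
        found.append(Finding(line_no, "3.2.3", "clear PIN", "<redacted>"))
    if PINBLOCK_RE.search(line):
        found.append(Finding(line_no, "3.2.3", "PIN block", "<redacted>"))
    return found


def scan_text(text: str) -> List[Finding]:
    """Scan a whole trace/log/EDC file, numbering lines from 1."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(n, line))
    return findings


# Constructed sample trace; the PAN is the well-known 4111... test card number.
SAMPLE_TRACE = """\
2009-03-12 10:15:01 TXN start term=ATM0042 seq=000123
2009-03-12 10:15:03 CARD read ok pan=411111******1111 exp=2512
2009-03-12 10:15:03 DEBUG raw=;4111111111111111=25121011234567890?
2009-03-12 10:15:04 DEBUG keypad PIN=1234 entered
2009-03-12 10:15:05 HOST req PINBLOCK=0123456789ABCDEF amt=20000
2009-03-12 10:15:05 TRACE t1=%B4111111111111111^DOE/JOHN^2512101123400000?
2009-03-12 10:15:09 TXN approved auth=123456
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TRACE):
        print(f"line {f.line_no}: PCI DSS {f.requirement}, {f.kind} present ({f.evidence})")
```

Run it over every trace, log and EDC file the ATM produces after a full transaction cycle in a test lab, including debug-level traces that are normally off; any finding means the application's logging configuration needs to change, since masking the data after the fact does not satisfy 3.2.1 or 3.2.3.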
PCI DSS and ATMs

Protect Cardholder Data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
  - IPsec or SSL encrypted communications
  - SSL part of ABC 4.4
  - Part of Agilis 91x 2.4; in Agilis 91x 2.3 CSD 1 and Agilis 91x 2.2 CSD 1
  - Professional Services can provide a statement of work to help the customer implement SSL directly to the host or to a Cisco network appliance
PCI DSS and ATMs

Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
  - Updating of virus identification files, firewall/IDS signatures, and security software updates available as a Diebold managed service
  - Diebold Professional Services can present a financial institution with a SOW for Security Office. Security Office allows not only for a managed firewall but also anti-virus, anti-spyware and proactive network threat protection
- Requirement 6: Develop and maintain secure systems and applications
  - Operating system patches available via DCIS service
  - CSDs for Agilis applications available via Diebold Service contacts
  - Diebold offers a managed service that will deploy the latest approved MS patches to the ATM for a monthly fee.
  - Diebold Professional Services can provide consulting for an institution to utilize their existing patch management system
PCI DSS and ATMs

Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
  - It is the financial institution's responsibility to restrict access to systems that contain cardholder data based on their business practices and need-to-know requirements.
  - Cardholder data is not stored on the ATM except:
    - Data sent from the host for the EDC journal file
    - Check images stored on the ATM for RSS Store and Forward capability. A future version of RSS will encrypt this data
PCI DSS and ATMs

Implement Strong Access Control Measures
- Requirement 8: Assign a unique ID to each person with computer access
  - Customer driven: Diebold Service will leave default Windows passwords in place unless directed otherwise by the owner of the ATM
  - Diebold Professional Service can provide the financial institution with a SOW that will allow the ATMs to join an Active Directory environment
  - ValiTech
- Requirement 9: Restrict physical access to cardholder data
  - Diebold can provide access control systems, video and DVR technologies to assist with this requirement
PCI DSS and ATMs

Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
  - The financial institution is responsible for tracking and monitoring all network access and cardholder data.
  - Diebold does provide access control and video systems to aid in the tracking of physical access to these systems.
- Requirement 11: Regularly test security systems and processes
  - The financial institution is responsible for developing test processes and procedures for performing regular tests of their security systems.

Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
  - The financial institution is responsible for developing and maintaining policies and procedures related to security for their associates and contractors.
Physical Attacks

- Ram-raid, smash and grab
- Explosive
- Torch
- Grinder
Physical Attack Countermeasures

Threat headings captured: Burglary; Ram Raid or Smash and Grab; Explosives; Cutting Torch. Each control is marked against the number of threat columns shown (the matrix has five):

- UL 291 level 1 rated safe: 2 of 5
- CEN rated safe: 3 of 5
- Anchoring system: 2 of 5
- Electronic locks with duress alarm: 1 of 5
- Ink staining: 5 of 5
- Intelligent sensors: 5 of 5
- Basic thermal & door sensor: 4 of 5
- Seismic sensors: 4 of 5
- GPS ATM and/or cassette tracking: none marked
- Universal camera mounts: 5 of 5
- Surveillance – DVR: 5 of 5
- Access Control & Monitoring: 5 of 5

Reduce Losses and Mitigate Risk
Layered Security Approach

1. Vestibule Access Reader
2. ATM Vestibule Camera
3. Transaction Camera through ATM fascia
4. External Siren with Strobe
5. Cellular Backup in Service Area
6. Security Alarm Terminal
7. Service Viewing Camera
8. Passive Infrared Detection Area
9. Hold-up Button in Service Area
10. Video Recorder in Service Area (Digital or Analog)
11. ATM Site Camera
12. Light Level Monitoring
13. Door Contact
14. Seismic Detectors (2) – Chest Door, Chest Wall
15. Heat/Thermo Detector
16. Main Door Contact
Conclusion

ATM fraud is repeatable, profitable and not likely to end. Even so, consumer confidence in ATMs remains high, and industry efforts to combat fraud, increase consumer awareness and promote ATM security help keep the self-service industry at least one step ahead of the criminals.

"Fraud is like electricity; it is shocking and follows the path of least resistance."
- Sriram Natarajan, Finextra, March 2008
Diebold ATM Security Web Site

For further information, please visit:
- http://www.diebold.com/atmsecurity/
- http://www.diebold.com/atmsecurity/security/challenge/ATMSecurityChallenge.html

Thank You!