The good news: The X-Force Red team survived Black Hat and DEF CON and is back with a new edition of the X-Force Red in Action podcast.
The bad news: A rapid uptick of automated teller machine (ATM) attacks has recently hit the headlines.
And a little more good news: David “VideoMan” Bryan, global leader of technology at X-Force Red, is here to talk about the need for improved ATM security and how his team is prepared to help.
Good Timing for ATM Testing
According to Bryan, client requests for ATM testing are up 300 percent, which makes sense given the FBI’s recent warning about global ATM cash-out attacks. While the warning itself was part of a confidential alert that was shared with banks, Bryan suggests the likely impetus was an ATM breach that gave attackers unauthorized access to database information such as clients’ personal identification numbers (PINs).
A Dual Risk
Bryan explains that most ATMs have two major points of vulnerability: an embedded device (often a cash drawer) and the Windows machine running any ATM software. In one test, he compared two seemingly identical machines: One machine was highly secured and the other was vulnerable. The difference is that the first was properly patched. In another scenario, he found that the physical locking mechanism for computer systems was faulty, allowing full access to the hardware.
ATM Security Best Practices
How can financial companies protect their ATMs? It starts with patching. Keeping machines up to date is always the first line of defense.
Next, Bryan suggests reviewing ATM systems regularly. In one testing case, he found an ATM that was well-hardened but contained a zero-day vulnerability in its management hardware.
Finally, financial institutions must test network, logical and physical defenses to improve security. Bryan points to the example of maintenance bays in ATMs often leaving hard drives exposed while cash vaults have better protection.
See X-Force Red in Action
When it comes to closing ATM loopholes, the newly announced X-Force Labs can help. IBM’s global testing facilities offer both the benefit of publicly available data — the team purchases Internet of Things (IoT) devices, tests them and releases its findings — and client-specific testing. Companies interested in leveraging X-Force expertise can request IoT, IIoT or OT testing.
To learn even more about X-Force Red’s new ATM testing practice, watch the video below:
Never miss a new episode of X-Force Red in Action! Subscribe to the SecurityIntelligence Podcast on iTunes or your favorite podcast platform.