Aug 17, 2018
No other crime is more romanticized by pop culture than the bank robbery, and no type of criminal more than the thief. Think Bonnie and Clyde, John Dillinger, the Sundance Kid and Butch Cassidy. What comes to mind? Tunneling under the bank, cracking safes, elaborate escapes, and adrenaline-filled action. However you feel about them, one thing is certain: those types of heists, no matter how notorious and exciting, are slipping into antiquity.
We’ll probably never have another fated criminal couple like Bonnie and Clyde, or another escape artist and thief like John Dillinger, for the simple fact that their methods are outdated. Today’s criminal is more apt to attack from their home computer than at the teller window. They crack codes, not safes, and the only mining they’re doing involves data. In this episode, Scott Harroff and Dave Phister talk about cyber security, cyber criminals, and how industries can protect their data, their software, and overall – their cash.
COMMERCE NOW website: www.commercenow.libsyn.com
No other crime is more romanticized by pop culture than the bank robbery, and no type of criminal, more than the thief. Think Bonnie and Clyde, John Dillinger, the Sundance Kid, and Butch Cassidy. What comes to mind? Tunneling under the bank, cracking safes, elaborate escapes, and adrenaline filled action. However you feel about them, one thing is certain: those types of heists, no matter how notorious and exciting, are slipping into antiquity. We'll probably never have another fated criminal couple like Bonnie and Clyde, or another escape artist and thief like John Dillinger, for the simple fact that their methods are outdated. Today's criminal is more apt to attack from their home computer than at the teller window. They crack codes, not safes, and the only mining they're doing involves data.
In this episode Scott Harroff and Dave Phister talk about cyber security, cyber criminals, and how industries can protect their data, their software, and overall, their cash. I'm Amy Lombardo, and this is COMMERCE NOW.
Hello again. This is Scott Harroff, your host for this episode of Commerce Now. The last time I was on this podcast I spoke with Bernd Redecker on what jackpotting could teach us. You'll find that episode on www.commercenow.libsyn.com, iTunes, or however else you listen to your podcasts. Today, I'm joined by Dave Phister, Director and Product Manager responsible for security at Diebold Nixdorf. Today we're going to talk about cyber security and touch on exactly what cyber security is from our perspective and how criminals are turning to digital means to acquire things like money and data.
Hello, Dave, and welcome. Thanks for joining today.
It's a pleasure, Scott. Thanks for having me. I'm honored to be here, since you're becoming a bit of a podcast regular.
Well, thank you very much. I never knew being a podcast star was in my history, but I'm happy to roll with it. As I said, today our focus is on cyber security, and when you and I hear this term, we have a pretty good understanding of what it means between you and me, but a lot of times people think that it's all about foreign hackers stealing secrets. Can you give a little bit of color around our definition of cyber security?
Yeah, I sure can. It's a great question, Scott, and a great point. I think, simply stated, cyber is anything related to computers or computer networks. That could, of course, include the internet, so then cyber security would be the measures taken to protect the computer or computer system against unauthorized access or attack. In our industry, that's typically been referred to as logical attacks, but they're really just attacks on the digital components of the ATM. As you know, the ATM contains a computer, a hard drive, uses a Windows operating system, has USB ports. It's, amongst other things, a computer client hanging off of a network, much like a desktop computer at work. It just happens to be controlling a safe full of cash.
Strictly from a computing standpoint, the security controls required to defend the computing aspect are really no different than any other network, whether it's a national security system protecting those secrets, or an essential server in a Fortune 500 retail data center. The tools, tactics, techniques, and procedures to compromise, or hack, the components are the same everywhere we look. So in addition to a firewall, it needs other cyber security like encrypted hard drives, digital signatures, access controls, proper patch management.
I think this is where the industry has let down their defenses a bit. OEMs and financial institutions haven't taken enough care to maintain current technology and protect the software and computing assets of the ATM. In addition to protecting the cash, as you mentioned, data must be equally protected, specifically the computing components that process that data, else compromise is a matter of when, not if. I think one perception is that cyber security defends against a hack originating from cyber space, which would mean something remote. Though ATM networks are not connected to the internet, they still connect to a bank network somewhere, and I would remind our listeners that as recently as 2016, we witnessed an ATM attack. It was launched solely from a remote network; in this case the voice recording network was breached in Europe, the hackers navigated their way to the ATM segment, pushed malware down to the ATMs, and the mules were waiting for cash to dispense. Anything is possible as commerce, payments, and channels connect, Scott, more and more every day.
Great. Now that our listeners understand what cyber security is when we use that word, what sort of cyber security threats do our customers face, and what do you think the biggest risks are?
As you discussed, Scott, with our colleague Bernd Redecker in the previous podcast, the jackpotting attacks we've seen recently in the Americas can all be categorized as cyber attacks. The January jackpot attack, where they removed the hard disk, loaded malware, and replaced it, was possible because the customer didn't employ hard disk encryption. It's a fundamental cyber control. An earlier attack took advantage of a weakness in a very old USB security protocol and would not have been possible had the customer deployed the latest AES USB security encryption.
Then, as I mentioned, the 2016 attack in the AP region was clearly executed remotely. There was no behavioral monitoring software installed, like a McAfee or Symantec or Bit 9, Binamic. So finally, one point here, Scott: financial institutions are continuing to see cyber attacks in the internet and the mobile arena as well. The mobile device is now a connected component to the ATM, and now we're seeing financial institutions have cyber attacks against the mobile wallets and the internet banking services. Though the fraud redemption is occurring at the ATM, there's nothing the ATM can do to prevent it. It looks like a valid mobile EMV NFC connection, but the transaction is actually fraudulent.
What are the risks? Systems mostly in unattended operating environments. Systems that don't improve their top hat security with better locks, intrusion sensors. Anything with outdated hardware and software, old unpatched operating systems are the biggest risks. The example I like to give is there are so many ATMs out there running Windows XP. That's a very old, outdated operating system. Systems with no signed or encrypted software, or hard disk encryption, or just encryption in general. Anything that lacks access control and authentication enabled to protect the internal computing system. Lastly, as Bernd mentioned in the previous conversation you had with him, Scott, behavioral monitoring software. If it's not on systems today, systems certainly can be at risk. I think, Scott, you'd agree that a branch lobby system that's mostly attended may not need the same protections as a lesser attended system at a convenience store, but on average we're simply not making it hard enough on the criminals, regardless.
Yeah, I completely agree with you on the thought of a lobby ATM being different than an ATM in a remote location, and since financial institutions don't have unlimited funds, the idea of "I have to do all my security the same everywhere on every ATM" is probably not the right approach. There are probably ways to do a better job of allocating resources. You've talked a lot about ATMs and ATM security, but at the same time, I look at it more as an ecosystem where the ATM is interacting with other things, especially as we move into the world of ATMs connecting into not only the ATM transaction processing system, but now they're connecting into cores and they're connecting into web servers and interacting with databases on a customer's network. Just as recently as last week I saw an alert coming out from the FBI where they're talking about cyber attacks against financial institutions where the hackers are not really attacking the ATM in any way, shape or form. They're going in, they're attacking the core system, they're changing account balances, they're changing daily withdrawal limits, and they're just using the ATM as a mechanism to get the cash out.
That's a cyber attack against something completely different that impacts the ATM, so I'm kind of wondering about your thoughts on how do you protect the end to end channel?
Yeah. It's a great question. Certainly, as you indicated, there are many end points, or there are many attack points in the chain of the transaction sequence. You really have to identify the critical components, categorize those assets, and identify the risks, and then deploy the appropriate controls. Ideally, end to end security would protect the connection from the host all the way down to the ATM, but as you know, Scott, end to end security is certainly complex in itself. It requires additional support and resources from not only the ATM but from the host itself in the way of key management. I think ideally, in that world, we'll get to one day, but right now I think we have to focus on setting controls on the operating system, setting controls on the system software, setting application security software, setting the firewalls, and doing all the fundamental components at the ATM to protect the endpoint as we then focus on how the network now begins to converge into this world of connected commerce introducing mobile devices and other components in the ecosystem.
Completely agree with you, Dave. I think one of the other things that a lot of customers should look at is not only their protective controls, and not only their detective controls, but what do I do when something does happen? What's my incident response plan? I've talked to a lot of customers in the last couple weeks where they're relying on something to protect them, but when they notice something bad going on, and I say, "Well, what's your incident response plan? How are you going to turn that account off? Who's going to do it at two in the morning? How quickly can you turn it off?"
All of a sudden I'm getting customers that are saying, "Wow, I really haven't thought about how we're going to handle everything after the event starts." I think having an incident response plan is also a really important part of this. Now that we know what the threats are facing our customers, let's touch on how FIs can combat those risks overall. Can you expand a little bit on this and talk about how FIs should be protecting themselves against physical, cyber, and fraud threats this year and next?
Yeah, absolutely. I think certainly the comments you just offered with regard to having an incident response plan in place is certainly critical, by every stretch of the imagination. FIs certainly need to be focusing on that in the ATM space. At its highest level, I think it starts in the boardroom, Scott. Security is a foundational part of the customer's user experience, and the trust in the brand, so an investment strategy must include security [inaudible 00:10:59] component. On average, that hasn't necessarily been the strategy. Don't get me wrong. We have plenty of customers, as you know, that do have progressive security investment strategies, but they're the minority by far, so it has to become a recurring percentage of revenue operation.
Second, technology refresh must become a normal recurring commitment. It changes too rapidly. We have to do a better job of deploying the latest software and hardware, because it's this software and hardware that enables the latest security features with the latest technology. The hackers, as you know, are definitely taking advantage of the latest technology, so we have to put ourselves in a position to defend against that pace. I think we need to recognize that from a funding and a budget perspective, criminals do have access to the funds, so we can no longer make that argument. We have to provide the funds and we have to maintain configurations in a current fashion.
Third, customers need to embrace a zero trust model and deploy layers of security. Prevent physical access to the top hat with proper intrusion prevention. That's layer one. Then deploy access controls to reduce privileges and force authentication. Layer two. Then encrypt communications and data that's flowing within the system. Then finally, as Bernd suggested, start deploying behavioral based security software that could detect abnormal behavior and respond appropriately in the event that one of those three earlier layers was circumvented and malware may be running on the machine.
I think in the end, these three components are how we can get the customers to improve their protections in the future, Scott.
Yeah. I agree completely. That's a lot of great information on how the financial institutions can protect themselves from attack. To wrap up our conversation Dave, let's talk about what's next. What developments have you excited on the security front?
I believe there is an emphasis now on analytics in the industry. I think it's a long time coming. I think financial institutions can harness this ATM data sensing and respond to not only operational aspects of the ATM, but security risks as well. I think this, working in combination with an ATM behavioral monitoring capability as an example, could certainly transform security at the ATM.
There's a movement on the mobile security front. We talk a lot about mobile interaction with the ATM. This is the next big user interface and the component to the ATM, certainly PCI has posted guidance, and deployments using mobile devices are happening today. We're seeing a lot of that usage increase, so we certainly need to focus on security around mobile devices. Then, the standards bodies are doing work as well, which I think is important. PCI is pressing for stronger cryptography to be used, like TLS instead of SSL, AES instead of Triple DES. I think maintaining current cryptography certainly will help defend the systems of the future, certainly when we consider that the attackers have access to the technology that could be used against it.
Biometrics is slowly making its way into the conversation. I think we expect more in that space in the future, especially as it pertains to data privacy controls, so again, a lot of areas where I'm excited with regard to the industry, and then areas where security is a vital component in the industry as well.
Yeah, I agree, and I look forward to a time when the security controls and mechanisms are widely supported across all the platforms. Some of the networks that we work with are outstanding at security, and they have TLS implemented, and they have great fraud systems, and some of the others aren't quite there yet. I look forward to having a nice common platform where everybody's really on the same playing field and everybody's working together against fraud versus maybe institutions one, two, and three are doing their own thing, institutions four, five and six are doing something different. That's one of the things I look forward to seeing.
Is there anything else that our listeners should take away with today, regarding our conversation?
Yeah, a couple of final thoughts, Scott. First and foremost is communicate and share. We're in a global fight against crime, whether it's communication with PCI, EAST, ATMIA, the Secret Service or the FBI; certainly we can talk about the latest FBI alert that we've seen in the news here in the last week or so. I think that's just another indication of sharing from the government side to the private side. This information, if shared, can be used in the global fight against fraud.
Then, secondly, I'm a big fan of the National Institute of Standards and Technology. Many believe work like the NIST risk management framework applies only to federal systems, but that's not true. This work translates into the critical infrastructure in the banking industry, and their cyber security framework is the policy framework of computer security guidance for how the private sector can assess and improve their abilities to prevent, detect and respond to cyber attacks.
Again, there's a lot of great work being done that can be embraced in private industry by financial institutions. Then, I also encourage our listeners to visit the EAST security page and take a look at the cyber attack mitigation link. Very insightful information and guidance on cyber security beyond just the firewalls.
Again, thank you Dave for being here today, and to our listeners for tuning in to this episode of COMMERCE NOW. To learn more about cyber security and how financial institutions can protect themselves against these types of attacks on digital systems, log into DieboldNixdorf.com.
Until next time, keep checking back on iTunes or your podcast listening channel, for new topics on COMMERCE NOW.