Dec 5, 2018
In this podcast, Scott Harroff and Dave Phister spend some time looking back on some security related topics that transpired throughout 2018. Also, they touch on a few things that you might want to think about as you're heading into 2019; how to best protect you from organized criminals attacking your ATM fleets and more so your gas pumps.
Scott Harroff: 00:00
Hello again, I'm Scott Harroff, Chief Information Security Architect for Diebold Nixdorf. I'm your host for this episode of COMMERCE NOW. Today I'm joined by Dave Phister, Director of Security Solutions for Diebold Nixdorf. I'd like to spend a little bit of time here today, walking through some of the things towards the end of the year that we thought you might find to be interesting. And a few things that you might want to think about as you're heading into your new year. Dave, what surprised you in 2018?
Dave Phister: 00:30
Well, I think the first thing that surprised me, Scott, is the emergence of you as the Diebold Nixdorf podcast hosts superstar. You splash on the scene here from an industry standpoint, and really take charge of the security topic, and help us talk through this very important topic for our industry. So that's first and foremost.
Second, realistically, nothing's really surprised, you or I, I don't think. We spend all our days focused on security anticipating forecasting. A couple of things do stand out certainly, as I think back through the year. We rang in the new year with a bang, certainly coming out of 2017, with the emergence of, of jackpotting and malware in the Americas. Certainly, not a new scenario to deal with, but in the Americas it was quite a surprise.
So certainly, the beginning of the year was focused on malware and specific to malware. Just a point to remind our listeners it really has exploded onto the scene as we've indicated in previous podcasts, the number of ATM malware variants is expanding almost on a daily basis.
As I indicated on our last podcast, this ATM malware, it's available for sale on the dark web. It's in the aisle right next to the stolen credit card information. So it's sold as a technology just like we're trying to sell technology to defend against it. So certainly, I think that's a key takeaway from this year, is really the explosion of ATM malware in this space.
Then secondly, Scott, I was pleased, very pleased to see a lot of collaboration this year between public and private industry. I know you have engagements with Secret Service, FBI and local law enforcement. But there were several communications that came out through the industry, the FBI warning. In August there was another warning and October, the fast cash hidden Cobra. I think you remember. I think it's a great example of what's happening not only in our industry, but other industries from an information security standpoint.
I think that type of collaboration, that type of awareness, that type of sharing a needs to continue because it's only going to help you and I. It's only going to help our customers, whether it's the banking of the retail space. So just a couple of things that I've taken away certainly from this year. What about you, Scott? Where do you see our industry struggling, let's say at this stage of 2018?
Scott Harroff: 03:16
Well, first I want to thank you for acknowledging me as the king of podcasts in 2018, Dave, I appreciate that very much.
Dave Phister: 03:24
It's my pleasure.
Scott Harroff: 03:24
I have to then therefore knowledge you as the best co-host of these podcasts, and the second most popular person in the world. Thanks to all the other folks that have joined us on the back podcasts. They've really made this more than just a speaking conversation, but have made it very interesting and very dynamic. So thank you very much for that.
Relative to 2018, I wasn't really surprised that the organized criminals kept becoming more and more sophisticated. I think our industry, Dave, is struggling around how to share information. If we look at some very large financial institutions, I won't even pull names out of the air, but individual, large financial institution A knows a lot about the fraud that they see in their environments. Large financial institution B knows about theirs, but they really haven't shared anything with A. So even though they could've quote/unquote help each other, that really wasn't in place.
What you referred to with private and federal coming together, is really, I think very enlightening and very well received. I've talked to handfuls of financial institutions about this new alliance. By the way, for those that don't know what Dave and I are referring to, we're talking about, the National Cyber Forensics and Training Alliance. That is kind of a amalgamation between FBI and Secret Service and really almost any large financial institution, medium or small financial institution, that can give them data about what they're seeing, so they can do two things.
One, respond more quickly to what's happening. The sooner they know about a bad guy being in a certain area, the quicker they can react to the bad guy. And, hopefully either capture them, or at least reduce the losses that could be going on out there.
Another thing that I think that we're struggling with is really understanding the dynamics of the fraud. For example, everybody who has an ATM is all focused in on ATM skimming and ATM security issues. They're thinking, Oh, I've got to do all these things at my ATM to keep from being skimmed," quote/ unquote. But one of the things that we've learned, working through the International Association of Financial Crime Investigators as well as the NCFTA, is that guess what, gas pumps have taken the lead over ATMs.
Now our average loss on an ATM is somewhere in the neighborhood of $60,000 per skimming event. But if you manage to get a skimmer onto a gas pump and you're effective, you can get $100,000 to $200,000. In watching the videos and these attacks on gas pumps, it's even quicker and easier to install a skimmer on a gas pump. So yep, skimming on ATMs is still an issue, but it's migrating over to the gas pump channel, because it is twice as profitable for the bad guys, and apparently less likely to get caught.
So I think that's one of the things is, our industry is looking at itself, and it's not looking into the other channels, like gas pump and point of sale, gift cards, and things of that nature. I think if you're a fraud investigator for your financial institution, I think adding in those other things would be a really important thing to look into.
I talked a little bit about where we saw some success, local law enforcement and federal law enforcement cooperating The new exchanges coming out to share information. Some new techniques are coming out. Where have you seen success, Dave?
Dave Phister: 07:02 Y
eah, that's a good question. I believe that, as you know, crisis creates opportunity. Unfortunately, many times it takes crisis to increase awareness, get the visibility, and the recognition that's necessary. So certainly we've seen the jackpotting and the malware attacks that were very familiar with here in the last several months, create an awareness with our customers. That security is certainly very important.
We talked about during the ZEro Trust webinar that endpoint security is certainly important. The cash is sitting there off the end of the network, but some of those FBI, the fast cash hidden Cobra attack situation was really an attack at the payment application switch ... Or, actually, that's a masquerading or spoofing attack. That is an indication of the fact that security applies not just to the end point, but it has to apply all the way back to the host.
Every touchpoint is potentially vulnerable. I think that customer's users are understanding this now. Unfortunately, we're way behind in the industry from a technology standpoint, because we haven't maintained the technology. But certainly we do see many customers migrating to Windows 10 already, which is a good thing. With this Windows 10 migration, we're seeing technology refreshes being a much larger part of the investment strategy for many of the customers.
So I think as they look to migrate to Windows 10, to maintain current operating systems, maintain PCI compliance, they're looking to update much of their hardware. And certainly, hardware and software technology refresh are keys to enabling security controls that would defend against some of the attacks that we're seeing in the marketplace with newer technology. So just an example there.
I think, Scott, one thing that I would ask you is your opinion on the number one thing that banks should do to lock down their security in 2019? What would you say to our listeners, the number one thing should be?
Scott Harroff: 09:41
We've been talking all year long about, there is no one silver bullet that you should have in your gun that you're going to pull out at the right time and stop the attack. It's all about layers. It's all about physical security. It's all about software updates, firmware updates, XFS updates, white listing, hard drive encryption, encryption of data in motion. There's all those different things that we've been talking about. But, if you said, "Scott, what's the one thing, if you only get to pick one thing out of the list?" I would say, "Get an incident response plan together."
Imagine that you've got your security controls in place, yet something goes wrong. Somehow a whole bunch of data got skimmed. Maybe it came off a gas pump, or maybe not an ATM, but all of a sudden you start getting all these fraudulent transactions coming back into your system. What are you going to do? Who are you going to call? What buttons are you going to push? What are you going to do to stop that incident now that you see it coming?
I think one of the reasons, Dave, I go there, is that there's attacks called, unlimited ATM cash out attacks. The FBI put out alerts earlier this year. It's really not about attacking an ATM in any way, shape, or form. It's really about the fact that some other system somewhere else was compromised. It could be like you were referring to, the host itself was compromised. Or the ATM transaction process was compromised. Or something somewhere in the middle was compromised.
But suddenly when dozens or hundreds or thousands of transactions all start flowing into your systems, can you see that huge spike and network activity coming into your core or your atm transaction processor? You might have a fantastic fraud system. You might have controls on the core. But just something as simple as you normally have this amount of network traffic coming in for approvals, and suddenly it doubles, triples, 10x increases. You ought to be able to see that, and you ought to be able to wrap very quickly.
For your response plan, what are you going to do? Are you going to immediately disable that account that's now handing out hundreds of thousands or millions of dollars? What happens if suddenly you start getting these transactions coming in from international locations? How many of our banks and credit unions suddenly have thousands of transactions coming in from outside of the United States against one, or a handful of accounts?
Think through all the different things that could go wrong, and start planning for who are you going to call? What are you going to do? So that if you happen to be unfortunate enough to be caught in one of these new attacks, you can react fast and limit damages. I think that would be my number one thing is, plan for incidents and make sure you know what to do so everybody's not in a panic when it actually starts to happen. That's Kinda what I would do. Looking ahead next year, Dave, what? What would you expect that we need to be looking out for?
Dave Phister: 13:00
Certainly, I echo some of the things that you just mentioned. We need to be vigilant. We need to certainly ensure that security is top of mind. We very much would like to see customers in this industry and the other industries consider security as a vital part of their brand. I think if you do make that commitment, then certainly you have the C Suite visibility. Then the investment security investment strategies should flow from there. You can put yourself on a path to migrate your fleet to the protection levels that are necessary.
With regard to emphasizing any given security control, you're right, layers are certainly important. We talked about that in the Zero Trust webinar. We have to assume that the top hat will be accessed in an unauthorized manner. If we encrypt information, then we devalue the data, so I'd simply like to emphasize that once more. We talked about it, encrypt, encrypt, encrypt. Whether it's encrypting the hard drive. Whether it's encrypting the internal USB communications to prevent unauthorized access.
Whether it's encrypting card reader data from the read head. I think it's very, very important. In addition to encrypting all the way back to the host so that to prevent the man in the middle of the attack. Or a message manipulation all the way back to the transaction processor. So I think looking forward, I do believe that we will see an emphasis on encryption. I think that we will see an emphasis on technology refresh, as we moved through Windows 10, as we move through some of the PCI milestones.
Scott, there's a significant movement right now to migrate remote key loading to SHA-256 Hash Algorithm, that requires significant investment, significant partnership. Then along those lines, what I'd like to see moving forward is certainly an emphasis on dispenser security and end dispenser security. Having said that, that's my thoughts, as we look forward. What do you expect from the year ahead, Scott?
Scott Harroff: 15:32
I'm with you, Dave. I think the word for 2019, is encryption. Whether it's encrypting the hard drive to make sure no one can add unapproved software to it by simply unplugging it. Hooking it up to a laptop, and changing it. Whether it's making sure that they can't just tap into the reed head of a card reader, and do what's called an eavesdropping attack. I think that was probably one of the biggest wake up calls to anybody that had a card reader that didn't use encrypted read heads.
These eavesdropping skimmers that you just cut a little hole through the front of the ATM. You add the skimmer inside the card reader, and you put a sticker over it, really caught a lot of people by surprise. People that thought, "Well, I have a card protection plate in there. I'm good to go. Or I have some kind of jamming. I'm good to go. Or I have some other technology to look for devices around the front of the ATM. I'm good to go."
Now, suddenly, all this data is coming right off of the read head, or right off the circuit board, and you're kind of a deer in the headlights. Relative to now what do I do next? Of course, anybody who has Active Edge doesn't have to worry about that But, encryption of data, whether it's in motion or at rest, is of very, very old concept in the IT security space. We all worried about data in motion at rest, but it's just now becoming that important in the US market space, so I absolutely agree with you there.
But what all I look forward to? I look forward to folks taking their Windows 10 migration and their terminal software migration, as a point to really sit back, to really evaluate what they did for the last five years. And really use this as an opportunity to say, "Well, maybe I didn't change my [inaudible 00:17:22] password. Maybe I didn't change my Windows password. Maybe my security wasn't as good as it should have been." Really use this as a point in time to say, "Hey, I'm going to be making an investment here in one way, shape, or form, or another in the next one, two or three years just because of the what's going on in the industry."
Let's do it better this time. Let's make sure we have more of our security boxes ticked off. I think that's really an important that I see coming down the road. Again. I also really, really hope that the private and public sector and law enforcement spend a lot more time collaborating with each other and identifying and removing these bad guys. I think that would be huge. The fact that we got, law enforcement, the federal, and local level working together.
Once we saw how things were unfolding in the summer of 2017, with jackpotting, it spiked if you will, in the winter of 2017. Everybody got engaged, started sharing techniques, started working together, sharing information. And sure enough, in the spring of 2018 FBI, local law enforcement, Secret Service all got together and just basically shut down the jackpotting ring that was operating. Knock on wood, we haven't seen them since.
So, again, folks between now and the time these bad guys come back, use it as your point in time to do some planning, and to proactively update the fleet. So that when this does come back, and I have to say when it will come back, make sure you're more ready or at least you're in a position where you've got your response planning, know what's going to happen. I think that, Dave, is the way I'd wrap it up. Is there anything else you'd like to add, sir?
Dave Phister: 19:01
No, I think the only thing I would say is certainly thanks to you. And echo your thanks earlier to all the other folks that engaged in these security conversations in the past year. A special thanks to the folks at Forrester and Merritt Maxim for the Zero Trust webinar. I think that was very well received. And wish everyone a happy holiday and happy new year and certainly, to you as well, Scott. Thanks for having me.
Scott Harroff: 19:29
Thank you very much, Dave. I'd like to send a special call out to John Campbell over First Data Star for doing a fantastic webinar with us at Tag Picks. As well as First Data putting on their own security webinars and inviting us to work with them. I very much appreciated that opportunity as well. Dave, thank you for all that you've done as a product manager for security, to give your input and your insight to our customers.
Thanks for all the other people that have helped make this podcasts successful, from the marketing teams and everywhere else. With that, this is Scott Harroff, Chief Information Security Architect, Diebold Nixdorf signing off for the year. Please do go back to the COMMERCE NOW podcast. Listen to them all. If you have any questions, please feel free to reach out to your client account executives, or service managers, and I wish you all happy holidays.