Aug 17, 2018
Podcast Summary:
No other crime is more romanticized by pop culture than the bank robbery, and no type of criminal more than the thief. Think Bonnie and Clyde, John Dillinger, the Sundance Kid and Butch Cassidy. What comes to mind? Tunneling under the bank, cracking safes, elaborate escapes, and adrenaline-filled action. However you feel about them, one thing is certain: those types of heists, no matter how notorious and exciting, are slipping into antiquity.
We’ll probably never have another fated criminal couple like Bonnie and Clyde, or another escape artist and thief like John Dillinger, for the simple fact that their methods are outdated. Today’s criminal is more apt to attack from their home computer than at the teller window. They crack codes, not safes, and the only mining they’re doing involves data. In this episode, Scott Harroff and Dave Phister talk about cyber security, cyber criminals, and how industries can protect their data, their software, and overall – their cash.
Resources:
Blog: https://blog.dieboldnixdorf.com/our-commitment-to-you-as-your-security-partner/
DN website: www.dieboldnixdorf.com
COMMERCE NOW website: www.commercenow.libsyn.com
Transcription:
Amy Lombardo: 00:00
No other crime is more romanticized by pop culture than the bank
robbery, and no type of criminal, more than the thief. Think Bonnie
and Clyde, John Dillinger, the Sundance Kid, and Butch Cassidy.
What comes to mind? Tunneling under the bank, cracking safes,
elaborate escapes, and adrenaline filled action. However you feel
about them, one thing is certain: those types of heists, no matter
how notorious and exciting, are slipping into antiquity. We'll
probably never have another fated criminal couple like Bonnie and
Clyde, or another escape artist and thief like John Dillinger, for
the simple fact that their methods are outdated. Today's criminal
is more apt to attack from their home computer than at the teller
window. They crack codes, not safes, and the only mining they're
doing involves data.
In this episode Scott Harroff and Dave Phister talk about cyber
security, cyber criminals, and how industries can protect their
data, their software, and overall, their cash. I'm Amy Lombardo,
and this is COMMERCE NOW.
Scott Harroff: 01:19
Hello again. This is Scott Harroff, your host for this episode of
Commerce Now. The last time I was on this podcast I spoke with
Bernd Redecker on what jackpotting could teach us. You'll find that
episode on www.commercenow.libsyn.com iTunes or however else you
listen to your podcasts. Today, I'm joined by Dave Phister,
Director and product manager responsible for security at Diebold
Nixdorf. Today we're going to talk about cyber security and touch
on exactly what cyber security is from our perspective and how
criminals are turning to digital means to acquire things like money
and data.
Hello, Dave, and welcome. Thanks for joining today.
Dave Phister: 01:56
It's a pleasure, Scott. Thanks for having me. I've been honored
here since you're becoming a bit of a podcast regular, for you.
Scott Harroff: 02:04
Well, thank you very much. I never knew being a podcast star was in
my history, but I'm happy to roll with it. As I said, today our
focus is on cyber security, and when you and I hear this term, we
have a pretty good understanding of what it means between you and
I, but a lot of times people think that it's all about foreign
hackers stealing secrets. Can you give a little bit of color around
our definition of cyber security?
Dave Phister: 02:29
Yeah, I sure can. It's a great question, Scott, and a great point.
I think simply stated, cyber is anything related to computers or
computer networks. That could, of course, include the internet, so
then cyber security would be the measures taken to protect the
computer or computer system against unauthorized access or attack.
In our industry, that's typically been referred to as logical
attacks, but they're really just attacks on the digital components
of the ATM. As you know, the ATM contains a computer, a hard drive,
uses a Windows operating system, has USB ports. It's, amongst
other things, a computer client hanging off of a network, much like
a desktop computer at work. It just happens to be controlling a
safe full of cash.
Strictly from a computing standpoint, the security controls
required to defend the computing aspect are really no different
than any other network, whether it's a national security system
protecting those secrets, or an essential server in a Fortune 500
retail data center. The tools, tactics, techniques, and procedures
to compromise, or hack, the components, are the same everywhere we
look. So in addition to a firewall, it needs other cyber security
like encrypted hard drives, digital signatures, access controls,
proper patch management.
I think this is where the industry has let down their defenses a
bit. OEMs and financial institutions haven't taken enough care to
maintain current technology and protect the software and computing
assets of the ATM. In addition to protecting the cash, as you
mentioned, data must be equally protected, specifically the
computing components that process that data, else compromise is a
matter of when, not if. I think one perception is that cyber
security defends against a hack originating from cyber space, which
would mean something remote. Though ATM networks are not connected
to the internet, they still connect to a bank network somewhere,
and I would remind our listeners that as recently as 2016, we
witnessed an ATM attack. It was launched solely from a remote
network, in this case the voice recording network was breached in
Europe, the hackers navigated their way to the ATM segment, pushed
malware down to the ATMs, and the mules were waiting for cash to
dispense. Anything is possible as commerce, payments, and channels
connect, Scott. More and more every day.
Scott Harroff: 04:40
Great. Now that our listeners understand what cyber security is
when we use that word, what sort of cyber security threats do our
customers face, and what do you think the biggest risks are?
Dave Phister: 04:50
As you discussed, Scott, with our colleague Bernd Redecker in the
previous podcast, the jackpotting attacks we've seen recently in
the Americas, they can all be categorized as cyber attacks. The
January jackpot attack where they removed the hard disk, loaded
malware, and replaced it was possible because the customer didn't
employ hard disk encryption. It's a fundamental cyber control.
An earlier attack took advantage of a weakness in a very old USB
security protocol and would not have been possible had the
customer deployed the latest AES USB security encryption.
Then, as I mentioned, the 2016 attack in the AP region was clearly executed
remotely. There was no behavioral monitoring software installed,
like a McAfee or Symantec or Bit9, Binamic, so finally, one point
here, Scott, financial institutions are continuing to see cyber
attacks in the internet and the mobile arena as well. The mobile
device is now a connected component to the ATM and now we're seeing
financial institutions have cyber attacks against the mobile
wallets in the internet banking services. Though the fraud
redemption is occurring at the ATM, there's nothing the ATM can do
to prevent it. It looks like a valid mobile EMV NFC connection, but
the transaction is actually fraudulent.
What are the risks? Systems mostly in unattended operating
environments. Systems that don't improve their top hat security
with better locks, intrusion sensors. Anything with outdated
hardware and software, old unpatched operating systems are the
biggest risks. The example I like to give is there are so many ATMs
out there running Windows XP. That's a very old, outdated operating
system. Systems with no signed or encrypted software, or hard disk
encryption, or just encryption in general. Anything that lacks
access control and authentication enabled to protect the internal
computing system. Lastly, as Bernd mentioned in the previous
conversation you had with him, Scott, behavioral monitoring
software. If it's not on systems today, systems certainly can be at
risk. I think, Scott, you'd agree that a branch lobby system that's
mostly attended may not need the same protections as a lesser
attended system at convenience store, but on average we're simply
not making it hard enough on the criminals, regardless.
Scott Harroff: 06:59
Yeah, I completely agree with you on the thought of a lobby ATM
being different than an ATM on a remote location, and since
financial institutions don't have unlimited funds, the idea of I
have to do all my security the same everywhere on every ATM is
probably not the right approach. There's probably ways to do a
better job of allocating resources. You've talked a lot about ATMs
and ATM security, but at the same time, I look at it more of an
ecosystem where the ATM is interacting with other things,
especially as we move into the world of ATMs connecting into not
only the ATM transaction processing system, but now they're
connecting into cores and they're connecting into web servers and
interacting with databases on a customer's network, and just as
recently as last week I saw an alert coming out from the FBI where
they're talking about now there's cyber attacks against financial
institutions where the hackers are not really attacking the ATM in
any way, shape or form. They're going in, they're attacking the
core system, they're changing account balances, they're changing
daily withdrawal limits, and they're just using the ATM as a
mechanism to get the cash out.
That's a cyber attack against something completely different that
impacts the ATM, so I'm kind of wondering about your thoughts on
how do you protect the end to end channel?
Dave Phister: 08:18
Yeah. It's a great question. Certainly, as you indicated, there are
many end points, or there are many attack points in the chain of
the transaction sequence. You really have to identify the critical
components, categorize those assets, and identify the risks, and
then deploy the appropriate controls. Ideally, end to end security
would protect the connection from the host all the way down to the
ATM, as you know Scott, end to end security is certainly complex in
itself. It requires additional support and resources from not only the
ATM but from the host itself in the way of key management. I think
ideally, in that world, we'll get to one day, but right now I think
we have to focus on setting controls on the operating system,
setting controls on the system software, setting application
security software, setting the firewalls, and doing all the
fundamental components at the ATM to protect the endpoint as we
then focus on how the network now begins to converge into this
world of connected commerce introducing mobile devices and other
components in the ecosystem.
Scott Harroff: 09:32
Completely agree with you, Dave. I think one of the other things
that a lot of customers should look at, is not only their
protective controls, and not only their detective controls, but
what do I do when something does happen? What's my incident response
plan? I've talked to a lot of customers in the last couple weeks
where they're relying on something to protect them, but when they
notice something bad going on, and I say, "Well, what's your
incident response plan? How are you going to turn that account off?
Who's going to do it at two in the morning? How quickly can you
turn it off?"
All of a sudden I'm getting customers that are saying, "Wow, I
really haven't thought about how we're going to handle everything
after the event starts." I think having an incident response plan is
also a really important part of this. Now that we know what the
threats are facing our customers, let's touch on how FIs can combat
those risks over all. Can you expand a little bit on this and talk
about how FIs should be protecting themselves against physical, cyber,
and fraud threats this year and next?
Dave Phister: 10:29
Yeah, absolutely. I think certainly the comments you just offered
with regard to having an incident response plan in place is
certainly critical, by every stretch of the imagination. FIs
certainly need to be focusing on that in the ATM space. At its
highest level, I think it starts in the boardroom, Scott. Security
is a foundational part of the customer's user experience, and the
trust in the brand, so an investment strategy must include security
[inaudible 00:10:59] component. On average, that hasn't necessarily
been the strategy. Don't get me wrong. We have plenty of customers,
as you know, that do have progressive security investment
strategies, but they're the minority by far, so it has to become a
recurring percentage of revenue operation.
Second, technology refresh, it must become a normal recurring
commitment. It changes too rapidly. We have to do a better job of
deploying the latest software and hardware, because it's this
software and hardware that enables the latest security features
with the latest technology that the hackers, as you know, are
definitely taking advantage of the latest technology, so we have to
put ourselves in a position to defend against that pace. I think we
need to recognize that from a funding and a budget perspective,
criminals do have access to the funds, so we can no longer make
that argument. We have to provide the funds and we have to maintain
configurations in a current fashion.
Third, customers need to embrace a zero trust model and deploy
layers of security. Prevent physical access to the top hat with
proper intrusion prevention. That's layer one. Then deploy access
controls to reduce privileges and force authentication. Layer two.
Then encrypt communications and data that's flowing within the
system. Then finally, as Bernd suggested, start deploying
behavioral based security software that could detect abnormal
behavior and respond appropriately in the event that one of those
three earlier layers was circumvented and malware may be running on
the machine.
I think in the end, these three components are how we can get the
customers to improve their protections in the future, Scott.
Scott Harroff: 12:50
Yeah. I agree completely. That's a lot of great information on how
the financial institutions can protect themselves from attack. To
wrap up our conversation Dave, let's talk about what's next. What
developments have you excited on the security front?
Dave Phister: 13:05
I believe there is an emphasis now on analytics in the industry. I
think it's a long time coming. I think financial institutions can
harness this ATM data sensing and respond to not only operational
aspects of the ATM, but security risks as well. I think this
working in combination with an ATM behavioral monitoring
capability as an example, could certainly transform security at the
ATM.
There's a movement on the mobile security front. We talk a lot
about mobile interaction with the ATM. This is the next big user
interface and the component to the ATM, certainly PCI has posted
guidance, and deployments using mobile devices are happening today.
We're seeing a lot of that usage increase, so we certainly need to
focus on security around mobile devices. Then, the standards bodies
are doing work as well, which I think is important. PCI is pressing
for stronger cryptography to be used, like TLS instead of SSL, AES
instead of Triple DES. I think maintaining current cryptography
certainly will help defend the systems of the future, certainly
when we consider that the attackers have access to the technology
that could be used against it.
Biometrics is slowly making its way to the conversation. I think
we expect more in that space in the future, especially as it
pertains to data privacy controls, so again, a lot of areas where
I'm excited with regard to the industry, and then areas where
security is a vital component in the industry as well.
Scott Harroff: 14:47
Yeah, I agree, and I look forward to a time when the security
controls and mechanisms are widely supported across all the
platforms. Some of the networks that we work with are outstanding
at security, and they have TLS implemented, and they have great
fraud systems, and some of the others aren't quite there yet. I
look forward to having a nice common platform where everybody's
really on the same playing field and everybody's working together
against fraud versus maybe institutions one, two, and three are
doing their own thing, institutions four, five and six are doing
something different. That's one of the things I look forward to
seeing.
Is there anything else that our listeners should take away with
today, regarding our conversation?
Dave Phister: 15:28
Yeah, a couple final thoughts, Scott. First and foremost is
communicate and share. We're in a global fight against crime,
whether it's communication with PCI, EAST, ATMIA, the Secret Service or
the FBI, certainly we can talk about the latest FBI alert that
we've seen in the news here in the last week or so. I think that's
just another indication of sharing from the government side to the
private side. This information, if shared, can be used in the
global fight against fraud.
Then, secondly, I'm a big fan of the National Institute of
Standards and Technology. Many believe work like the NIST risk
management framework applies only to federal systems, but that's
not true. This work translates into the critical infrastructure in
the banking industry, and their cyber security framework is the
policy framework of computer security guidance for how private
sector can assess and improve their abilities to prevent, detect and
respond to cyber attacks.
Again, there's a lot of great work being done that can be embraced
in the private industry by financial institutions. Then, I also
encourage our listeners to visit the EAST security page and take a
look at the cyber attack mitigation link. Very insightful
information and guidance on cyber security beyond just the
firewalls.
Scott Harroff: 16:51
Again, thank you Dave for being here today, and to our listeners
for tuning in to this episode of COMMERCE NOW. To learn more about
cyber security and how financial institutions can protect
themselves against these types of attacks on digital systems, log
into DieboldNixdorf.com.
Until next time, keep checking back on iTunes or your podcast
listening channel, for new topics on COMMERCE NOW.