ATM security – The dos and don’ts

An ATM is one of the common points of financial fraud. Our expert outlines the ATM security aspects that banks and customers need to take care of.

Technological advancements have eased operations and transactions for banks. With the ability to deliver better services to customers, banks offer assistance in the form of net banking and automated teller machines (ATMs). But this also brings with it considerable security risks – a fact well known to banks and customers. As part of this tip, I will be focusing on ATM security from a physical as well as a logical perspective.

Among the various facilities, banks are cautious about securing their customers' interests against ATM frauds and incidents. However, customer awareness also contributes to ensuring ATM security, given the range of common attack techniques: ATM card theft, ATM card skimming, card jamming, card swapping, shoulder surfing, vandalism, physical attack, ATM take away, mugging, and ATM jackpotting.

Therefore, to deal with such a wide variety of attacks, ATM security measures could be of two types:

•        Physical security measures

•        Logical security measures

Physical security measures

Physical ATM security is of importance in cases where cipher keys reside in terminals. In the absence of physical security, an abuser may probe for a key or substitute its value. To avoid such abuses, banks should preserve the integrity of non-secret parameters as well as the confidentiality of secret parameters. ATM security should focus on protecting ATMs from physical attacks. Modern ATM security concentrates on denying access to money inside the machine to a thief, by means of techniques such as dye-markers and smoke canisters.

Other methods are:

1.      Perimeter surveillance

2.      Access control

3.      Intrusion detection

4.      Tested and approved ATM enclosures

5.      Security guards

6.      Central monitoring station

PCI perspective of physical ATM security: According to PCI PTS, the following factors must be considered for ATM security:

•        Installation of a physical shielding barrier. This means that you need a tamper-proof casing not only for the ATM but also the PIN pad.

•        Implementation of dual security mechanisms

•        Proper environmental and operational conditions

•        Controlled and monitored physical access

•        Quick incident response mechanism

Logical security measures

The network plays a key role in the functioning of ATMs: a customer swipes his card and enters the PIN, and the details are then sent to the RDBMS for validation. Attackers usually intercept this information to perform logical frauds. The following logical security measures can help prevent such incidents:

1.      Firewall(s)

2.      Effective tracking and monitoring system

3.      Encryption technologies

4.      Logical access control

5.      Fraud detection system

6.      Protection of communication

PCI perspective for logical ATM security: The following aspects come into play when you look at logical ATM security from a PCI standpoint.

• Acquirers, processors and other third parties that have access to cardholder data (i.e. store, process and/or transmit it) must comply with PCI DSS.

1.      All must currently comply with the PCI DSS requirement “Do not store magnetic stripe data, PINs or PIN blocks”.

2.      Check ATM audit logs to ensure only required (or allowed) data are stored.

3.      Caution: If your organization, or parties sponsored by your organization, are compromised, you may be subject to fines under PCI DSS as well as civil and statutory damages.

• Track all parties with access to cardholder data (excluding telephone and cable companies)

• Maintain inventory of all devices and applications

• ATM manufacturers must ensure that their devices comply with PCI PIN and PTS requirements. In addition, the PA DSS may eventually impact all software installed on ATM devices as well.

On the PCI PIN front, it’s critical to implement, maintain and secure the PIN. The key items to note on this front are:

• Dual control and split knowledge: Prevents fraud and identity theft

• Periodic attestation

• Use of devices that are:

1. TDES/AES encrypted

2. Tamper Resistant Security Modules (TRSM) to prevent compromise of cryptographic security parameters
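The following Python sketch is an added illustration of dual control and split knowledge as described above; it is not code from the article or from SISA. It assumes a double-length (16-byte) TDES key built by XORing components that separate custodians generate independently, each adjusted to DES odd parity, so that no single custodian ever holds the full key.

```python
import secrets
from functools import reduce

KEY_LEN = 16          # assumed: double-length TDES key (2TDEA) for ATM PIN keys
MIN_CUSTODIANS = 2    # dual control: at least two people are needed to rebuild the key


def odd_parity_byte(b: int) -> int:
    """DES keys reserve the low bit of each byte as an odd-parity bit."""
    b &= 0xFE
    return b | 1 if bin(b).count("1") % 2 == 0 else b


def parity_adjust(key: bytes) -> bytes:
    return bytes(odd_parity_byte(b) for b in key)


def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)


def generate_component(length: int = KEY_LEN) -> bytes:
    """One custodian's component: random, parity-adjusted, never shown to the others."""
    return parity_adjust(secrets.token_bytes(length))


def combine_components(components: list[bytes]) -> bytes:
    """XOR all components into the working key (in practice this happens inside the TRSM).
    With fewer than all components the result is uniformly random, so no subset of
    custodians learns anything about the key: that is split knowledge."""
    if len(components) < MIN_CUSTODIANS:
        raise ValueError("dual control requires at least two components")
    if len({len(c) for c in components}) != 1:
        raise ValueError("components must have equal length")
    raw = bytes(reduce(lambda x, y: x ^ y, column) for column in zip(*components))
    # XORing odd-parity bytes yields even parity for an even number of components,
    # so the ceremony re-applies parity adjustment to the combined key.
    return parity_adjust(raw)


if __name__ == "__main__":
    parts = [generate_component() for _ in range(3)]   # three custodians
    key = combine_components(parts)
    print("combined key has odd parity:", has_odd_parity(key))
    print("two of three components give a different key:", combine_components(parts[:2]) != key)
```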

About the author: Nitin Bhatnagar works as a consultant with SISA Information Security Pvt Ltd. He has been involved in several PCI-DSS, risk assessment and application security related projects. Bhatnagar has a master’s degree in information security from Indian Institute of Information Security – Allahabad.
