Jul 29 , 2010

ATM industry statement on Black Hat Briefing

Sioux Falls---The ATM Industry Association (ATMIA) (www.atmia.com), a global non-profit trade association with over 1750 members in 50 countries, today expressed its confidence in the industry’s software and other critical systems, which are subject to robust governance, standards and industry best practices. The association reaffirmed this standpoint after a recent demonstration by ethical hacker and security professional Barnaby Jack, which indicated that certain ATMs can be “jackpotted”.

At a Black Hat briefing in Las Vegas this week, Jack, who is director of security research for IOActive™, gave an ATM security demonstration entitled “Jackpotting Automated Teller Machines Redux.” His briefing focused on apparent vulnerabilities in ATM security and whether they can be exploited via local and remote attacks. He outlined a multi-platform ATM rootkit – a type of software that can be deployed, once a hacker or “insider” has gained unauthorized access to the system, to allow them to maintain administrative privileges to the system without being detected.

“This type of research conducted by professionals like Jack should be leveraged by our industry to improve ATM security, “ said Mike Lee, CEO of ATMIA. “Even though we have produced a whole set of ATM lifecycle security best practices, including ATM software governance guidelines, we are always looking to raise awareness to continuously improve the security of the ATM channel in a global software environment that is faced with an evolving risk of fraud.”
Independent Black Hat security briefings remind industry practitioners to stay vigilant, especially in regard to new and emerging threats. And leading ATM vendors have urged financial institutions to proactively manage the security of their ATM networks. While ATM manufacturers have targeted substantial investments in the development of security solutions to make sure that the ATM’s IT systems are fully protected, it is necessary for ATM deployers to implement all relevant security initiatives to effectively combat fraud and cybercrime.

“ATM security is one of the most technically challenging areas of a financial institution’s operation,” Lee stated. “To ensure the most effective protection against a variety of threats – including internal, external, physical and logical threats – the industry advises financial institutions to implement and maintain a comprehensive, multi-layered security approach. In addition, ATM security programs should be regularly monitored, reviewed and updated to anticipate and mitigate changing threats.”

The criminal industry is constantly changing its business models to gain the maximum “Return on Investment”. Brian Nagel, Assistant Director, U.S. Secret Service, has recently stated: “Cybercrime has evolved significantly over the last two years, from dumpster diving and credit card skimming into a full-fledged online bazaar full of stolen personal and financial information.”

Multiple regulations, standards and best practices for ATM security include the Payment Card Industry (PCI) global security requirements (such as PCI DSS and PCI PA-DSS), ATMIA’s set of international best practices, Ansi X9, the European Central Banks’ ATM Best Practices Guides as well as guidelines and rules set by ATM networks and regulatory authorities across the world.

“Along with our vendors, we take on board recommendations from consultants such as Barnaby Jack and remind all our members to revisit the wealth of security information, standards and recommendations already available to protect the ATM’s trusted environment,” Lee added. “We need to maintain a total approach to security in order to retain the trust that consumers have put in self-service.”

Multiple regulations, standards and best practices for ATM security include the Payment Card Industry (PCI) global security requirements (such as PCI DSS and PCI PA- DSS), ATMIA’s set of international best practices, Ansi X9, the European Central Banks’ ATM Best Practices Guides as well as guidelines and rules set by ATM networks and regulatory authorities across the world.

Along with our vendors, we take on board recommendations from consultants such as Barnaby Jack and remind all our members to revisit the wealth of security information, standards and recommendations already available to protect the ATM’s trusted environment,” Lee added. “We need to maintain a total approach to security in order to retain the trust that consumers have put in self-service.”

Black Hat Briefings are leading industry events aimed at sharing practical insights and timely, actionable knowledge about logical security. Ethical hacking is a common practice in which experts attack a technology or network in a controlled environment to identify vulnerabilities a malicious hacker could potentially leverage. The goal is to deliver the intelligence needed to enable the mitigation of potential threats. Black Hat presenters typically notify manufacturers of their findings 90 days in advance of their demonstrations, providing affected companies with the opportunity to remediate issues before briefings are conducted. It is a responsible approach intended to benefit the entire financial services industry.

Extract from the “ DATA BREACHES: WHAT THE UNDERGROUND WORLD OF “CARDING” REVEALS”, Kimberly Kiefer Peretti,U.S. Department of Justice.

 

 

Home | Magazine | Market | Company | eNewsletter | News |Advertising | Subscriptions | Contact Us | Site Map

All material © Lloydmedia, Inc.
302-137 Main Street North
Markham, ON L3P 1Y2
905-201-6600 / 1-800-668-1838