Diebold Solutions: Corporate and ATM Security (PowerPoint presentation)
Diebold Confidential 2009
Today's Agenda
1) Consumer Sensitive Information
2) PCI DSS
3) Attacks on assets
ATM Card Fraud
Skimming:
- Small read head designed to fit into the ATM card reader.
- Skimming readers typically contain storage capacity and a time stamp.
- Equal number of attacks on motorized and dip-style readers.
- Criminals are very sophisticated in adjusting their designs.
- A North American bank spends $1M USD to change bezels.
- Criminals defeat the new bezels in 6 months.
- The bank saves $10M in losses.
ATM Card Fraud
PIN Spying:
- Shoulder surfing
- Good Samaritan
- Hidden video camera
- Overhead cell phone camera
- PIN pad overlay
- RF transmission of information
- Time stamp recording
Spy camera: $150, 36-hour DVR with time stamp and SD card.
Skimmer found in St. Petersburg
Would you recognize this as a threat?
Global Solutions to Consider
Anti-Skimming (the original table marks each measure against the goals it serves: Reduce Redemption, Reduce Skimming, Detect Skimming, Deter Skimming):
- EMV Smart Card
- Biometrics + Smart Card
- Magstripe Authentication (MagnaPrint)
- Mobile OTP or Authorization
- Enhanced PIN (Image/Sentence Knowledge)
- Contactless Card
- Jitter on Motorized Card Readers
- CPK by TMD
- CPK+SDK by TMD
- Fascia Video Analytics
- ASD - Optical
- Network Fraud Monitoring
- Bezel Design
- Surveillance: ATM DVR or IP NVR
- PIN Pad Shield
Logical Attacks
- Viruses or worms intended to exploit an ATM's software environment.
- Criminal hackers attempting to violate the confidentiality, integrity, or authenticity of transaction data.
- Logical attacks up 47% over 2007.

- TJX Breach: 94 million accounts
- Hannaford Stores: 4.2 million accounts
- RBS WorldPay: account numbers & PINs stolen from server
- Heartland Payment Systems
For Sale
Source: Symantec Internet Security Threat Report – Trends for 2008
Operational Fraud
Internal:
- Ardent do-it-yourselfers
- Collectors
- Middlemen who steal for others
- Disgruntled employees
- Debt-ridden employees
- Blackmail victims
- Professional thieves
- Egotists
- Practical jokers
- Irresponsible employees
Operational fraud is perpetrated from within and accounts for up to 30% of ATM fraud.
Logical Attacks
Threat columns in the original table: Hackers, viruses and worms | Unauthorized External Connection | Unauthorized Sources/Commands | Data Confidentiality | Internal or Operational Fraud
Controls (with the number of the five threat columns each control is checked against):
- Symantec Enterprise Protection: 4 of 5
- OS & software max security settings: 3 of 5
- Patch Managed Services: 4 of 5
- Intel Trusted Platform Module (TPM) and VeriSign Certificate Authority: 3 of 5
- Point to Point Encryption, SSL over IP: 3 of 5
- Remote Key Management: 3 of 5
- Secure Service Token Storage and Logon: 1 of 5
- Hard Drive Encryption: 5 of 5
- Access Control (PACS & LACS) and Password Management: 5 of 5
Reduce Losses and Mitigate Risk
PCI DSS for ATMs
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  - Sygate Firewall version 5 & Symantec Endpoint Protection version 11
  - Diebold Professional Service can provide a Statement of Work (SOW) for Security Office, which provides a centralized firewall management server for the customer
  - Diebold Managed Services can manage and monitor the security events and security logs on the ATM (per PCI requirements)
  - Diebold can monitor the security events on your firewalls, routers, IDS, and internal servers that hold PCI cardholder data, and manage the devices
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  - Customer driven: Diebold Service will leave default Windows passwords in place unless directed otherwise by the owner of the ATM
  - Diebold Professional Service can provide the financial institution with a SOW that will allow the ATMs to join an Active Directory environment
  - ValiTech
PCI DSS and ATMs
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
  - Key requirements are:
    - 3.2.1: Do not store the full contents of any track from the magnetic stripe
    - 3.2.3: Do not store the personal identification number (PIN) or the encrypted PIN block
  - Two primary areas of concern:
    - Log and trace files: ensuring track data and PIN blocks are not recorded in any trace or log files
    - EDC files: information sent from the host must not have any proscribed data in it. Option to log captured card data to EDC.
  - Diebold can provide privileged user monitoring and can monitor all access to PCI cardholder data in the environment.
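A check for the first area of concern above (track data and PIN blocks leaking into trace or log files), added here as an example that is not part of the original presentation and not code from any Diebold product. It scans constructed trace lines for full track 1/track 2 data, bare PANs (confirmed with a Luhn check so sequence numbers are not flagged) and labelled PIN blocks, reports which lines hold prohibited data, and masks the offending fields to the first six and last four digits. The field layouts, the "pinblock" label and the sample lines are assumptions about what a trace file might contain, not Diebold's formats.

```python
import re
from typing import List, Tuple

# Constructed sample trace lines in the shape of an ATM application log (not real data;
# 4111111111111111 is the well-known Visa test PAN, which passes the Luhn check, and the
# field labels are assumed for this example, not Diebold's formats).
SAMPLE_TRACE = [
    "2009-03-02 14:01:07 TRACE card read: %B4111111111111111^DOE/JOHN^10121011234567890?",
    "2009-03-02 14:01:07 TRACE track2=4111111111111111=10121011234567890",
    "2009-03-02 14:01:08 TRACE pinblock=0123456789ABCDEF",
    "2009-03-02 14:01:09 DEBUG host response PAN 4111111111111111 approved",
    "2009-03-02 14:01:09 INFO dispense complete, sequence 0000123456",
    "2009-03-02 14:01:10 INFO masked PAN 411111******1111 journaled",
]

# Track 1: %B<PAN>^<name>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\??")
# Track 2: <PAN>=<YYMM><service code><discretionary data>
TRACK2_RE = re.compile(r"\b(\d{13,19})=\d{4}\d{3}\d*\b")
# Encrypted PIN block (ISO 9564): 8 bytes, logged as 16 hex characters after a label
PINBLOCK_RE = re.compile(r"(?i)(pin\s*block\s*[:=]\s*)([0-9A-F]{16})")
# Bare 13-19 digit run; only treated as a PAN if it passes the Luhn check
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to tell PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_line(line: str) -> Tuple[str, List[str]]:
    """Return the line with prohibited fields masked, plus the kinds of data found."""
    findings: List[str] = []

    def track1(m):
        findings.append("track1")
        return "[TRACK1 REDACTED pan=%s]" % mask_pan(m.group(1))

    def track2(m):
        findings.append("track2")
        return "[TRACK2 REDACTED pan=%s]" % mask_pan(m.group(1))

    def pinblock(m):
        findings.append("pinblock")
        return m.group(1) + "[PINBLOCK REDACTED]"

    def pan(m):
        if not luhn_ok(m.group(0)):
            return m.group(0)  # long number that is not a card number (e.g. a sequence id)
        findings.append("pan")
        return mask_pan(m.group(0))

    # Full tracks first, so their PAN is not reported a second time by the bare-PAN pass.
    line = TRACK1_RE.sub(track1, line)
    line = TRACK2_RE.sub(track2, line)
    line = PINBLOCK_RE.sub(pinblock, line)
    line = PAN_RE.sub(pan, line)
    return line, findings


def scan_trace(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Report (1-based line number, findings) for every line that holds prohibited data."""
    report = []
    for n, raw in enumerate(lines, start=1):
        _, findings = scrub_line(raw)
        if findings:
            report.append((n, findings))
    return report


if __name__ == "__main__":
    for n, kinds in scan_trace(SAMPLE_TRACE):
        print("line %d: %s" % (n, ", ".join(kinds)))
    for raw in SAMPLE_TRACE:
        print(scrub_line(raw)[0])
```

Run against a real trace directory, `scan_trace` gives the evidence an assessor asks for under 3.2.1 and 3.2.3 (which files, which lines, which data class), while `scrub_line` is the masking step to apply before any trace file leaves the ATM for support. The Luhn filter matters in practice: ATM logs are full of long numeric sequence and journal identifiers that would otherwise be reported as PANs.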
PCI DSS and ATMs
Protect Cardholder Data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
  - IPsec or SSL encrypted communications
  - SSL is part of ABC 4.4
  - Part of Agilis 91x 2.4
  - In Agilis 91x 2.3 CSD 1 and Agilis 91x 2.2 CSD 1
  - Professional Services can provide a statement of work to help the customer implement SSL directly to the host or to a Cisco network appliance
PCI DSS and ATMs
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
  - Updating of virus identification files, firewall/IDS signatures, and security software updates is available as a Diebold managed service
  - Diebold Professional Services can present a financial institution with a SOW for Security Office. Security Office allows not only for a managed firewall but also Anti-Virus, Anti-Spyware and Proactive Network Threat Protection
- Requirement 6: Develop and maintain secure systems and applications
  - Operating system patches available via the DCIS service
  - CSDs for Agilis applications available via Diebold Service contacts
  - Diebold offers a managed service that will deploy the latest approved MS patches to the ATM for a monthly fee
  - Diebold Professional Services can provide consulting for an institution to utilize its existing patch management system
PCI DSS and ATMs
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
  - It is the financial institution's responsibility to restrict access to systems that contain cardholder data based on its business practices and need-to-know requirements.
  - Cardholder data is not stored on the ATM except:
    - Data sent from the host for the EDC journal file
    - Check images stored on the ATM for the RSS Store and Forward capability. A future version of RSS will encrypt this data.
PCI DSS and ATMs
Implement Strong Access Control Measures
- Requirement 8: Assign a unique ID to each person with computer access
  - Customer driven: Diebold Service will leave default Windows passwords in place unless directed otherwise by the owner of the ATM
  - Diebold Professional Service can provide the financial institution with a SOW that will allow the ATMs to join an Active Directory environment
  - ValiTech
- Requirement 9: Restrict physical access to cardholder data
  - Diebold can provide access control systems, video and DVR technologies to assist with this requirement
PCI DSS and ATMs
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
  - The financial institution is responsible for tracking and monitoring all network access and cardholder data.
  - Diebold does provide access control and video systems to aid in tracking physical access to these systems.
- Requirement 11: Regularly test security systems and processes
  - The financial institution is responsible for developing test processes and procedures for performing regular tests of its security systems.
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
  - The financial institution is responsible for developing and maintaining policies and procedures related to security for its associates and contractors.
Physical Attacks
- Ram-raid, smash and grab
- Explosive
- Torch
- Grinder
Physical Attacks
Attack columns in the original table: Burglary | Ram Raid or Smash and Grab | Explosives | Cutting Torch
Countermeasures (with the number of check marks each carries in the original table):
- UL 291 level 1 rated safe: 2
- CEN rated safe: 3
- Anchoring system: 2
- Electronic locks with duress alarm: 1
- Ink staining: 5
- Intelligent sensors: 5
- Basic thermal & door sensor: 4
- Seismic sensors: 4
- GPS ATM and/or cassette tracking; universal camera mounts: 5
- Surveillance (DVR): 5
- Access Control & Monitoring: 5
Reduce Losses and Mitigate Risk
Layered Security Approach
1. Vestibule Access Reader
2. ATM Vestibule Camera
3. Transaction Camera through ATM Fascia
4. External Siren with Strobe
5. Cellular Backup in Service Area
6. Security Alarm Terminal
7. Service Viewing Camera
8. Passive Infrared Detection Area
9. Hold-up Button in Service Area
10. Video Recorder in Service Area (Digital or Analog)
11. ATM Site Camera
12. Light Level Monitoring
13. Door Contact
14. Seismic Detectors (2): Chest Door, Chest Wall
15. Heat/Thermo Detector
16. Main Door Contact
Conclusion
ATM fraud is repeatable, profitable and not likely to end. Even so, consumer confidence in ATMs remains high, and industry efforts to combat fraud, increase consumer awareness and promote ATM security help keep the self-service industry at least one step ahead of the criminals.
"Fraud is like electricity; it is shocking and follows the path of least resistance."
- Sriram Natarajan - Finextra, March 2008
Diebold ATM Security Web Site
For further information, please visit:
- http://www.diebold.com/atmsecurity/
- http://www.diebold.com/atmsecurity/security/challenge/ATM Security Challenge.html