Key Considerations To Effectively Plan And Determine The Scope Of An ATM Security Audit Based On PCI DSS

Author: Aleksei Panov
Date Published: 1 March 2024

Automated teller machines (ATMs) are primarily used for the secure storage and dispensing of bank notes or receiving deposits. However, ATMs have evolved into broader self-service platforms, helping people pay bills, transfer funds, and exchange currencies. The increase in the number of services offered by ATMs also increases their risk. According to a European Payment Terminal Crime report, the number of malware and logical attacks on ATMs peaked in 2020 with EUR€1.24 million in reported losses.1 On the other hand, terminal-related fraud attacks, which include skimming, cash trapping, and man-in-the-middle (MiTM) and relay attacks, increased by 70 percent in 2022 and organizations lost EUR€200 million. In addition, due to physical attacks on ATMs, organizations lost EUR€11 million in 2022.

These losses amplify the importance of security risk coverage during ATM-focused audit engagements.

ATM Overview

A typical ATM fleet usually comprises ATMs from different manufacturers, such as Triton Systems LLC, Diebold Nixdorf and NCR Corporation. ATM maintenance and support services are often divided between the ATM service providers and the bank. Design properties of ATM components that cybercriminals would be interested in include:

  • Automated controller (AC)—Incorporates the operating system (usually Windows2) and the application software to protect and enable the ATM’s functionality, including the Extensions for Financial Services (XFS) system and antivirus solutions
  • Network equipment—Typically includes a router placed inside the ATM and a virtual private network (VPN) concentrator located outside of the ATM, providing secure communication with the bank’s backend infrastructure and logical administrative access to the ATM’s network
  • Main peripherals—Includes the card reader and cash dispenser

Successful attacks on these specific ATM components result in card data interception, transactional manipulation or jackpotting (cash dispensing). To perform an attack, threat actors gain access either physically (e.g., by inserting their own equipment) or logically (via the network). According to research by Positive Technologies in 2018, ATM vulnerabilities arise from weak network and peripheral security controls and improper configuration.3

Using PCI DSS for Audit Planning and Scope Definition

An ATM should be seen as a component of a larger banking system. While not specifically focusing on ATM risk, the Payment Card Industry Data Security Standard (PCI DSS) requirements and testing procedures comprehensively cover environments where sensitive account data is stored, processed or transmitted, including those environments that can impact the security of the cardholder data environment.

PCI DSS lists 12 principal requirements that are further broken down into defined requirements and testing procedures. Supporting information also exists, such as best practices, applicability notes and sampling considerations, which help the audit team plan, execute and formalize audit work.

It is helpful to review some of the PCI DSS main requirements with a focus on specific ATM risk and related security audit work.

Support Information Security With Organizational Policies and Programs
Potential risks that would stop the normal functioning of an ATM include:

  • Cash-in-transit robbery (defended by limiting cash in transit, safeguards with global positioning system [GPS] tracking and secure communication channels)
  • Attacks on customers (defended by placement of ATMs in secure areas, camera monitoring, sensors on ATMs, multifactor approvals of transactions)
  • Cyberattacks on IT systems (defended by baseline security requirements, network security controls, detect and response capabilities)

Documentation should help prevent, identify, respond to and recover from such events.

An information security policy is a set of core documents that determines the responsibilities of management and employees, identifies risk and defines and implements controls to cover the risk. Auditors must obtain all relevant documentation from the audit client and review it. Applying this to ATM security, auditors should start by asking for documentation about the ATM fleet, data flow diagrams, involved parties including internal teams and external vendors, a risk assessment of the area and established controls. From an audit team’s perspective, sound documentation helps form an understanding of the scope and risk tolerance of an audit client and its material impacts. It also impacts the first impression of the overall management of ATM security, which may be formed by asking questions including:

  • Are there any legacy operating systems?
  • Are there clear, detailed technical security requirements?
  • Is there evidence of broadly written standards?
  • Has a responsibility matrix been assigned?

However, it is key to remember that an abundance of unread documentation is not necessary. Instead, documentation should help facilitate effective management and operational decisions.

When thinking about potential risk scenarios, the MITRE ATT&CK framework could help in viewing and comparing techniques that have been already used by different adversary groups.4 For example, using this framework, organizations can review multiple threat groups such as Carbanak or Cobalt Strike and analyze the tactics (e.g., defense evasion, lateral movement) and techniques they use to achieve their objectives (e.g., privilege escalation, protocol tunneling). The MITRE ATT&CK framework contains mitigations and detection mechanisms for each technique.

Install and Maintain Network Security Controls
Network equipment is integral to providing ATM services. Firewalls, routers and VPN concentrators should be identified and documented. The audit team should review network diagrams and data flows, entry points of administrator access, internal separation between ATMs, segmentation of the ATM fleet from other networks and firewall rules.

An ATM network should not be accessible to everyone, so it is necessary to review access controls, such as:

  • Multifactor authentication
  • Bastion hosts (hardened jump server/host accessed before connecting to other resources)
  • VPN access controls
  • The joiners-movers-leavers process

When inspecting an operating ATM, there should not be any network cables or network devices easily accessible from the outside.

Apply Secure Configurations to All System Components
In general, it is expected that the configuration of the network and ATM equipment will follow industry best practices. Many of these can be found either in the vendor’s administration standards or within standards such as PCI DSS, US National Institute of Standards and Technology (NIST) standards, Center for Internet Security (CIS) controls or Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs).

Configuration review can be conducted in a variety of ways. For example, encryption can be inspected by packet capturing or by reviewing the device’s settings. Vulnerability scanners may help decrease the amount of time spent on configuration review, as they support both scanning for vulnerabilities and best practice compliance scans. The ATM network is not expected to have legacy or cleartext protocols (e.g., Microsoft Server Message Block [SMB1], Windows Server Update Services without secure sockets layer [SSL]/transport layer security [TLS]), open unused ports and services or default credentials. If Microsoft Active Directory is being used, ISACA’s Windows Active Directory Audit Program5 and tools such as PingCastle6 and Bloodhound7 may help with audit testing.

Audit tests should also include the review of the controls against ATM attacks, including:

  • Setting a basic input/output system (BIOS) to block booting from external media
  • Implementing a universal serial bus (USB) read/write policy block
  • Not allowing the ability to exit the kiosk mode by standard key combinations
  • Implementing user privileges and user account control
  • Using AppLocker and software allowlisting

These controls help prevent not only initial access but also execution, persistence and privilege escalation tactics using MITRE ATT&CK framework terminology.
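The configuration review and the control list above, as an added example that is not from the article: a Python checker that evaluates a flattened registry export from an ATM controller running Windows against the listed controls (SMB1, WSUS over TLS, USB storage, UAC, AppLocker enforcement). The registry locations are standard Windows ones; the export format, the sample values and the `bank.example` host are assumptions, and the BIOS boot-order and kiosk-mode controls are not registry-visible, so they are left to physical inspection.

```python
"""Baseline checker for an ATM automated controller (AC) running Windows.

Added example, not part of the article. It evaluates a registry export
against the hardening controls the article lists. The registry paths and
values are standard Windows locations; the sample export is constructed.
"""
from urllib.parse import urlsplit

SMB_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
WSUS_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
USB_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR"
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
APPLOCKER_EXE_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe"

# Constructed sample: a `reg export` of the relevant keys, flattened by the
# (assumed) audit tooling to {key_path: {value_name: data}}.
SAMPLE_EXPORT = {
    SMB_KEY: {"SMB1": 1},                                   # SMB1 still on
    WSUS_KEY: {"WUServer": "http://wsus.bank.example:8530"},  # cleartext WSUS
    USB_KEY: {"Start": 3},                                  # USB storage loads
    UAC_KEY: {"EnableLUA": 1},                              # UAC enabled (ok)
    # APPLOCKER_EXE_KEY absent: no executable rules are being enforced
}


def _get(export, key, name):
    return export.get(key, {}).get(name)


def check_atm_baseline(export):
    """Return a list of (control, finding) tuples; an empty list means compliant."""
    findings = []
    # Legacy protocol: the SMB1 server must be disabled (value 0).
    if _get(export, SMB_KEY, "SMB1") != 0:
        findings.append(("SMB1", "legacy SMB1 server protocol not disabled"))
    # Patch source must be reached over TLS, not cleartext HTTP.
    wu = _get(export, WSUS_KEY, "WUServer")
    if wu is None:
        findings.append(("WSUS", "no WSUS server configured; updates unmanaged"))
    elif urlsplit(wu).scheme != "https":
        findings.append(("WSUS", f"WSUS server uses cleartext transport: {wu}"))
    # USB mass-storage driver disabled (Start=4) implements the read/write block.
    if _get(export, USB_KEY, "Start") != 4:
        findings.append(("USB", "USB mass storage driver not disabled (Start != 4)"))
    # User Account Control must be on.
    if _get(export, UAC_KEY, "EnableLUA") != 1:
        findings.append(("UAC", "User Account Control disabled"))
    # AppLocker executable rules: EnforcementMode 1 = enforce, 0 = audit only.
    if _get(export, APPLOCKER_EXE_KEY, "EnforcementMode") != 1:
        findings.append(("AppLocker", "executable rules not in enforce mode"))
    return findings
```

A missing key is reported as a finding on purpose: an absent policy is the same exposure as a wrong one.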

Protect Cardholder Data With Strong Cryptography During Transmission Over Open, Public Networks
It is necessary to use a VPN and, in addition, to encrypt the protocols used inside the VPN tunnel (e.g., with TLS/SSL) with mutual verification of keys and message authentication codes (MACing) when the ATM communicates with other systems (e.g., the systems at the bank) to make transactions.8 Proper data integrity and authenticity controls and certificate validation should be configured for the ATM’s ingress and egress communications to prevent MiTM attacks in which an attacker obtains a legitimately issued certificate (e.g., using Let’s Encrypt9) and issues commands to the ATM on behalf of the back end. Otherwise, attackers may tamper with or intercept transactions and impersonate backend systems.

Restrict Physical Access to Cardholder Data
To restrict physical access to cardholder data, several strategies can be followed:

  • Mutual authentication and encryption in dispenser-AC communication—These are required to prevent black box attacks. So-called black box attacks happen when threat actors gain physical access to an ATM. In fact, attackers do not need access to all ATM parts; it is enough to access only the top part with the AC. A typical attack scenario involves disconnecting a cash dispenser from the AC, connecting the cash dispenser to the attacker’s device and issuing commands to dispense cash.10
  • Whole disk encryption—This should be configured on an ATM with secure key storage either on a Trusted Platform Module chip or a network server to prevent access while the ATM software is not running. It is important to pay attention to the encryption mechanism and protocol being used and compare it with current best practices, such as NIST requirements. Whole disk encryption is known to be a good defense mechanism against many physical jackpotting attacks (where criminals physically manipulate an ATM to make it dispense cash); however, it is seldom used.11
  • Physical locks on ATMs—Locks on an ATM’s front door (not a safe door) are usually easy to pick or bypass, or keys can be easily purchased online.12 In addition, placing USB ports on top of the ATM’s monitor behind a plastic shield or in other areas with relatively easy access facilitates the initial access of an attacker. Different ATM sensors, camera monitoring, response time after alert and placement of ATMs in public places decrease the risk of a physical ATM attack.

Log and Monitor All Access to System Components and Cardholder Data
According to IBM’s research in 2019, many banks have the ability to monitor back-end systems but do not collect data from the ATMs themselves and do not monitor important events such as short-term ATM outages and reboots.13 As a general rule, log collection and use case scenarios, such as opening of the head compartment and loss of communication, should be in place and regularly tested (e.g., with penetration testing). The MITRE ATT&CK framework could also help with use case definition and event type selection for logging, as it contains detection mechanisms for each technique.14
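The logging use cases named above (head compartment opened, loss of communication, reboots, each correlated with cash dispensing), as an added example that is not from the article: correlation rules run over a constructed ATM event log. The log format, event names, the maintenance-window table and the thresholds are assumptions chosen for the illustration.

```python
"""ATM event-log use cases. Added example, not from the article: correlation
rules for the events the article names. Log format and sample lines are
constructed; the maintenance windows and thresholds are assumptions."""
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <atm_id> <event> [key=value ...]"
SAMPLE_LOG = """\
2024-02-12T02:14:05 ATM-0417 HEAD_OPENED
2024-02-12T02:14:40 ATM-0417 COMM_LOST
2024-02-12T02:17:02 ATM-0417 REBOOT
2024-02-12T02:19:30 ATM-0417 COMM_RESTORED
2024-02-12T02:21:11 ATM-0417 DISPENSE amount=4000
2024-02-12T10:02:00 ATM-0102 HEAD_OPENED ticket=CHG-7781
2024-02-12T10:20:00 ATM-0102 HEAD_CLOSED ticket=CHG-7781
2024-02-12T11:00:00 ATM-0333 REBOOT
2024-02-12T11:05:00 ATM-0333 REBOOT
2024-02-12T11:09:00 ATM-0333 REBOOT
"""

# Constructed: approved maintenance windows per ATM as (start, end, ticket).
MAINTENANCE = {"ATM-0102": [(datetime(2024, 2, 12, 9), datetime(2024, 2, 12, 12), "CHG-7781")]}


def parse(log):
    """Parse lines into (timestamp, atm_id, event, details) tuples."""
    events = []
    for line in log.splitlines():
        ts, atm, ev, *rest = line.split()
        events.append((datetime.fromisoformat(ts), atm, ev, dict(kv.split("=", 1) for kv in rest)))
    return events


def in_window(atm, ts, ticket):
    return any(s <= ts <= e and t == ticket for s, e, t in MAINTENANCE.get(atm, []))


def evaluate(events, window=timedelta(minutes=15), reboot_threshold=3):
    """Return (atm_id, timestamp, message) alerts in log order."""
    alerts, suspect_since, reboots = [], {}, {}
    for ts, atm, ev, d in events:
        if ev == "HEAD_OPENED" and not in_window(atm, ts, d.get("ticket")):
            alerts.append((atm, ts, "head compartment opened outside approved maintenance"))
            suspect_since[atm] = ts            # physical access without a ticket
        elif ev == "COMM_LOST":
            suspect_since[atm] = ts            # possible disconnection from the back end
        elif ev == "DISPENSE" and atm in suspect_since and ts - suspect_since[atm] <= window:
            alerts.append((atm, ts, f"cash dispensed ({d.get('amount')}) within {window} of tamper/comm loss"))
        elif ev == "REBOOT":                   # short outages: repeated reboots in one window
            reboots[atm] = [t for t in reboots.get(atm, []) if ts - t <= window] + [ts]
            if len(reboots[atm]) >= reboot_threshold:
                alerts.append((atm, ts, f"{len(reboots[atm])} reboots within {window}"))
    return alerts
```

An opening covered by a ticket inside its approved window produces no alert, which is the control that separates routine servicing from tampering.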

Planning the Audit and Building the Scope

There are two key steps to plan an ATM security audit and determine its scope.

Step 1: Plan for the Audit (and Its Resources) Wisely
Auditors should spend time to better understand the governance and business processes surrounding ATM management, including:

  • Involved parties and their responsibility allocations
  • Performed, ongoing and planned projects impacting the scope of the audit
  • Material impact of the services provided via ATMs
  • Details about the ATM fleet (e.g., last patches, operating systems, antivirus solutions, physical protections and other established controls)

ATM management is a sensitive area, and the workload should be approved and planned well in advance to avoid surprises. It is necessary to sign nondisclosure and other necessary agreements and to arrange the audit team’s network and physical/logical access. The audit sampling type (full or sample-based) should be decided for each audit test, and the team should consider involving experienced ATM penetration testers and security professionals.

Step 2: Review the PCI DSS Requirements and Calibrate Audit Tests Based on ATM-Related Risk
For configuration reviews, it is essential to employ compliance and vulnerability scans to save time (although the results should be validated for false positives and risk acceptance), check the patching and configuration management processes (including firmware and software for last-installed patches) and review firewall placement and rules (including internal segmentation of ATMs). Audit tests should also include reviewing physical and logical access controls (e.g., response time after covering the ATM’s camera, alarms against drilling or opening the cabinet door) and checking data encryption and incident response (e.g., security information and event management [SIEM] rules, response time).

Although configuration and process-level reviews are relevant, conducting penetration testing (both physical and logical) would bring greater audit assurance.

Conclusion

ATMs play a significant role in providing convenient access to financial services, but they also possess the potential for substantial financial losses and security breaches if not adequately protected. It is essential for auditors to understand the main risk and security controls of an ATM when planning and testing ATM security.

Endnotes

1 E.A.S.T., “ATM Explosive Attacks in Europe Rise Again,” 25 April 2023, http://www.association-secure-transactions.eu/atm-explosive-attacks-in-europe-rise-again/
2 Forbes, A.; “Jackpotting ATMs (Automated Teller Machines)—Its Easier Than You Might Think,” Disobey, YouTube, 13 February 2019, http://youtu.be/ThPJrPf7O2s
3 Positive Technologies, “ATM Logic Attacks: Scenarios, 2018,” 14 November 2018, http://www.ptsecurity.com/ww-en/analytics/atm-vulnerabilities-2018/
4 MITRE ATT&CK, “Groups,” http://attack.mitre.org/groups/
5 ISACA®, Windows Active Directory Audit Program, USA, http://store.yibangyi.net/s/store#/store/browse/detail/a2S4w000004KoF8EAK
6 Ping Castle, http://www.pingcastle.com/
7 BloodHound Enterprise, http://bloodhoundenterprise.io/
8 E.A.S.T., “Countermeasures Against ATM Malware and Black Box Attacks,” http://www.association-secure-transactions.eu/industry-information/countermeasures-against-atm-malware-and-black-box-attacks/
9 Let’s Encrypt, “About Let’s Encrypt,” http://letsencrypt.org/about/
10 Krebs, B.; “Thieves Jackpot ATMs With ‘Black Box’ Attack,” 6 January 2015, http://krebsonsecurity.com/2015/01/thieves-jackpot-atms-with-black-box-attack/
11 Op cit Forbes
12 Ibid.; Davis, R.; “No Key? No PIN? No Combo? No Problem! P0wning ATMs for Fun and Profit,” DEFCON Conference, YouTube, 5 August 2021, http://youtu.be/9cG-JL0LHYwl; Osipov, A.; O. Kochetova; “Hack Your ATM With Friend’s Raspberry.Py,” Kaspersky Lab, Black Hat Europe 2014, 3 April 2015, http://youtu.be/q5tQWe6YsLM
13 Op cit Forbes
14 Op cit MITRE ATT&CK

Aleksei Panov, CISA, CISSP

Is a senior technology auditor at a universal banking organization based in Prague, Czech Republic. With more than six years of experience in IT and cybersecurity audit, he is passionate about learning new technologies and hands-on technical reviews. Throughout his career, he successfully delivered numerous projects by evaluating the design and execution of established controls addressing key IT and business risk. He helps his audit clients in Europe improve their IT governance, strengthen their information security functions, improve their management of IT risk and achieve compliance with IT regulatory requirements.