International Journal on Advances in Security, vol 9 no 3 & 4, year 2016, http://www.iariajournals.

org/security/

122

A Risk Assessment of Logical Attacks

on a CEN/XFS-based ATM Platform

Johannes Braeuer Bernadette Gmeiner Johannes Sametinger

Dept. of Information Systems Banking Automation Dept. of Information Systems
Johannes Kepler University Linz KEBA AG Johannes Kepler University Linz
Linz, Austria Linz, Austria Linz, Austria
email: [email protected] email: [email protected] email: [email protected]

Abstract— Automated Teller Machines (ATMs) contain con- an attractive target for thieves and fraudsters [6]. Fraudulent
siderable amounts of cash and process sensitive customer data activities are not only attracted by cash, but also by data that
to perform cash transactions and banking operations. In the is required to conduct bank transactions. A further type of
past, criminals mainly focused on physical attacks to gain ac- ATM attacks addresses malicious activities that impair the
cess to cash inside an ATM’s safe. For example, they captured computer or the network of ATMs. Known as logical attacks,
customer data on the magnetic strip of an ATM card with there is the common opinion that they are becoming more
skimming devices during insertion of the card. These days, sophisticated and based on a well-organized execution. For
criminals increasingly use logical attacks to manipulate an example, representatives of malware, such as Skimer, Plou-
ATM’s software in order to withdraw cash or to capture cus-
tus, or Stuxnet are indicators that these attacks bring up new
tomer data. To understand the risks that arise from such logi-
challenges in securing ATMs and for providing secure bank-
cal attacks, we have conducted a risk assessment of an ATM
platform. This ATM platform is running in a real bank envi-
ing environments. Furthermore, the XFS specification – see
ronment and is built on the CEN/XFS specification. The result Section V – that represents the main reference for ATM en-
of this assessment has revealed the main issues that are respon- gineers, is out-of-date and missing two-factor authentication
sible for vulnerabilities of an ATM platform. The risk assess- for bank applications [7].
ment has identified effective countermeasures and has addi- We will show an approach for the above mentioned prob-
tionally provided a prioritization of activities for ATM manu- lems and present additional details for implementing a risk
facturers. assessment at an ATM. This risk assessment aims at provid-
Keywords— ATM security; logical ATM attacks; XFS;
ing information to select adequate countermeasures and con-
embedded system security; risk assessment. trols for mitigating the likelihood or impact of risks. We
have conducted the risk assessment concentrating on logical
risks of an existing ATM platform. While the scope of the
I. INTRODUCTION assessment is limited to logical risks, the used approach can
This paper represents an extended version of a previously easily be extended to physical risks and risks resulting from
published article [1]. It provides more details about the risk card and currency fraud. Early results of the risk assessment
assessment and discusses the findings in a broader sense. presented in this paper have been published previously at a
Automated Teller Machines (ATMs) have their roots conference [1]. Here, we provide a more detailed view on the
back in the late 1930s, but they began to revolutionize the conducted risk assessment including a broader discussion of
banking environment in the 1960s [2]. With the integration the identified countermeasures. Besides, we use more recent-
of real-time terminals, ATMs have been developed to data ly published information on problems of the specification
processing units that contained commercially available com- that is used by ATM manufactures.
puters. Today, almost all three million ATMs around the In this paper, we will first provide an overview of attacks
world are running on the operating system (OS) Windows to ATMs as well as their countermeasures. We will then
[3]. On top of Windows, an ATM platform controls all pe- evaluate the countermeasures for logical attacks by a risk
ripheral devices and uses the OS to communicate with device assessment. As a result, we can confirm that suggested coun-
drivers. The ATM platform also provides an interface to termeasures work for the identified risks. Additionally, we
multi-vendor ATM software, i.e., bank applications that uti- prioritize these countermeasures and provide a guideline for
lize the functionality of the platform. Besides Windows, those responsible for ATM security.
ATMs use the Internet Protocol (IP) for communication in The remainder of the paper is structured as follows: Sec-
the banking network [4]. Consequently, the ATM network is tion II provides an overview of criminal activities in context
part of the banking network, which in turn is part of the In- of ATMs and discusses traditional attacks and counter-
ternet. All in all, ATMs have developed from stand-alone measures. Section III concentrates on logical ATM security.
equipment with simple cash dispensing capabilities to a net- In Section IV, the used risk assessment approach is present-
work of connected devices for bank transactions. ed, which is then applied in Section V to determine the risks
ATMs contain a remarkable amount of cash for their dai- of an ATM platform. Findings are discussed in Section VI.
ly operation. Moreover, they are available around the clock Related work and a conclusion follow in Sections VII and
and often located off-premises [5]. They have always been VIII, respectively.

2016, © Copyright by authors, Published under agreement with IARIA - www.iaria.org

International Journal on Advances in Security, vol 9 no 3 & 4, year 2016, http://www.iariajournals.org/security/

123

II. AUTOMATED TELLER MACHINES B. Physical Attacks

An ATM is a cash dispensing machine with the capabil- Attacks that result in the physical damage of the entire
ity to credit or debit a customer account without human in- ATM or a component thereof primarily focus on stealing
tervention [2]. The term ATM has been used synonymously cash from the safe [11]. But, some of these attacks are also
for cash machines, cash dispensers or cash recyclers. How- conducted to prepare a further malicious activity on a single
ever, the designation ATM is inappropriate when a machine ATM. Vulnerable and easy targets for such attacks are off-
cannot perform a complete financial transaction initiated by site ATMs that are open to the public, less protected and
the customer. In other words, an ATM has to support syn- lighter compared to bank-located machines [14]. Physical
chronous or asynchronous electronic data processing opera- security guidelines recommend seismic detectors, magnetic
tions in an online and real-time manner [2]. With these capa- contacts, alarm control panels, access control and heat sen-
bilities in place, ATMs have revolutionized the way of bank- sors as alarm equipment [15]. Seismic detectors indicate
ing. Their widespread dissemination has grown to a world- abnormal vibrations and can cry havoc if an ATM is about to
wide use of around 2.8 million ATMs. This number is ex- be raided. Heat sensors detect any form of unnatural temper-
pected to reach 3.7 million by 2018 [8]. ature rise. Volumetric detectors on the wall can detect
ATMs have always been an attractive target for thieves. movements in the ATM's surrounding area. Intelligent bank
This problem is reinforced by the fact that ATMs are typical- note neutralization or degradation systems use bank note
ly available 24/7, often located off-premises, and vulnerable staining. A trigger becomes activated in case an inapprop-
to cash thefts [5]. However, ATM crime, including ATM riate movement of the cassettes takes place. As a result, sto-
fraud, goes beyond stealing cash inside the safe. Illegally len banknotes get marked with a degradation agent or a dye.
obtaining personal information of customers, such as bank
account data, card number, or PIN is an additional security III. LOGICAL ATM SECURITY
issue related to ATMs [5][7]. While these digital assets do Logical attacks have become more sophisticated and their
not provide an immediate profit, they can be sold on illegal execution has typically been well organized [5][7][8]. Recent
credit card data markets [10]. From a general viewpoint, examples, such as Skimer [16], Ploutus [17], Stuxnet [18]
there are three different types of attacks: card and currency and a logical attack demonstrated at the chaos computing
fraud, physical attacks and logical attacks [11]. Various In- club congress [19] are indicators that these attacks bring up
formation Technology (IT) security standards have been new methods and approaches to ATM crime.
developed and vendors have recommended security concepts ATM malware is designed to steal cardholder data and
pertaining to ATMs [12]. The goal is to secure an entire PINs or to withdraw cash [13][15]. Typically, malware hides
ATM and its environment. Similar to ATM crime, ATM in the system to remain undetected as long as possible. It
security can be divided into the three different core areas: impairs confidentiality, integrity and authenticity of transac-
namely, card and currency protection, physical security, and tion data for its particular intention [5][10]. ATM networks
logical security. The former two are briefly addressed in the are based on the Internet protocol and face the same attacks
next subsections. Logical ATM security is more important to as other IP-related networks, e.g., denial of service (DoS),
the context of our work and follows in Section III. sniffing, man-in-the-middle attacks, or eavesdropping
[3][10]. Communication between ATM and host can be used
A. Card and Currency Fraud
as entry point to launch remote attacks [5]. Even network
Card and currency frauds include direct attacks to steal devices like routers and switches can be targeted [4]. Logical
cash or cards as well as indirect attacks to steal sensitive security focuses on maintaining a secure network, protecting
cardholder data that is later used to create fake cards for the OS and designing a system so that intruders cannot
fraudulent withdrawals [10]. The target of these attacks is a threaten cardholder's data and software components [5][10].
single ATM, which may be physically manipulated for Subsequent subsections describe such measures.
skimming, card fishing and currency trapping. Skimming is
the approach to install an additional device, called a card A. Cardholder Data Protection
skimmer, to capture the card’s information on the magnetic Sensitive data is the main target of logical attacks [22].
strip. Lower tech card fishing and currency trapping focus on The Payment Card Industry (PCI) Data Security Standard
either card or cash capturing, typically using thin plates, thin (DSS) is for the protection of sensitive cardholder and au-
metallic stripes, transparent plastic film, wires and hooks [5]. thentication data. It proposes a set of twelve requirements
There are several security methods that deal with this threat divided into six areas [22]. Based on these requirements we
category. Jitters, for example, vary speed and movement of have identified four security controls, which are needed to
cards or introduce motion. In other words, it distorts the protect cardholder data:
magnetic stripe details and makes it difficult for the skimmer
to read data while the card reader pulls the card into the x Change control - to guarantee that necessary and
ATM [13]. A further approach of an anti-skimming module wanted changes are made only
is a jammer with the aim to disrupt a skimmer attached to the x Data masking - to disguise cardholder data
ATM dashboard. Instead of working on a mechanical level, a x User access control - to restrict permsissions
jammer uses an electromagnetic field to protect the cards’ x Password policy - to hamper password guessing
magnetic strips. Hence, the card reader can generate an error
code that can be traced by remote monitoring tools [5].

2016, © Copyright by authors, Published under agreement with IARIA - www.iaria.org

International Journal on Advances in Security, vol 9 no 3 & 4, year 2016, http://www.iariajournals.org/security/

124

B. Host-based Firewall IV. RISK ASSESSMENT

To operate a secure ATM network, logical ATM security Risks must be controlled by countermeasures or safe-
systems must be in place [5]. A firewall and a monitoring guards [25]. Risk management is an important part of an
system to analyze and authenticate connection attempts are organization’s security program. It provides support in man-
recommended in order to build such a layer of defense [5]. aging information security risks associated with an
Instead of installing a central firewall, an integrated firewall organization's overall mission [26]. Risk management must
on the ATM is feasible, controlling network communications repeatedly be conducted in periodical time spans [27]. Each
on the processes, protocols and ports level [10]. iteration begins with risk assessment, which is initiated at a
predefined time, e.g., once a year or after a major IT
C. Application Control
transformation [28]. It results in the identification, estimation
Traditional security software like antivirus software is and prioritization of IT risks based on the security goals of
used on desktop PCs to prevent unauthorized software exe- confidentiality, integrity and availability [25]. The result
cution. But, antivirus software requires processing power represents a temporary view that will be used for further risk
that often goes beyond the capabilities of an ATM and relies management decisions [27].
on a signature database that needs periodic updates. These
updates can only provide protection against known malware. A. Risk Model
Consequently, malware prevention must operate within the The risk model specifies key terms and assessable risk
limited resources and with a minimal “footprint” to avoid factors including their relationships [25]. It defines all factors
complications with ATM software [10]. Whitelisting restricts that directly or indirectly determine the severity and level of
software running on an ATM to a known set of applications a particular risk, such as assets, threat source, threat event,
[10] that are tested and approved for execution. Unapproved likelihood, impact and countermeasure. Assets represent
software outside the list and malware are prohibited. resources of value that need to be protected [29]. A person,
physical object, organizational process or implemented tech-
D. Full Hard Disk Encryption
nology can represent an asset. A threat is the potential for a
Some logical attacks bypass security protection by boot- malicious or non-malicious event that will damage or com-
ing the ATM from an alternative medium, such as a USB promise an asset [29], e.g., unauthorized modification, dis-
stick or CD-ROM. This circumvention provides the possibil- closure or destruction of system components and infor-
ity to manipulate configurations or to put malware in place mation. Depending on the degree of detail and complexity, it
[23]. As a countermeasure, the ATM hard disk can be pro- is possible to specify a threat as a single event, action or cir-
tected with full hard disk encryption [23]. In addition, it is cumstance; or as a set of these entities [25]. A vulnerability
recommended to encrypt data on an ATM's hard disk to is a weakness in the defense mechanism that can be exploit-
make it unreadable in case of theft or unauthorized access ed by a threat to cause harm to an asset [27][29]. This weak-
[11]. Physically protecting the hard disk is an additional ness can be related to security controls that either are missing
safeguard, because data access becomes more difficult. or have been put in place but are somehow inefficient [25].
E. Patch Management The likelihood of a risk consists of two aspects, i.e., the
likelihood of occurrence (initiation of an attack) and the like-
Logical security includes the handling of software vul- lihood of success [25]. The likelihood of occurrence demon-
nerabilities by patch management to ensure the efficiency strates the probability of a threat to exploit a vulnerability or
and security of ATMs in a timely and efficient manner. Con- a set of vulnerabilities [25]. Factors that determine this like-
tinuous patch management provides protection against virus- lihood value are predisposing conditions, the presence and
es, worms and known vulnerabilities within an OS [24]. An effectiveness of deployed countermeasures and the consider-
example in this context is the Slammer virus, which was ation of how certain the threat event is to occur. The likeli-
responsible for network outages of different systems, such as hood of success expresses the chance that an initiated threat
ATMs with Windows [24]. The incident could have been event will cause an adverse impact without considering the
prevented because Microsoft had provided a patch covering magnitude of the harm [25].
the exploited vulnerability six month before the virus spread The impact describes the magnitude of expected harm on
out [24]. Needless to say, precautions have to be taken to an organization [29]. To determine the impact, it is important
avoid malicious misuse of update mechanisms. to understand the value of the asset and the value of an un-
F. Device-specific Requirements damaged system. Besides, it is advisable to consider an im-
pact not only as a one-time loss because it can have relation-
Depending on the actual installation of ATMs, additional
ships to other factors that cause consequential damage [25].
security controls are required for a higher level of defense.
A risk is a combination of the likelihood that an identified
Examples of countermeasures include secure test utilities and
threat will occur and the impact the threat will have on the
device controls. Test utilities that are built in an ATM plat-
assets under review [25]. Risk factors, such as threat, vulner-
form must be protected via access control mechanisms. Ex-
ability, likelihood and impact determine the overall risk. Im-
ternally available devices, especially USB ports, must be
pact and likelihood are used to define the risk level [28].
controlled on BIOS or on OS level.

2016, © Copyright by authors, Published under agreement with IARIA - www.iaria.org

International Journal on Advances in Security, vol 9 no 3 & 4, year 2016, http://www.iariajournals.org/security/

125

B. Risk Assessment Process 6) Determination of Risk

Different risk assessment processes, frameworks and The risk level is determined by combing impact and
methodologies build on the same underlying process overall likelihood [27]. It shows the degree to which an
structure, which may vary in abstraction level and granu- organization is threatened [25]. Formulas, matrices or meth-
larity [26]. These steps, which are listeted below, do not have ods that are used for merging likelihood and impact must be
to be strictly adhered to in sequential order. For example, it consistent and precisely defined.
is useful to perform threat and vulnerability identification V. CASE STUDY
side by side to cover all risk possibilities. Also, some step
iterations are necessary to get representative results [25]. The aim of this case study is a risk assessment to
1) Definition of Assets establish a baseline of risks faced by an ATM platform of a
specific manufacturer. The applied approach identifies all
No action can be taken unless it is clarified what the as- threats, vulnerabilities and impacts that cause a potential risk
sets are. Asset definition seeks to identify the processes, to an ATM asset. The focus on the ATM platform limits our
applications and systems that are highly important and investigation to software aspects only. This is why the case
critical to the daily operation of an organization [29]. study mainly concentrates on logical risks. We have to
2) Identification of Threat Sources and Events mention at this point that we refrain from describing attacks
Threat sources can be characterized based on their in too much detail because this would provide valuable
capability, intent and target to perform a malicious activity information to potential attackers. However, the given
[25]. Once the list of sources is complete, threat events must information is sufficient for readers to follow the
be identified that can be initiated by a threat source. conclusions.
Predefined checklists are an easy way to verify whether the
A. System Characterization
listed threat events can occur in the context of the
assessment. But, an exclusive use of checklists can From a general point of view, the logical system structure
negatively influence the outcome because it may impair the of an ATM consists of three layers as shown in Figure 1. On
free flow of creative thinking and discussing. An important the bottom end of the structure is the operating system,
step is the determination of the relevance of each threat which builds the base of all layers above. Hence, the ATM
event. If considered relevant, an event will be paired with all platform uses the functionalities of the operating system in
possible threat sources that can initiate it. order to communicate with the hardware components. To
utilize the features that are implemented in the ATM
3) Identification of Vulnerabilities and Predisposing
platform, the ATM platform provides a public interface to
Conditions multi-vendor ATM software and bank applications.
Next, we have to identify vulnerabilities that can be For providing a standardized interface to the layer above,
exploited as well as the conditions that may increase or the platform implements the eXtension for Financial
mitigate susceptibility. Tool support is feasible for this task. Services (XFS) interface specification defined in CEN [31].
For example, vulnerability scanners automatically test inter- This programming specification has been published by the
nal and external system interfaces in order to find known and European Committee for Standardization (CEN) and is
obvious weaknesses. designed to control all peripheral devices of an ATM. XFS
4) Determination of Overall Likelihood does not differ between a multi-vendor ATM software and a
The overall likelihood represents the probability that the bank application, but considers both forms of an ATM
threat exploits vulnerabilities against an asset [29]. To get an software as a Windows-based XFS application.
adequate value and to keep focused on specific aspects, the Figure 2 shows the XFS architecture that builds the
overall value is divided into likelihood of initiation/oc- foundation of the ATM platform. With reference to this
currence and likelihood of success. These are an assessment illustration, the key element of XFS is the definition of a set
of the probability that a non-adversarial threat happens or an of Application Programming Interfaces (APIs) and a
adversarial threat source launches an attack [25]. In contrast,
the likelihood of success is the probability that an initiated
threat event results in an adverse impact [25].
5) Determination of Magnitude of Impact
It is necessary to determine the impact the event will
have on the organization [29]. For this task, the values of
reviewed assets are an important input because they show the
potential harm and the severity of the impact in case of a full
or partial loss. The harm can be expressed in terms of
monetary, technical, operational or human impact criteria
[28].
Figure 1. Logical System Structures of an ATM.

2016, © Copyright by authors, Published under agreement with IARIA - www.iaria.org

International Journal on Advances in Security, vol 9 no 3 & 4, year 2016, http://www.iariajournals.org/security/

126

without changing the underlying implementation. While it

would be desirable to not touch the ATM platform when
changing the XFS application on the top, customizations are
usually required due to some vague definitions in the XFS
standard and different interpretations thereof.
B. Logical Risk Assessment
The risk assessment conducted in this case study is based
on the risk assessment published in [25]. As defined in this
document, the frst step focuses on the preparation of the
assessment in order to establish the context. This includes the
identification and definition of the purpose, scope,
assumptions and the risk assessment methodology mentioned
below.
1) Purpose
The purpose of this risk assessment is an implementation
of an initial assessment to establish a baseline assessment of
Figure 2. CEN/XFS Architecture. risks for the ATM platform. At the moment, the ATM
manufacturer faces no security issues. This work is
corresponding set of Service Provider Interfaces (SPIs). The considered as preventive measure. In view of ensuring
API provides access to financial services for Windows-based confidentiality, integrity and availability, the risk assessment
XFS applications. The SPI is similar to the API, even though identifies all logical threats, vulnerabilities and impacts to
it is utilized for the direct communication of vendor-specific organizational operations, products and assets. This
service providers. Each of the service providers represents a guarantees that the ATM manufacturer can offer a high level
peripheral device of the ATM. of software security. Additionally, the risk assessment must
1) XFS Manager be reproducible, repeatable and extensible.
The heart of the XFS architecture is the XFS manager 2) Scope
that handles the overall management of the XFS subsystem. The ATM manufacturer sells its banking products in a
This component is responsible for establishing and mapping business area that underlies different regulations designed to
the communication between API and SPI. In addition, the protect cash and sensitive data. Equivalent to these
XFS manager is concerned about synchronously or regulations, the scope of this risk assessment focuses on the
asynchronously calling the appropriate service provider. For protection of the same assets including the reputation of the
this task, a service provider is identified by a logical name company. Latter is part of the risk assessment because
parameter, which is unique within each workstation. As security issues are highly correlated to the public image of
support, the XFS manager uses the configuration information the ATM manufacturer and its products.
component. This component stores the logical name
parameter and defines the relationships between the 3) Assumptions and Constraints
Windows-based XFS application and service providers. The risk assessment ignores countermeasures, security
solutions and security processes a financial institute or an
2) Service Providers independent ATM deployer has in place. Moreover, when
Either a vendor of a peripheral device or the ATM evaluating risk factors such as threat sources, threat events,
manufacturer has to implement the service provider in order likelihood or impact, decisions are based on the worst case
to translate the device features into XFS services. Due to the scenario.
fact that the peripheral devices differ in their capabilities and
applications, service providers are grouped according to 4) Information Sources
device classes. For example, the two service providers, Card Within the scope of the risk assessment, the ATM
Reader and Cash Dispenser represented in Figure 2, belong manufacturer provides security-related documents. These
to the device class Identification Card Device (IDC) and documents describe the platform architecture, planned and
Cash Dispenser Module (CDM). Regardless of the device already implemented security mechanisms and possible
class, a service provider is responsible for the functionality threat scenarios. We use additional sources like ATM
of translating the generic XFS request to commands that are security guidelines [12] and best practice approaches for
native to the used device. ATM security [30]. Besides this kind of explicit knowledge,
The main benefit of the XFS architecture is the fact that the risk assessment is supported by expert interviews. The
the XFS manager and the XFS applications are isolated from experts are employed at the ATM manufacturer and are
the communication between service providers and peripheral divided into two groups. The first group contains technical
devices. As a result, vendors can individually develop their staff with knowledge in developing the ATM platform. The
service providers, which are tailored to the devices and second group has a deep understanding in operating the
accessible through the XFS-API. Conversely, the XFS ATM platform for a financial institute or an independent
application that is using the ATM platform can be exchanged ATM deployer.

2016, © Copyright by authors, Published under agreement with IARIA - www.iaria.org

International Journal on Advances in Security, vol 9 no 3 & 4, year 2016, http://www.iariajournals.org/security/

127

5) Risk Assessment Process ration files, focusing on the change of the user ac-
The utilized risk assessment process takes its cue from cess control model to gain more privileges.
the process recommended by NIST. A difference to the x Software Component Modification, modifying an
proposed process is that the definition of assets is in front of executable or an assembly of the ATM platform,
the threat source and threat event identification. Although assuming the adversary can decompile the target
NIST defines asset identification as part of the preparation, file.
this task is added as an additional step in order to point out x Test Utility Exploitation, exploiting test utilities
the assets that are worthy to protect. Consequently, the used by service technicians, IT specialists and ATM
applied risk assessment process consists of the following six platform engineers for maintenance.
steps:
a) Definition of Assets Eventually, the events were connected to threat sources
The main assets are sensitive data, cash and the compa- and logically ordered to create entire scenarios. As a result,
ny's reputation. Cash can be more precisely defined as real we have designed a directed graph for each threat group. For
cash represented by bills and coins as well as book money the graphical representation of the threat events, CORAS, a
transferred from one bank account to another. The general model-based method for security risk analysis [31], is used.
term of sensitive data summarizes data and information that By using this graphical approach, the risk assessment bene-
refers to an individual or is required to secure the system. For fits from several advantages.
instance, card data, personal identification number (PIN), For instance, CORAS improves the communication and
account data or secret keys belong to this category. interaction between the involved parties. Therefore, it pro-
vides a precise description of the system including its securi-
b) Identification of Threat Sources and Events ty features in a simple format. Additionally, CORAS pro-
We have derived threat sources by interviewing ATM vides a tool to support the risk assessment team in document-
platform engineers and customer solutions employees. The ing, maintaining and reporting the assessment result and as-
resulting sources are: attacker (or hacker), thief, cash in sumptions [31]. Figure 3 shows a snippet of the graph re-
transit (CIT) employee, IT specialist (in data center), bank garding the disclosure of sensitive data. With this graphical
clerk, helpdesk employee, service technician and employee visualization on the table, the relevance of all threat scenari-
of ATM manufacturer. Threat events were identified in form os was assessed and classified as either confirmed, likely,
of brainstorming sessions. Threats were grouped to catego- unlikely or not applicable. This is shown in Figure 3 by a
ries, which were derived from the primary objective of the label next to the threat source.
threat events or an important key passage in an entire sce- c) Identification of Vulnerabilities
nario:
In order to disclose vulnerabilities in the ATM platform,
x Denial of Service, making the ATM platform una-
we have analyzed the threat scenarios based on countermea-
vailable to a customer by dominating some of its
sures recommended in Section III. For instance, as is shown
resources.
in Figure 3 by the second of the two lock symbols, missing
x Malicious Software Injection, injecting malicious hard disk encryption may allow a thief or service technician
software, such as Trojan horses, viruses or worms to access and read data on an ATM’s hard disk.
at the OS level or the ATM platform level. d) e) Determination of Overall Likelihood and Magni-
x Sensitive Data Disclosure, gathering unprotected tude of Impact
cardholder data.
x Configuration File Modification, changing configu- We have derived the likelihood of occurrence from the
ration files of the ATM platform. characteristics of particular threat sources. These characteris-
tics had been determined in discussions with employees from
x Privilege Settings Modification, modifying configu-

Figure 3. Snippet from Threat Diagram: Sensitive Data Disclosure.

2016, © Copyright by authors, Published under agreement with IARIA - www.iaria.org

International Journal on Advances in Security, vol 9 no 3 & 4, year 2016, http://www.iariajournals.org/security/

128

Therefore, we have used a likelihood impact combination

matrix as proposed by NIST; see in [25] on page I-1 of the
appendix. According to this matrix the level of impact is
heavier weighted than the likelihood. This idea is also ap-
plied in this case study because interview partners considered
the impact as dominant determinant of the risk level.
Based on the previous assessments of the overall likeli-
hood and magnitude of impact for each threat scenario, both
determinants have been combined according to the matrix.
As a result, a likelihood impact diagram illustrates the risks
of each category, as shown by the example in Figure 4. The
coloring of the diagram is based on the likelihood impact
combination matrix and represents the five areas in which a
risk can fall. For clarification, the ten-step scale on both axes
is divided by five with the consequence that two steps count
for one qualitative value. In the diagram a risk (caused by a
single threat scenario) is indicated through a dot. The posi-
Figure 4. Likelihood Impact Diagram. tion of this dot is horizontally defined by the estimation of its
likelihood and vertically by its impact.
The determination of the risk has been conducted for all
the ATM manufacturer and included capabilities of threat
seven threat groups by simply combining likelihood and im-
sources as well as intent and targeting, see (24). The likeli-
pact. As a result, Table I shows the distribution of risks
hood of success has been determined by the vulnerabilities of
across the seven threat groups. The numbers do not represent
the ATM platform. After the identification of both likelihood
individual scenarios, but threat sources of such scenarios. For
aspects (i.e., occurrence and success) they were combined to
example, in Figure 3 we have one threat scenario with two
the overall likelihood of the threat scenario.
different threat sources, i.e., thief and service technician.
The magnitude of impact is expressed by the final result
Table II changes the perspective and shows how counter-
of a threat scenario. Scenarios that were linked to the three
measures affect risks of different risk levels. The letters A to
assets of the ATM have been assessed as very high (10) or
F on the left correspond to Sections III.A through III.F as
high (8) since they caused an immediate loss when they get
well as to Sections VI.A through VI.F. This table helps in
stolen or damaged. Harm to the ATM manufacturer is evalu-
identifying security controls that are useful to mitigate multi-
ated as high (8) and the impact of indirect harm is considered
ple risks at once. Similar to Table I, the numbers do not rep-
as moderate (5). The latter is weighted as moderate because a
resent single threat scenarios but threat sources.
further threat scenario is necessary to actually cause damage.
f) Determination of Risk
TABLE II. DISTRIBUTION OF COUNTERMEASURES.
Finally, the last step of the risk assessment is the risk de-
termination. The risk determination has the aim to aggregate Risk Level
all assessed aspects of the risk factors to a single value. Countermeasure very mod- very
high low
high erate low
TABLE I. DISTRIBUTION OF RISKS.
Change Control 1 7 13 7 -
Risk Level
Threat Group very mod- very Data Masking - 1 3 - -
high low A
high erate low User Access Con-
- 1 15 14 -
trol
Denial of Service - - - 2 -
Password Policy - 1 3 - -
Malicious Software
- 7 40 19 - Host-based Fire-
Injection B 2 6 4 1 -
wall
Sensitive Data Disclosure 2 8 13 - - Application Con-
C 1 9 38 - -
Configuration File trol
1 7 13 7 - Full Hard Disk
Modification D - 9 55 19 -
Encryption
Privilege Settings
- 1 15 14 - E Patch Management - 2 9 7 -
Modification
Software Component Securing Test
1 7 37 - - - 4 8 - -
Modification Utilities
F
Device Control
Test Utility Exploitation - 6 12 - - - 2 1 6 -
(for USB Port)

2016, © Copyright by authors, Published under agreement with IARIA - www.iaria.org

International Journal on Advances in Security, vol 9 no 3 & 4, year 2016, http://www.iariajournals.org/security/

129

VI. DISCUSSION utilized for this purpose. At these endpoints normally an

The discussion about countermeasures in the literature Internet connection is available for regularly updating the
reflects the result of the assessment in our case study. The signature database or transferring behavior-based malware
case study additionally highlights security approaches and data to an Internet service for further investigation. However,
technologies, which were identified as most appropriate for at an ATM the concept of a blacklist is inappropriate as
dealing with logical ATM risks. mentioned in Section III. Consequently, the protection
against unauthorized software on an ATM must change the
A. Cardholder Data Protection perspective and should focus on whitelisting.
We have identified change control and efficient user When establishing a whitelisting solution on an ATM,
access control as most appropriate for protecting cardholder the execution of applications and executables is limited to a
data and also for threat scenarios that focus on settings known set. This set includes files that are required to run the
changes or software components of a running ATM plat- operating system and ATM platform. All other executable
form. The main purpose is to guarantee that neither unneces- files that are not within the whitelist, even though they are
sary nor unwanted changes are made. A change control sys- not malicious, cannot be started. As a consequence, threat
tem also supports the documentation of modifications, en- scenarios that install known or tailored malware on the ATM
sures that resources are used efficiently and services are not platform fail in the execution of the malicious software. In
unnecessarily disrupted. With reference to ATMs, it can be more detail, an adversary can apply different approaches to
additionally applied for ensuring PCI compliance because store the malicious file on the system without facing a
the change control system provides an overview of software restriction from the control of a whitelisting solution.
that is deployed within the ATM environment. Although data However, the security protection raises an alert and stops the
masking is activated by default by the investigated ATM execution process when calling the executable.
platform, there are threat sources capable to disable this fea- Additionally, threat scenarios with the attempt to use a
ture. Consequently, the approach of obfuscating data be- modified software component of the ATM platform fail to
comes inadequate if user access control is not in place. The execute the prepared file. The reason is that almost all
most efficient way of implementing a user access control whitelisting solutions calculate and store the hash value of a
mechanism is by applying the user management that comes whitelisted executable in order to ensure integrity of the file.
with the OS. Not a technical but an organizational counter- Hence, a slight modification can be detected because the
measure is the implementation of a password policy, which difference in one bit results in another hash value. In case the
enforces a periodical change of passwords that are either hash values do not match, the executable is considered as
used for locking user accounts or for switching to the untrusted and is prevented from running on the system. As
maintenance mode of the ATM platform. an add-on to hash values, solutions make use of software
certificates, trusted publisher or trusted directories. Latter can
B. Host-based Firewall be a security weakness when a user has write permission on
Malicious use of the network interface can be mitigated the directory.
through a host-based firewall. Such a firewall should work
D. Full Hard Disk Encryption
on the level of protocols, ports and processes. In other words,
the configuration of the firewall must specify the protocol Hard disk encryption is a powerful countermeasure
and port that can be used by a particular process for estab- against alternatively booting the system for malicious activi-
lishing an outgoing connection. The same applies for pro- ties. Several threat events require access to an ATM's com-
cesses that are receiving incoming traffic. All ports and pro- puter to boot the system from an alternative medium. Al-
tocols that are not in use must be blocked by default. though launching an alternative OS would work because the
By configuring the firewall for each process and closing environment is running in the RAM, access to the encrypted
all other connections, it is unlikely that an adversary can dis- hard disk fails. As a result, an adversary is not able to search
cover an unauthorized port or protocol. Moreover, it is not for sensitive data, to drop malicious files, to collect executa-
possible to open a connection to transmit sensitive data over bles and dynamic link libraries from the ATM platform or to
the network. So, malware that collects data on an ATM plat- change the privileges of restricted objects.
form cannot communicate with a receiving service due to the Furthermore, hard disk encryption tones down threat sce-
exclusive utilization of open ports and protocols. narios that concentrate on stealing or exchanging a hard disk
inasmuch as an encrypted hard disk is linked to the computer
C. Application Control and cannot be used on another system. A Trusted Platform
Other threat events are focused on installing malicious Module (TPM) chip, which is mounted on the main board of
code on the ATM platform. After the infection of the target, the computer, can be used to establish this connection. Other
this malware hides in the system and can be activated approaches do not require additional hardware, but can com-
through an adversary. Examples of such malware are pute the encryption key based on unique characteristics of
discussed in Section III. In order to deal with this type of installed hardware components or network location of the
threat, a countermeasure must be in place that detects and ATM. Consequently, exchanging the hard disk is useless as
avoids the execution of unauthorized software. In a long as the surrounding environment cannot be made availa-
workstation environment an antivirus solution should be ble.

2016, © Copyright by authors, Published under agreement with IARIA - www.iaria.org

International Journal on Advances in Security, vol 9 no 3 & 4, year 2016, http://www.iariajournals.org/security/

130

E. Patch Management By conducting an additional survey about ATM security

A fundamental base for an effective patch management is in Nigeria, Adesuyi et al. derive a similar result like Adepoju
appropriate hardening of a system. Compared to a firewall and Alhassan [34]. They highlight that some of the security
that works at the network side, system hardening focuses on measures of an ATM are obsolete and inadequate. Fraudu-
the OS level and removes or disables all unnecessary appli- lent activities on can be easily performed on an ATM. In
cations, users, logins and services. For instance, non- order to overcome this problem, the work proposes im-
essential applications, which may offer useful features to a provements in the authentication process by installing a fin-
user at a workstation, must be removed because they could ger vein technology or a facial recognition system.
provide a backdoor to an ATM environment. Next to harden- B. Logical ATM Attacks
ing, a rule policy with defined user privileges must be in
place. The reason is that managing a distributed system like A work that investigates the security of ATMs from a
an ATM network still provides a vector for the installation of logical viewpoint has been conducted by Bradbury in 2010
malware by maintenance staff. Based on that groundwork, a [21]. According to this study, logical fraud activities on
continuous patch management allows a financial institute to ATMs are increasing and executed as organized and highly
provide protection against known viruses, worms and vul- sophisticated attack. Besides, adversaries are capable to ma-
nerabilities within an OS. nipulate the software inside of ATM to directly withdraw
money. The severity of this issue is underlined by the fact
F. Device-specific Requirements that both banks and customers are facing heavy losses.
For dealing with the potential danger arising from test C. ATM Risk Management
tools used by ATM platform engineers, service technicians
and IT specialists, it is important that these tools function In the article titled ATM Risk Management and Controls,
only under certain circumstances. Especially, when the ATM Rasiah discusses the topic of an ATM risk assessment like
is in maintenance mode, the tools should support the activi- this paper. But in contrast to our technical perspective, Ra-
ties on the ATM. But, in all other cases they must be disa- siah adapts a non-technical approach and investigates the risk
bled. Device control comes into play when the USB ports of management and controls by defining general ATM security
an ATM represent possible entry points for a malicious ac- goals [35]. At the beginning, the work highlights the main
tivity. Similar to the concept of application control, device points of ATM crime and ATM security as mentioned in
control can be implemented by whitelisting solutions too. Sections II and III, respectively. Without going into details,
Instead of blocking an application, a whitelisting solution the work provides a general overview on ATM risk related
topics. For instance, it provides recommendations for han-
can block the USB driver resulting in disabled USB ports.
dling stolen cards and for mailing the PIN to the customer.
VII. RELATED WORK As a conclusion, the author points out that these issues have
become a nationwide problem and banks must meet certain
This section highlights related work in the area of ATM standards to guarantee a secure banking environment.
security. Financial institutions argue that releasing any tech-
nical information about the implementation of an ATM VIII. CONCLUSION AND FUTURE WORK
would threaten the security of the devices. Consequently, it
Automated teller machines have become indispensable in
is difficult to find work that deals with the risk assessment of
ATMs. Notwithstanding, some publications discuss security today's banking environment. Although customers primarily
challenges in operating an ATM. use ATMs for withdrawing money, the further development
in this area has integrated additional features for other bank-
A. Card and Currency Fraud ing activities. This further development is the reason that an
In the summary of an ATM risk assessment, DeSomer ATM is widely accepted and considered secure. However, it
demonstrates card skimming as the highest ATM risk [32]. is also an attractive target for criminals especially because it
In order to detect a card skimming device or the installation processes financial customer transactions and contains real
of a camera for PIN capturing, the author highlights risk mit- cash. In order to protect the money and customer data inside
igation measures, such as jitter devices, lighting improve- an ATM, it is essential to understand the threats and their
ments or fraudulent device inhibitors. Furthermore, the arti- risks.
cle provides recommendations for choosing a nonmanipulat- In this paper, we have discussed various aspects of ATM
ed ATM and for using the ATM card in a secure manner. security, i.e., card and currency fraud, physical attacks as
With focus on installed ATMs in Minna, Nigeria, well as logical attacks. Logical risks of a specific ATM have
Adepoju and Alhassan show the result of their empirical been assessed in a case study to evaluate and prioritize ap-
research, which analyzes the ATM usage in combination propriate countermeasures. The risk assessment has provided
with fraudulent activities in this area [33]. The authors come information about countermeasures in general and their im-
to the conclusion that most of the fraudulent activities are portance in particular. This allows the ATM manufacturer to
skimming attacks and PIN thefts by various means. Moreo- better plan resources for security and concentrate on the most
ver, they point out that fraudsters are able to keep on track important countermeasures first. Also, we have found out
with the further development of ATMs, but banks do not that countermeasures suggested in the literature are effective
install adequate countermeasures to deal with these types of for the identified risks. By multiplying risk levels and the
threats. number of threat sources of Table II, we have identified ap-

2016, © Copyright by authors, Published under agreement with IARIA - www.iaria.org

International Journal on Advances in Security, vol 9 no 3 & 4, year 2016, http://www.iariajournals.org/security/

131

plication control, full hard disk encryption, and user access 5_ATM%20Fraud%20and%20Security.pdf.
control to be most effective, as they provide protection to [Accessed: 14-Nov-2016].
most identified risks. A host-based firewall is also a must for [6] R. T. Guerette and R. V. Clarke, “Product Life Cycles
ATM security, as it protects against very high risks. and Crime: Automated Teller Machines and Rob-
Future work should focus on the consideration of addi- bery,” Secur. J., vol. 16, no. 1, pp. 7–18, 2003.
tional adversarial threat sources, such as cyber criminals or [7] Kasperksy Lab, “Jackpot am Geldautomaten: Wie
cyber terrorists. Compared to the threat sources discussed in man mit oder ohne Malware zu Bargeld kommen
this work, these groups represent structured organizations kann - Securelist,” SecureList, 07-Feb-2016. Availa-
with advanced skills for conducting sophisticated attacks. In
ble: https://de.securelist.com/analysis/veroffentlich
the subject area of ATM security it is commonly accepted
ungen/71316/malware-and-non-malware-ways-for-
that these groups are gaining power. Another category of
threat sources, which we did not consider in this paper, is the atm-jackpotting-extended-cut/. [Accessed: 14-Nov-
group of competitors in the field of ATM development. 2016].
Threats outgoing from competitors are interesting for inves- [8] RBR, “Global ATM Market and Forecasts to 2018,”
tigation because they would primarily focus on disturbing Retail Bank. Res., vol. 2013.
the availability of the targeted ATM in order to damage the [9] ENISA, “ATM Crime: Overview of the European
manufacturer's reputation. Furthermore, this risk assessment situation and golden rules on how to avoid it,” 2009.
is limited to the operating system and ATM platform. Con- [10] GMV, “Protect your automatic teller machines
sequently, future work could consider the entire software against logical fraud,” 2011. Available: http://www.
stack including multi-vendor ATM software or a bank appli- gmv.com/export/sites/gmv/DocumentosPDF/checker/
cation on the top of the ATM platform. When a risk assess- WhitePaper_checker.pdf. [Accessed: 14-Nov-2016].
ment contains multi-vendor ATM software, the main atten- [11] S. Chafai, “Bank Fraud & ATM Security,” InfoSec
tion should concentrate on the interface to the ATM plat- Institute, 2012. Available: http://resources.infosec
form. The reason is that the interface can contain an unclosed institute.com/bank-fraud-atm-security/. [Accessed:
entry point for malicious software. This vulnerability can be 14-Nov-2016].
unknowingly exploited, even though both the ATM platform [12] PCI, “Information Supplement PCI PTS ATM Securi-
and multi-vendor ATM software are functioning correctly. ty Guidelines,” PCI Security Standards Council,
ATM frauds not only cause financial loss to financial in- 2013. Available: https://www.pcisecuritystandards.
stitutes or independent ATM providers, but they also under- org/pdfs/PCI_ATM_Security_Guidelines_Info_Suppl
mine customers' confidence in the use of ATMs. In order to
ement.pdf. [Accessed: 14-Nov-2016].
deal with this issue and to provide a secure environment for
the installed ATMs, it is important to understand the associ- [13] F. Lowe, “ATM community promotes jitter technolo-
ated risks. A contribution to this challenge is made by this gy to combat ATM skimming,” ATMMarketplace,
work, which emphasizes the consideration of ATM fraud 2010. Available: http://www.atmmarketplace.com/
from a logical perspective. This should help to integrate ade- article/178496/ATMcommunity-promotes-jitter-tech
quate countermeasures in order to make it difficult to con- nology-to-combat-ATM-skimming. [Accessed: 14-
duct and successfully complete an attack. Nov-2016].
[14] T. Kitten, “ATM Attacks Buck the Trend,” BankIn-
REFERENCE foSecurity, 2010. Available: http://www.bankinfo
[1] J. Braeuer, B. Gmeiner, and J. Sametinger, “ATM security.com/atm-attacks-buck-trend-a-2786. [Ac-
Security: A Case Study of a Logical Risk Assess- cessed: 14-Nov-2016].
ment,” ICSEA 2015, Tenth International Conference [15] ATMSWG, “Best Practice For Physical ATM Securi-
on Software Engineering Advances, 2015, pp. 355– ty,” ATM Security Working Group, 2009. Available:
362. http://www.link.co.uk/SiteCollectionDocuments/Best
[2] B. Batiz-Lazo and R. Reid, “The Development of _practice_for_physical_ATM_security.pdf. [Ac-
Cash-Dispensing Technology in the UK,” IEEE Ann. cessed: 14-Nov-2016].
Hist. Comput., vol. 33, no. 3, pp. 32–45, 2011. [16] DrWeb, “Trojan.Skimer.18 infects ATMs,” Doctor
[3] T. Kaltschmid, “95 Prozent aller Geldautomaten lau- Web. Available: http://news.drweb.com/?i=4167.
fen mit Windows XP,” heise online. Available: [Accessed: 14-Nov-2016].
http://www.heise.de/newsticker/meldung/95-Prozent- [17] J. Leyden, “Easily picked CD-ROM drive locks let
aller-Geldautomaten-laufen-mit-Windows-XP- Mexican banditos nick ATM cash,” BusinessWeek:
2088583.html. [Accessed: 14-Nov-2016]. Technology. Available: http://www.theregister.co.uk/
[4] C. Benecke and U. Ellermann, "Securing Classical IP 2013/10/11/mexico_atm_malware_scam/. [Accessed:
over ATM Networks," in Proceedings of the 7th con- 14-Nov-2016].
ference on usenix security symposium (SSYM ’98), [18] Metro, “Stuxnet worm ‘could be used to hit ATMs
Berkeley, CA, US, 1998, pp. 1–11. and power plants,’” Metro. Available:
[5] Diebold, “ATM Fraud and Security,” Diebold, 2012. http://metro.co.uk/2010/11/25/stuxnet-worm-could-
Available: http://securens.in/pdfs/KnowledgeCenter/

2016, © Copyright by authors, Published under agreement with IARIA - www.iaria.org

International Journal on Advances in Security, vol 9 no 3 & 4, year 2016, http://www.iariajournals.org/security/

132

be-used-to-hit-atms-and-power-plants-591077/. [27] R. K. Rainer, C. A. Snyder, and H. H. Carr, “Risk

[Accessed: 14-Nov-2016]. Analysis for Information Technology,” J. Manag. Inf.
[19] 30C3, “Electronic Bank Robberies - Stealing Money Syst., vol. 8, no. 1, pp. 129–147, 1991.
from ATMs with Malware,” presented at the 30th [28] ENISA, “Risk Management: Implementation princi-
Chaos Communication Congress (30C3), 2013. ples and Inventories for Risk Management/Risk As-
[20] R. Munro, “Malware steals ATM accounts and PIN sessment methods and tools.,” 2006. Available:
codes,” theInquirer, 2009. Available: http://www. http://www.enisa.europa.eu/activities/risk-manageme
theinquirer.net/inquirer/news/1184568/malware- nt/current-risk/risk-management-inventory/files/deli
steals-atm-accounts-pin-codes. [Accessed: 14-Nov- verables/risk-management-principles-and-inventories-
2016]. for-risk-management-risk-assessment-methods-and-
[21] D. Bradbury, “A hole in the security wall: ATM hack- tools. [Accessed: 14-Nov-2016].
ing,” Netw. Secur., vol. 2010, no. 6, pp. 12–15, 2010. [29] T. R. Peltier, Information Security Fundamentals, Se-
[22] PCI, “PCI DSS - Requirements and Security Assess- cond Edition. Boca Raton, FL, US: CRC Press, 2013.
ment Procedures,” PCI Security Standards Council, [30] “Best Practices for ATM Security,” GRGBanking,
2013. Available: http://de.pcisecuritystandards.org/ May 2011.
_onelink_/pcisecurity/en2de/minisite/en/docs/PCI_DS [31] F. Braber, I. Hogganvik, M. S. Lund, K. Stølen, and
S_v3.pdf. [Accessed: 14-Nov-2016]. F. Vraalsen, “Model-based Security Analysis in Sev-
[23] J. J. Leon, “The case of ATM Hard Disk Encryption,” en Steps — a Guided Tour to the CORAS Method,”
RBR Bank. Autom. Bull., vol. 318, pp. 11–11, 2013. BT Technol. J., vol. 25, no. 1, pp. 101–117, Jan. 2007.
[24] H. Cavusoglu, H. Cavusoglu, and J. Zhang, “Econom- [32] F. DeSomer, “ATM Threat and Risk Mitigation,”
ics Of Security Patch Management,” in Proceedings Thai-American Business, vol. 2, pp. 28–29, 2008.
of the The Fifth Workshop on the Economics of In- [33] A. S. Adepoju and M. E. Alhassan, “Challenges of
formation Security (WEIS 2006), Cambridge, UK, Automated Teller Machine (ATM) Usage and Fraud
2006. Occurrences in Nigeria - A Case Study of Selected
[25] “NIST Special Publication 800-30 Revision 1, Guide Banks in Minna Metropolis,” J. Internet Bank. Com-
for Conducting Risk Assessments,” National Institute mer., vol. 15, no. 2, 2010.
of Standards and Technology, 2012. Available: [34] F. A. Adesuyi, A. A. Solomon, Y. D. Robert, and O.
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecial I. Alabi, “A Survey of ATM Security Implementation
publication800-30r1.pdf. [Accessed: 14-Nov-2016]. within the Nigerian Banking Environment,” J. Inter-
[26] G. Stoneburner, A. Y. Goguen, and A. Feringa, “SP net Bank. Commer., vol. 18, no. 1, pp. 1–16.
800-30. Risk Management Guide for Information [35] D. Rasiah, “ATM Risk Management and Controls,”
Technology Systems,” National Institute of Standards Eur. J. Econ. Finance Adm. Sci., vol. 21, pp. 161–
& Technology, Gaithersburg, MD, US, 2002. 171.

2016, © Copyright by authors, Published under agreement with IARIA - www.iaria.org