EXCLUSIVE: “Ground Zero” – Juan Ramon Aramendia, Auriga in ‘The Fintech Magazine’
Thursday, March 28, 2024


ATMs and assisted self-service machines are among the most vulnerable assets of a bank’s estate and the most difficult to protect, says Juan Ramon Aramendia, Head of Cybersecurity Product Engineering at Auriga. But there is a solution

Every 39 seconds there is a cyber attack on a computer or a network somewhere in the world, according to the University of Maryland Cyber Security Center in Washington. And among the devices most vulnerable to those attacks are bank ATMs and the growing network of assisted self-service terminals (ASSTs), of which industry body RBR estimates there are now more than 340,000. Every one of them is, potentially, a point of vulnerability in the security armour of a bank, and it’s a threat for which omnichannel banking technology solutions provider Auriga believes a new defence is needed: not a technical fix but a paradigm shift in the security methodology used to protect these devices.

According to Juan Ramon Aramendia, head of cybersecurity product engineering at Auriga, this solution needs to recognise that ATMs and ASSTs are part of the critical infrastructure of a bank while, at the same time, they occupy a uniquely exposed position within it. That’s because the technology on which automated tellers are based has evolved from powering simple, standalone conduits for cash (still a vital payment method worldwide) to a complex, multi-layered system, running financial portals that allow deep access into not just one, but multiple banks’ critical infrastructure via a single, public interface.

“The computer architecture they are based on (Von Neumann) was designed in 1945,” says Aramendia. “On top of this, we built different software layers to simplify things, such as the operating system that hides the complexity of the lower levels.

“This allows somebody to create applications using high-level programming languages, and even in that, we have multiple layers and reuse of code, etc.

“The other critical point is the dependency on network communications. The TCP/IP protocol was designed in the early 70s when they were not thinking about security; they were thinking about reliability. Two computers could connect to each other in a reliable way. Nobody thought somebody would impersonate one end to connect to the other.”

The complexity of computer systems and networking protocols, and their vulnerabilities, are not new, then, but they were considered mere technical issues until the late 1990s or early 2000s, when threat actors started to show a sustained interest in them. Exploiting technical vulnerabilities can give access to the most valued assets of a company, whether that is information (confidential data, intellectual property) or physical assets (think of manufacturing robots or ATMs holding cash). The increasing profitability and low risk of cyberattacks have made them very attractive to organised crime, and the financial industry is a top target.

“The [fundamental] architecture isn’t going to change, so you have to look at security in a different way,” says Aramendia. “And that’s where zero trust comes in.” He argues that traditional endpoint security models are no longer rigorous enough since, in those, trust is typically based either on the legitimacy of the software or on known malicious behaviours.

“But this trust model should not be considered robust when dealing with inherently vulnerable systems [such as ATMs] where attacks are highly targeted, and where third-party actors can have uncontrolled physical and privileged access to the devices (as in the case of technical maintenance),” he says.

For years, criminal gangs’ preferred, albeit hazardous, modus operandi was to pump ATMs full of explosive chemicals and blast them out of the wall (and such heists still occur on a daily basis in some countries). But figures compiled by the ATM Security Association in 2022 showed that about 70 per cent of more than 10,000 global ATM crimes are now fraud related. Auriga’s own research puts the bad actors behind them into three distinct categories:

  • ‘Lone riders’, who commonly use black market malware to infect an ATM, triggering it to pump out cash
  • Organised crime groups, who will often tap insiders and have capabilities to develop their own malware or modify and adapt existing malware, which can be used for large-scale attacks
  • Nation state actors, backed by huge resources to coordinate intelligence and carry out external ‘black hat’ hacks, targeting critical infrastructure like ATMs to disrupt a population’s access to cash

The most common attacks on ATMs fall into the second category in which criminals target a machine’s two most valuable assets – cash or the card data used to access it. Tactics include using malware to abuse the XFS layer, blackbox devices to send illegitimate commands to the dispenser, and man-in-the-middle network attacks to manipulate transaction authorisations.

It’s a common tactic to first perform a hard disk robbery or ‘cold-boot’ attack in order to gather privileged information, which is reverse-engineered for targeted breaches. Auriga says it’s also seeing increased supply chain compromise – such as software image manipulation in the ATM deployment process – which relies on people with physical access to the ATMs. Rogue hardware devices are also deployed to fool the OS and gain access to the system.

Against that backdrop, Aramendia says: “Cybersecurity management needs to complement and coexist with digitisation of the programmes, especially on the deployment of the most advanced ATMs and ASSTs. Security leaders can take preventative measures to reduce the likelihood of attacks and mitigate the damage. Banks and financial services providers should look to embrace the concept of Zero Trust across their entire infrastructure to secure self-service devices, especially those that were previously vulnerable to cyberattacks.”

Zero Trust emerged as an IT methodology when it became clear that the perimeter security approach – in which people were confident that everything on the outside could not be trusted and everything inside could – was compromised by evolving networks and information transfer.


“As data (Cloud, hybrid infrastructures) and workers (hybrid, remote offices) are now more mobile than ever, the perimeter no longer exists – internal and external systems and users bring the same risks,” explains Aramendia. “The Zero Trust security model is based on the assumption that any infrastructure can already be compromised by the mere fact of existing. So, when we talk about operational technology environments that manage critical devices, such as ATMs or ASSTs, Zero Trust must be at the core. This model must make a series of suspicious assumptions about the vulnerability of the infrastructure that manages the devices, assuming that the remote access system can be manipulated, that the software distribution system can be used to deploy malware, that the maintenance technician or the end user themselves can be attackers, or that our hard drive can be stolen to carry out reverse engineering activities.”

Auriga’s solution is its Lookwise Device Manager (LDM), a centralised modular platform that can protect and monitor critical devices and perform customised reactions to threats. Among its customers is 5B, a leading ATM provider in Central America, which manages more than 2,600 ATMs in Guatemala alone and handles more than 30 million transactions a month. Only 25 per cent of its ATM network is based at banks, with the rest at shopping malls, filling stations and pharmacies.

Among the features of the LDM platform developed for 5B are a secure software image deployment process, together with software and hardware whitelisting. The software whitelisting protects the integrity of the file system and prevents manipulation of critical files in software images; the hardware whitelisting blocks unauthorised hardware devices from connecting to the ATM.

In addition, all maintenance is scheduled, authorised and monitored by the 5B cybersecurity team. And there is a 24/7 monitoring and response programme with automatic detection of any suspicious activity. This has made it possible for 5B to achieve 98.4 per cent uptime for the entire ATM network and allows the business to maintain full control over the integrity of software and hardware deployed on its fleet. Aramendia concedes that undiluted Zero Trust is not always possible in reality, but its significance as a starting point for developing cybersecurity safeguards should not be underestimated.

“There should always be a secure or ‘trusted core’, which must be based on always granting the minimum necessary privileges and thus drastically reduce the attack surface,” he says. “In the case of critical devices, the key to defining this ‘core of trust’ involves trusting only those resources (software and hardware) and accesses (local or remote) that are strictly necessary for the correct provision of the service, identifying them in a precise manner, and verifying them in each use.

“The criteria for adding elements to the ‘trust core’ must always be based on learning linked to the internal certification processes of the devices and never be based exclusively on reputation – remember that criminals often use legitimate tools to attack us. However, the security policy must still be aligned with the operating state of the device. When it’s in service, this policy must be as restrictive as possible, but when the device is subject to a planned technical maintenance process, it should be relaxed temporarily, monitoring all activity, and explicitly authorising any changes that affect that ‘secure core’.

“Finally, it is critical that all chosen security technologies are ready to adapt to the different needs of an entity that is, in itself, heterogeneous. They must be easy to use and allow security policies to be easily created, updated, and implemented.”
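The ‘trusted core’ policy Aramendia describes (allowlist only what certification has verified, check it on every use, restrict fully while in service, relax only for explicitly authorised changes during a planned maintenance window, and log everything) can be sketched as a small policy evaluator. This is an added illustration written for this article, not Auriga’s or LDM’s code; the class and function names, the ticket ID and the device IDs are all constructed placeholders.

```python
import hashlib
from enum import Enum

class State(Enum):
    IN_SERVICE = "in_service"    # policy as restrictive as possible
    MAINTENANCE = "maintenance"  # relaxed only for explicitly authorised changes

class TrustedCorePolicy:
    # Allowlist of certified software (sha256 digests) and hardware (device IDs),
    # populated from the device's own certification, never from reputation.
    def __init__(self, certified_binaries, certified_hardware):
        self.certified = {"binary": set(certified_binaries),
                          "hardware": set(certified_hardware)}
        self.state = State.IN_SERVICE
        self.authorised = set()   # changes approved for the current window only
        self.audit_log = []       # every decision, for 24/7 monitoring

    def enter_maintenance(self, ticket, approved_changes):
        self.state, self.authorised = State.MAINTENANCE, set(approved_changes)
        self.audit_log.append(("maintenance_start", ticket))

    def end_maintenance(self):
        self.state, self.authorised = State.IN_SERVICE, set()
        self.audit_log.append(("maintenance_end", None))

    def _check(self, kind, ident):
        allowed = ident in self.certified[kind] or (
            self.state is State.MAINTENANCE and ident in self.authorised)
        self.audit_log.append((kind, ident, self.state.value, "allow" if allowed else "block"))
        return allowed

    def check_binary(self, content):
        return self._check("binary", hashlib.sha256(content).hexdigest())

    def check_hardware(self, device_id):
        return self._check("hardware", device_id)

def demo():
    # Constructed sample inputs; device IDs and ticket are placeholders.
    good = b"constructed: certified dispenser service v1"
    patch = b"constructed: dispenser service v2, applied during maintenance"
    policy = TrustedCorePolicy([hashlib.sha256(good).hexdigest()],
                               ["placeholder-vendor:dispenser"])
    r = {"known_bin": policy.check_binary(good), "unknown_bin": policy.check_binary(patch),
         "unknown_hw": policy.check_hardware("placeholder-vendor:usb-storage")}
    policy.enter_maintenance("CHG-0001", [hashlib.sha256(patch).hexdigest()])
    r["patch_in_maint"] = policy.check_binary(patch)
    policy.end_maintenance()
    r["patch_after_maint"] = policy.check_binary(patch)  # not yet certified
    return r, policy.audit_log
```

The last check shows the point of tying the allowlist to certification: once the maintenance window closes, the patched binary is blocked again until the certification process adds its digest to the core.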

He acknowledges that there is no one cybersecurity model to suit every provider, which is why he says whatever strategy a bank adopts has to be ‘aligned with the operations model and sponsored by the board of directors’ if it’s to be successful. Aramendia would agree with computer security expert Prof Gene Spafford, who was quoted in the 1990s as saying:

“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.” But, given that the entire financial system would then grind to a halt, a Zero Trust approach might be the best option.

This article was published in The Fintech Magazine Issue 27, Page 49-50
