Diebold Solutions Corporate and ATM Security - PowerPoint PPT Presentation


  1. Diebold Solutions Corporate and ATM Security

  2. Today's Agenda
     1) Consumer Sensitive Information
     2) PCI DSS
     3) Attacks on assets
     Diebold Confidential 2009

  3. ATM Card Fraud: Skimming
     - Small read head designed to fit into the ATM card reader.
     - Skimming readers typically contain storage capacity and a time stamp.
     - Equal number of attacks on motorized and dip-style readers.
     - Criminals are very sophisticated in adjusting their designs.
     - A North American bank spends $1M USD to change bezels.
     - Criminals defeat the new bezel in 6 months.
     - The bank saves $10M in losses.

  4. ATM Card Fraud: PIN Spying
     - Shoulder surfing
     - "Good Samaritan"
     - Hidden video camera
     - Overhead cell phone camera
     - PIN pad overlay
     - RF transmission of information
     - Time stamp recording
     Pictured: spy camera, $150, 36-hour DVR with time stamp and SD card.

  5. Skimmer found in St. Petersburg (photo slide)

  6. Would you recognize this as a threat? (photo slide)

  7. Global Solutions to Consider
     Anti-skimming countermeasure matrix; columns: Reduce Redemption, Reduce Skimming, Detect Skimming, Deter Skimming. The slide marks each countermeasure against the columns it addresses:
     - EMV Smart Card
     - Biometrics + Smart Card
     - Magstripe Authentication (MagnaPrint)
     - Mobile OTP or Authorization
     - Enhanced PIN (Image/Sentence Knowledge)
     - Contactless Card
     - Jitter on Motorized Card Readers
     - CPK by TMD
     - CPK+SDK by TMD
     - Fascia Video Analytics
     - ASD - Optical
     - Network Fraud Monitoring
     - Bezel Design
     - Surveillance: ATM DVR or IP NVR
     - PIN Pad Shield

  8. Logical Attacks
     - Viruses or worms intended to exploit an ATM's software environment.
     - Criminal hackers attempting to violate the confidentiality, integrity, or authenticity of transaction data.
     - Logical attacks up 47% over 2007.
     - TJX breach: 94 million accounts
     - Hannaford Stores: 4.2 million accounts
     - RBS WorldPay: account numbers and PINs stolen from a server
     - Heartland Payment Systems

  9. For Sale (figure; source: Symantec Internet Security Threat Report, Trends for 2008)

  10. Operational Fraud
      Internal perpetrators:
      - Ardent do-it-yourselfers
      - Collectors
      - Middlemen who steal for others
      - Disgruntled employees
      - Debt-ridden employees
      - Blackmail victims
      - Professional thieves
      - Egotists
      - Practical jokers
      - Irresponsible employees
      Operational fraud is perpetrated from within and accounts for up to 30% of ATM fraud.

  11. Reduce Losses and Mitigate Risk
      Countermeasure matrix; columns: Logical Attacks (Hackers, viruses and worms; Unauthorized External Connection; Unauthorized Sources/Commands; Data Confidentiality) and Internal or Operational Fraud. The slide marks each countermeasure against the threat columns it addresses:
      - Symantec Enterprise Protection
      - OS and software maximum security settings
      - Patch Managed Services
      - Intel Trusted Platform Module (TPM) and VeriSign Certificate Authority
      - Point to Point Encryption
      - SSL Over IP
      - Remote Key Management
      - Secure Service Token Storage and Logon
      - Hard Drive Encryption
      - Access Control (PACS and LACS) and Password Management

  12. PCI DSS for ATMs: Build and Maintain a Secure Network
      - Requirement 1: Install and maintain a firewall configuration to protect cardholder data
        - Sygate Firewall version 5 and Symantec Endpoint Protection version 11
        - Diebold Professional Service can provide a Statement of Work (SOW) for Security Office, which provides a centralized firewall management server for the customer
        - Diebold Managed Services can manage and monitor the security events and security logs on the ATM (per PCI requirements)
        - Diebold can monitor the security events on your firewalls, routers, IDS, and internal servers that hold PCI cardholder data, and manage those devices
      - Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
        - Customer driven: Diebold Service will leave default Windows passwords in place unless directed otherwise by the owner of the ATM
        - Diebold Professional Service can provide the financial institution with a SOW that will allow the ATMs to join an Active Directory environment
        - ValiTech

  13. PCI DSS and ATMs: Protect Cardholder Data
      - Requirement 3: Protect stored cardholder data
      - Key requirements are:
        - 3.2.1 - Do not store the full contents of any track from the magnetic stripe
        - 3.2.3 - Do not store the personal identification number (PIN) or the encrypted PIN block
      - Two primary areas of concern:
        - Log and trace files: ensuring track data and PIN blocks are not recorded in any trace or log file
        - EDC files: information sent from the host must not contain any proscribed data
        - Option to log captured card data to EDC
      - Diebold can provide privileged user monitoring and can monitor all access to PCI cardholder data in the environment.
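The log and trace file concern under Requirement 3 can be checked mechanically. The following is an added example and not Diebold's code: it scans constructed ATM trace lines for full track data, PIN-block fields and bare PANs, redacts them in place and reports which line carried what; the trace layout and the EPB=/PINBLOCK= field labels are assumptions.

```python
import re

# Added example (not Diebold's code): scan ATM trace/log lines for what PCI DSS 3.2.1
# and 3.2.3 forbid in storage (full track contents, PIN blocks) and redact it in place.
# Track layouts follow ISO/IEC 7813; the EPB=/PINBLOCK= field labels are an assumption.
RULES = [
    ("TRACK1", re.compile(r"%B(\d{12,19})\^[^^]{2,26}\^\d{4}[^?]*\?"), "<TRACK1 REDACTED {}>"),
    ("TRACK2", re.compile(r";(\d{12,19})=\d{4,}\?"), "<TRACK2 REDACTED {}>"),
    ("PINBLOCK", re.compile(r"\b(?:EPB|PINBLOCK)=([0-9A-Fa-f]{16})\b"), "<PINBLOCK REDACTED>"),
    # bare 13-19 digit run, optionally split by spaces/dashes; Luhn decides if it is a PAN
    ("PAN", re.compile(r"(?<!\d)((?:\d[ -]?){12,18}\d)(?!\d)"), "{}"),
]

def luhn_ok(digits):
    """ISO/IEC 7812 check digit; filters sequence numbers that merely look like PANs."""
    d = [int(c) for c in reversed(digits)]
    return (sum(d[::2]) + sum(x * 2 - 9 if x > 4 else x * 2 for x in d[1::2])) % 10 == 0

def mask_pan(pan):
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scrub_line(line):
    """Return (redacted_line, findings). Track rules run before the bare-PAN rule so a
    PAN inside a track is reported once, and a PIN block never meets the PAN rule."""
    findings = []
    for label, rx, fmt in RULES:
        def repl(m):
            value = re.sub(r"[ -]", "", m.group(1))
            if label == "PAN" and not luhn_ok(value):
                return m.group(0)        # e.g. a 13-digit reference number, keep as is
            findings.append(label)
            return fmt.format(mask_pan(value))   # format() drops the arg when fmt has no {}
        line = rx.sub(repl, line)
    return line, findings

def scan_log(lines):
    """Scrub every line; return (clean_lines, [(line_no, findings), ...])."""
    results = [scrub_line(raw) for raw in lines]
    return [c for c, _ in results], [(n, f) for n, (_, f) in enumerate(results, 1) if f]

# Constructed sample trace; 4111111111111111 is the well-known Visa test PAN.
SAMPLE_LOG = [
    "2009-03-01 10:15:03 CARDREAD ;4111111111111111=09121015432198765?",
    "2009-03-01 10:15:03 CARDREAD %B4111111111111111^DOE/JANE^09121015432198765?",
    "2009-03-01 10:15:04 PINENTRY EPB=1A2B3C4D5E6F7A8B ksn=FFFF9876543210E00001",
    "2009-03-01 10:15:05 HOSTREQ pan=4111 1111 1111 1111 amt=6000 ref=1234567890123",
    "2009-03-01 10:15:06 TXN end seq=8813 rc=00",
]
```

Calling scan_log(SAMPLE_LOG) returns the redacted lines plus a report naming lines 1 to 4 as carrying TRACK2, TRACK1, PINBLOCK and PAN data, while the 13-digit reference number on line 4 fails the Luhn check and is left untouched.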

  14. PCI DSS and ATMs: Protect Cardholder Data
      - Requirement 4: Encrypt transmission of cardholder data across open, public networks
      - IPsec or SSL encrypted communications
        - SSL part of ABC 4.4
        - Part of Agilis 91x 2.4
        - In Agilis 91x 2.3 CSD 1, Agilis 91x 2.2 CSD 1
      - Professional Services can provide a statement of work to help the customer implement SSL directly to the host or to a Cisco network appliance

  15. PCI DSS and ATMs: Maintain a Vulnerability Management Program
      - Requirement 5: Use and regularly update anti-virus software
        - Updating of virus identification files, firewall/IDS signatures, and security software updates available as a Diebold managed service
        - Diebold Professional Services can present a financial institution with a SOW for Security Office. Security Office allows not only for a managed firewall but also anti-virus, anti-spyware and proactive network threat protection
      - Requirement 6: Develop and maintain secure systems and applications
        - Operating system patches available via the DCIS service
        - CSDs for Agilis applications available via Diebold Service contacts
        - Diebold offers a managed service that will deploy the latest approved MS patches to the ATM for a monthly fee
        - Diebold Professional Services can provide consulting for an institution to utilize its existing patch management system

  16. PCI DSS and ATMs: Implement Strong Access Control Measures
      - Requirement 7: Restrict access to cardholder data by business need-to-know
        - It is the financial institution's responsibility to restrict access to systems that contain cardholder data based on its business practices and need-to-know requirements.
        - Cardholder data is not stored on the ATM except:
          - Data sent from the host for the EDC journal file
          - Check images stored on the ATM for the RSS Store and Forward capability. A future version of RSS will encrypt this data

  17. PCI DSS and ATMs: Implement Strong Access Control Measures
      - Requirement 8: Assign a unique ID to each person with computer access
        - Customer driven: Diebold Service will leave default Windows passwords in place unless directed otherwise by the owner of the ATM
        - Diebold Professional Service can provide the financial institution with a SOW that will allow the ATMs to join an Active Directory environment
        - ValiTech
      - Requirement 9: Restrict physical access to cardholder data
        - Diebold can provide access control systems, video and DVR technologies to assist with this requirement

  18. PCI DSS and ATMs: Regularly Monitor and Test Networks
      - Requirement 10: Track and monitor all access to network resources and cardholder data
        - The financial institution is responsible for tracking and monitoring all network access and cardholder data.
        - Diebold does provide access control and video systems to aid in tracking physical access to these systems.
      - Requirement 11: Regularly test security systems and processes
        - The financial institution is responsible for developing test processes and procedures for performing regular tests of its security systems.
      Maintain an Information Security Policy
      - Requirement 12: Maintain a policy that addresses information security
        - The financial institution is responsible for developing and maintaining policies and procedures related to security for its associates and contractors.

  19. Physical Attacks
      - Ram-raid, smash and grab
      - Explosive
      - Torch
      - Grinder

  20. (image-only slide)

  21. Reduce Losses and Mitigate Risk
      Countermeasure matrix; columns: Physical Attacks (Ram Raid or Burglary; Explosives; Cutting Torch; Smash and Grab). The slide marks each countermeasure against the attack columns it addresses:
      - UL 291 level 1 rated safe
      - CEN rated safe
      - Anchoring system
      - Electronic locks with duress alarm
      - Ink staining
      - Intelligent sensors
      - Basic thermal and door sensor
      - Seismic sensors
      - GPS ATM and/or cassette tracking
      - Universal camera mounts
      - Surveillance: DVR
      - Access Control and Monitoring
