
Today the payments industry is under global attack on two fronts. International payment card fraud and identity theft are at an all-time high, and there is an increasing number of data breaches perpetrated by sophisticated digital criminals who then use the personal information they have stolen to open new accounts or to make changes to existing non-card accounts.
Over 11 million people are affected globally and the total cost of this fraud is $54 billion according to recent research from Javelin Strategy & Research. As well as the hard cash losses associated with this level of fraud in the financial and retail sectors, there is also the impact of these crimes on consumer confidence.
As a consequence of all this, two major challenges threaten to undermine the trusted self-service channel. These are the unprecedented increase in card skimming activity globally and the potential for digital crime and insider attacks. Industry collaboration is called for to apply best practices in terms of technology, people and processes with a multi-layered approach to risk mitigation.
Skimming at the ATM, whereby criminals copy the data stored on a card's magnetic stripe using devices attached to the ATM card reader, remains a global problem despite the introduction of EMV in many countries. Chip and PIN technology does not necessarily reduce such fraud overall, because the magnetic stripe is still universally accepted: the stripe holds static track data, so a copy is as good as the original wherever stripe transactions are still honoured. For example, account details captured in the UK can be used to withdraw funds in countries without chip and PIN technology, such as the US.
Magnitude of the threat
Though the prevention of card skimming at the ATM remains a challenge, the threat it poses is dwarfed by the potential damage from a growing trend towards 'inside skimming' software attacks and insider threats. Whereas a skimming device might affect ten customers, malware such as a Trojan or rootkit, sitting on an ATM unnoticed for days or weeks, could extract, or 'skim', data relating to hundreds of thousands of cardholders.
Publicity following Trojan malware attacks in Russia in early 2009 provides proof of organized criminals operating in this space. At the Black Hat event in Las Vegas in July this year, there was a demonstration of how malware could be introduced to an ATM via a USB device or disc as well as via remote configuration. Though the demonstration exploited specific physical and logical weaknesses, notably in proprietary management software that bypasses normal authentication, and required extensive specialist knowledge, it highlights the potential for exploitation by the fastest-growing threat: insider attacks.
What the self-service industry needs is a tailored approach to software and network security that addresses all potential risks, not just traditional threats such as viruses, worms and Trojans. Typical anti-virus products, which rely on signatures of already-known malware, do not address the emerging threat from sophisticated digital criminals.
A global ecosystem to protect cardholder data
The payment card industry has responded to the cross-industry risk to cardholder data from organized crime by introducing a worldwide Data Security Standard (PCI DSS) to protect sensitive cardholder data from compromise. The PCI DSS requirements cover security management, policies and procedures, network architecture and software design.
Any financial institution, retailer or service provider that processes, stores or transmits credit or debit card data must be able to demonstrate PCI DSS compliance, for example to a PCI DSS Qualified Security Assessor (QSA). Failure to demonstrate compliance can result in loss of the ability to process payments.
Two further standards apply to device manufacturers and software application providers: the PCI PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS).
For ATM deployers, investment in achieving compliance not only reaps rewards in terms of improved security but is also dwarfed by the costs of not complying, particularly when it comes to a fraudulent incident damaging reputation.
A globally proven multi-layered approach to security
NCR's total security approach includes a PCI PTS-approved Encrypting PIN Pad, and NCR is the industry's first ATM vendor to have PA-DSS-validated software. Its multi-layered approach to security is based on secure software lifecycle management and on features of the APTRA™ software, including built-in security controls as well as best-practice guidelines that combine technology, people and processes.
Another layer of this approach is NCR's partnership with Microsoft® to develop and deploy an Active Directory solution for ATMs, in which the group policy settings and security controls of APTRA are combined with the centralized management capabilities of Active Directory. Within Active Directory, supervisor and administrator accounts can be created as necessary when ATM access is required and disabled afterwards, and a separate user account for each person authorized to access the ATM in administrator mode ensures full accountability.
NCR offers a centralized approach to software security, control and compliance through Software Suite for APTRA. It not only helps reduce the risk of fraud but also eases your audit and PCI DSS compliance burden.
One of the key features of the PCI DSS standard is the requirement to maintain a vulnerability management programme, which is a defence against malware threats of any type.
Solidcore Suite for APTRA provides proactive defence against malware of any kind, including code introduced by insiders, by allowing only authorized code to run. It does this by automatically creating and updating an inventory of known-good code and by protecting the system's memory so that authorized code cannot be modified, deleted or hijacked (the process in which malicious code replaces authorized code with itself). Because the control is a default-deny allow-list rather than a list of known-bad signatures, the ATM is protected even before a new threat emerges.
From a security perspective, the solution provides zero-day protection. It also means the deployer regains control over when to patch: there is no need to rush a patch out, which avoids the risk that a well-intentioned but hastily applied patch brings the system down. Patches can be introduced in a measured, efficient way.
In terms of compliance, Solidcore Suite for APTRA provides centralized management controls with real-time automated reporting of all changes, authorized and unauthorized alike. Any change must be made through an authorized download process within a specified time window. Any attempt to load software can generate an alert, giving instant awareness of unauthorized change together with a complete audit trail of changes. This makes it very unlikely that an insider attack goes unnoticed; USB ports can also be disabled.
These capabilities dramatically reduce the overheads associated with achieving compliance in a manual environment. Compliance can be achieved and demonstrated in an automated way with easy report generation.
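The two mechanisms described above, a default-deny inventory of authorized code that blocks modified or unlisted binaries, and a change-control process in which updates are accepted only inside an authorized window and every attempt, authorized or not, is logged and alerted, can be illustrated with a small simulation. The following is an added example, not Solidcore or NCR code: it models the inventory as a SHA-256 digest per file, the "execution" check as a function call rather than a kernel-level hook, and the file names, ticket number and timestamps are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_of(path):
    """Digest of a file's contents: this is what identifies a piece of 'authorized code'."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


class AllowList:
    """Default-deny code inventory plus an audit trail of every change attempt."""
    def __init__(self):
        self.inventory = {}  # absolute path -> SHA-256 of the approved file
        self.audit = []      # (timestamp, verdict, file, detail), authorized and not
        self.window = None   # (start, end, ticket): the only time the inventory may change

    def _log(self, when, verdict, path, detail):
        self.audit.append((when.isoformat(), verdict, os.path.basename(path), detail))

    def baseline(self, root):
        """Build the inventory: everything on disk at baseline time is treated as approved."""
        for p in Path(root).rglob("*"):
            if p.is_file():
                self.inventory[str(p)] = sha256_of(p)

    def open_window(self, start, end, ticket):
        self.window = (start, end, ticket)  # the authorized download process

    def may_execute(self, path, when):
        """Allow a file to run only if it is inventoried and still has the approved hash."""
        expected = self.inventory.get(path)
        if expected is None:
            self._log(when, "BLOCKED", path, "not in inventory")
            return False
        if not os.path.isfile(path) or sha256_of(path) != expected:
            self._log(when, "BLOCKED", path, "hash mismatch: approved file modified or replaced")
            return False
        self._log(when, "ALLOWED", path, "hash matches inventory")
        return True

    def request_update(self, path, when):
        """Accept a new hash for path only inside the change window; log the attempt either way."""
        if self.window is None or not (self.window[0] <= when <= self.window[1]):
            self._log(when, "REJECTED", path, "update attempted outside change window")
            return False
        self.inventory[path] = sha256_of(path)
        self._log(when, "AUTHORIZED", path, "inventory updated under ticket " + self.window[2])
        return True

    def scan(self, root, when):
        """Report drift between disk and inventory; every finding is logged as an alert."""
        on_disk = {str(p) for p in Path(root).rglob("*") if p.is_file()}
        approved = set(self.inventory)
        drift = {
            "added": sorted(on_disk - approved),
            "deleted": sorted(approved - on_disk),
            "modified": sorted(p for p in on_disk & approved if sha256_of(p) != self.inventory[p]),
        }
        for kind, paths in drift.items():
            for p in paths:
                self._log(when, "ALERT", p, "unauthorized change: " + kind)
        return {k: [os.path.basename(p) for p in v] for k, v in drift.items()}


def demo():
    """Constructed scenario with hypothetical files (not real ATM software)."""
    t0 = datetime(2009, 9, 1, 9, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as root:
        app, dropper = os.path.join(root, "app.exe"), os.path.join(root, "dropper.exe")
        Path(app).write_bytes(b"approved application v1")
        al = AllowList()
        al.baseline(root)
        r = {"approved_runs": al.may_execute(app, t0)}
        # A binary dropped from a USB stick is not in the inventory, so it cannot run.
        Path(dropper).write_bytes(b"constructed malware sample")
        r["dropper_runs"] = al.may_execute(dropper, t0 + timedelta(minutes=1))
        # The approved binary is overwritten in place (hijacked): its hash no longer matches.
        Path(app).write_bytes(b"trojanised application")
        r["hijacked_runs"] = al.may_execute(app, t0 + timedelta(minutes=2))
        # A well-intentioned but unscheduled update is rejected: no change window is open.
        r["unscheduled_update"] = al.request_update(app, t0 + timedelta(minutes=3))
        # The patch is applied inside an authorized window and the inventory follows it.
        al.open_window(t0 + timedelta(hours=1), t0 + timedelta(hours=2), "CHG-0001")
        Path(app).write_bytes(b"approved application v2")
        r["scheduled_update"] = al.request_update(app, t0 + timedelta(hours=1, minutes=30))
        r["patched_runs"] = al.may_execute(app, t0 + timedelta(hours=1, minutes=31))
        # A periodic scan still flags the dropped file, which never entered the inventory.
        r["drift"] = al.scan(root, t0 + timedelta(hours=3))
        r["audit"] = al.audit
        return r


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(*entry)
```

Running the block prints the audit trail: the dropped and hijacked binaries are blocked, the unscheduled update is rejected, the scheduled one is recorded against its ticket, and the scan raises an alert for the file that never entered the inventory. Two caveats a practitioner should keep in mind: a user-space hash check like this one can be bypassed by anything that runs before it or that patches the running process, which is why the product described above protects memory as well as files on disk; and the change window only helps if the inventory update itself is tied to an approved change record, otherwise the window becomes a period in which anyone can authorize anything.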
"Many of our customers globally are using Solidcore Suite for APTRA because it's multi-vendor, it has a unique approach of actively protecting the ATM from any unauthorized change, and the centralized management with automated reporting and alerts delivers the most cost-effective and manageable way of not only achieving but demonstrating compliance," said Bob Tramontano, Vice President of Financial Industry Marketing at NCR. "It is a critical element of NCR's multi-layered approach to risk management that defends against ATM fraud at all points of potential compromise."