"Financial Service Technology America, today's latest financial news now..."

Secure Connectivity for Off-premise and Remote Automated Teller Machines (ATM)

CSCT Inc. | www.csctus.com


Overview

There is a growing need in the U.S. for secure communications between computers executing financial transactions or exchanging sensitive data. For example, transactions processed in an Automated Teller Machine (ATM) environment need to be as secure as a direct connection between two computers. The solutions presented here encompass the use of either public or private networks and contain only two security mechanisms: Arxceo’s Tag-UR-IT™ technology and any Virtual Private Network (VPN) solution using at least 128-bit encryption.

The Problem

In the U.S. banking system, off-premise or remote ATMs are expensive to operate, primarily because of the cost of the leased telecommunication lines that banks have assumed are needed to ensure the highest level of security between the ATM and its server (or transaction processor – a third-party device that links to bank databases and authorizes transactions). Leased lines are typically very expensive, especially relative to the cost of using a public network, which can be as little as 10 percent of the monthly cost of a leased line. The advent of wireless cellular networks has also made it possible to avoid provisioning and installing a wire line, which is also expensive and time-consuming.

The primary problem with using a public network has been security. Because all large companies’ and financial institutions’ corporate networks are connected to a public network (i.e., the Internet), and because organized crime has focused its criminal efforts on stealing personal identity information, financial information, money, and trade secrets, Internet connectivity has produced a new avenue to gain illegal access to confidential information. Consider the billions of dollars that are spent annually to maintain and improve security around enterprise networks. Because ATM systems need to be protected by at least the same level of security as other enterprise systems, leased lines have been used to make the ATM system a part of the corporate network, albeit a segregated part.

Unfortunately, connecting an ATM to a bank’s ATM server over the Internet compromises the enterprise’s security solutions, exposing ATM systems to attack. Banks, however, like all large enterprises, are constantly challenged to reduce operating costs in every segment of their businesses. The ability to reduce the primary operating cost of an ATM (the leased line connectivity charges) creates a very enticing return on investment. Bank enthusiasm for past market solutions has been limited because of the reduction in security and the corresponding possibility of a security breach that could damage the bank’s reputation and financial stability.

The final issue involved in converting from wired leased-line connectivity to wireless cellular connectivity is wireless carrier network architecture. Wireless carriers have generally catered to consumer markets and are concerned only about providing a reliable, cheap connection to the Internet. Unfortunately, cellular communications can be too easily “eavesdropped,” captured, or jammed. In essence, this violates the Gramm-Leach-Bliley Act, which states that financial transactions must be securely transmitted.

Because adding security or re-architecting their networks to privatize them adds a layer of complexity that raises equipment and support costs, carriers have not been willing to make those investments. Instead, they use routable, public addresses with insufficient segmentation, exposing their consumer and corporate customers to vulnerability scans and attacks that may compromise data or use already-compromised devices to attack other devices. Most carriers consider any new architecture that interferes with a simple “data-com pipe” business to be too specialized and outside their core business.

Due to the combination of carrier laissez-faire security attitudes and the significant return on investment for using the public Internet as a transport mechanism for ATM transactions, there exists an immediate need for a highly secure cellular architecture intended for financial transactions and services. To this end, JBM Electronics has partnered with Communications and Security Compliance Technologies (CSCT) to deliver a solution that fulfills this need without requiring the replacement of existing ATMs in the field – a major advantage over any solution currently being considered by the carriers themselves.

The Solution

JBM Electronics and CSCT have together designed a secure wireless cellular solution for off-premise or remote ATMs. This partnership also includes a CSCT “sister company,” Arxceo Corporation. (Both CSCT and Arxceo are owned by Japan Communications Inc., within a U.S.-based holding company called The JCI Group.) JBM Electronics has integrated a patented security technology from Arxceo that provides the additional security enhancements required to “lock down” wireless communications for financial transactions.

Fundamentally, JBM Electronics offers an integrated router solution that provides both protocol and physical network convergence to add cellular capability to existing ATMs. This solution also adds firewall and VPN encryption, intrusion prevention, packet-level address authentication, and anti-reconnaissance defenses to the ATM network architecture.

The JBM/Arxceo Integrated Solution, the C200 series router, has the ability to interface with older legacy ATMs using protocols such as SNA, bisync 3270, or VISA II. Additionally, the C200-AS router can connect to the ATM through a wide variety of interfaces including async serial, synchronous RS232c, Ethernet, and RJ11 dial. This range of flexibility allows the C200-AS to integrate with practically any ATM on the market today.

The JBM router is installed at the ATM using any of a variety of options available on the box. This router establishes a VPN upon the connection and assignment of a public, routable address. The bank (or its designated transaction processor) has a direct connection to the CSCT network with a private address through which all transactions pass. An Arxceo Ally™ 1000 is installed in front of the ATM servers.

Using the JBM router with cellular connectivity has demonstrated transaction turnaround times of less than 12 seconds, and in some cases, less than 2 seconds. Compare this response time to a dial-up phone-connected ATM with an average transaction time of 20 seconds or longer. This may not sound like a substantial difference, but operators know that those seconds significantly impact performance when a line of customers is waiting to use the ATM.

“JBM’s C200 is the only cellular router we would recommend or provide for ATM connectivity. Its advanced protocol support and range of available network interfaces provide us the greatest flexibility for integrating ATMs onto cellular,” stated Neil Clark of ATM Express, a national ATM transaction processor firm.

How does the combined JBM/Arxceo solution secure a wireless ATM network?

The JBM router is designed for establishing connectivity to the ATM server and providing certificate-based (SSL) VPN for securing the connection channel. The firewall that protects the ATM server and the JBM router that is protecting the ATM will both have public IP addresses, which are required to establish a secure VPN between these two “endpoints.” The JBM router provides authentication and identification of ATM endpoints and thus, the transactions conducted between them.

Is VPN alone not enough?

The problems with relying entirely on VPN technology are described below. Note that the JBM Electronics router is the “endpoint” for the VPN-encrypted traffic. It is important to understand that this traffic is decrypted by the router and then forwarded onward to the ATM using a private network address scheme, so the hop between router and ATM is not covered by the VPN.

Issue #1: The private network address space must be protected from discovery and exploitation.

Solution: The integration of Arxceo’s technology into the JBM Electronics router solved this issue. Arxceo’s anti-reconnaissance defense prevents intruders from exploring, probing, and scanning the private IP addresses assigned on the ATM and the ATM server. These probes are used by cyber criminals to obtain valuable information they need to exploit a discovered vulnerability. By preventing network enumeration, cyber criminals are unable to proceed. They cannot attack a target they cannot detect.

Issue #2: VPNs are vulnerable to Man in the Middle (MitM) attacks and Denial of Service (DoS) floods during session establishment and sometimes during established sessions.

Solution: Arxceo’s anti-address spoofing defense (or address authentication layer) provides packet-level authentication to ensure that the endpoints are secure from localized attacks, such as MitM and DoS floods intended to insert authentic-looking traffic into a session. The integration of Arxceo’s technology into the SSL VPN endpoint within JBM Electronics’ integrated router provides carrier connection integrity. This provides the additional security needed for VPN connection initialization (key exchange) during the momentary vulnerable router boot-up time. In addition, Arxceo’s technology enhances a traditional firewall/VPN defense by eliminating data leaks from the protected ATM server network and the ATM client “network.” This is critical to ensure that intruders cannot gather information in order to exploit a known or just discovered vulnerability.

In essence, the Arxceo software will reject packets from any address not originating from the server ATM network, and the encrypted VPN will ensure that any device that would be capable of “sniffing” the connection (perhaps a cellular base station radio) is left with unreadable information. Any attempt at insertion attacks (i.e., during an existing communication session in which the TCP handshake has already taken place between ATM and ATM server) would be thwarted by Arxceo’s packet-level address authentication, which would drop any packet originating from a source other than the device with which it made the initial connection. The only option remaining for an intruder would be to find a way to force the router to reboot, which is not an easy task given the low-bandwidth connection available to launch the type of attack needed to accomplish this.
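The two behaviours described above, a silent drop of anything not from the server network and a session pinned to the device that opened it, can be modelled as a small per-ATM filter. The following Python is an added illustration, not code from JBM, CSCT or Arxceo; the server network 10.20.0.0/24, the scan threshold and the packet trace are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed (not from the article): the protected ATM-server network is 10.20.0.0/24.
SERVER_NET = ip_network("10.20.0.0/24")
SCAN_THRESHOLD = 3  # distinct ports touched by one outside source before it is flagged as reconnaissance

@dataclass
class Packet:
    src: str
    dport: int
    flags: str = ""  # TCP flags as text, e.g. "SYN", "PSH,ACK"

@dataclass
class AtmEndpointGuard:
    """Per-ATM filter modelled on the text: only the server network may reach the ATM,
    and once a session is open the ATM accepts traffic only from the device that opened it.
    Counting distinct ports probed per outside source stands in for the anti-reconnaissance signal."""
    peer: Optional[str] = None
    probed_ports: Dict[str, set] = field(default_factory=dict)

    def accept(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in SERVER_NET:
            # Silent drop: no RST or ICMP reply, so a scanner cannot enumerate the private ATM address.
            self.probed_ports.setdefault(pkt.src, set()).add(pkt.dport)
            return False
        if self.peer is None:
            if "SYN" in pkt.flags:   # the first handshake pins the session to this server address
                self.peer = pkt.src
                return True
            return False             # mid-stream packet with no open session: drop
        return pkt.src == self.peer  # address authentication: insertion from any other source is dropped

    def scanners(self) -> List[str]:
        return sorted(s for s, ports in self.probed_ports.items() if len(ports) >= SCAN_THRESHOLD)

def run_trace(guard: AtmEndpointGuard, trace: List[Packet]) -> List[bool]:
    return [guard.accept(p) for p in trace]

# Constructed sample trace (not captured traffic): the server opens a session, an outside host
# probes three ports, then another in-network address tries to inject into the open session.
SAMPLE_TRACE = [
    Packet("10.20.0.5", 443, "SYN"),
    Packet("10.20.0.5", 443, "PSH,ACK"),
    Packet("203.0.113.9", 22, "SYN"),
    Packet("203.0.113.9", 23, "SYN"),
    Packet("203.0.113.9", 443, "SYN"),
    Packet("10.20.0.77", 443, "PSH,ACK"),  # inside the server net but not the session peer
    Packet("10.20.0.5", 443, "FIN,ACK"),
]
```

Running `run_trace(AtmEndpointGuard(), SAMPLE_TRACE)` accepts only the three packets from 10.20.0.5, and `scanners()` afterwards reports 203.0.113.9.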

In addition, an attacker would need to know a great deal about and have emulated the exchange between ATM and ATM server, and would have to successfully spoof the Certificate Authority used for the VPN in order to establish a real connection. Having established a connection, the attacker would then need to determine how to hack the ATM and overcome the controls that limit the amount of a withdrawal during a single transaction, or spoof multiple customer accounts to gain substantial cash from that ATM. All of this “required information” needed to attempt such an attack is thwarted by Arxceo’s anti-reconnaissance defenses, which encompass the only industry solution designed to prevent such information gathering.

Overall, the combined JBM/Arxceo wireless ATM security solution makes it virtually impossible for a would-be cyber thief to gain access to the secure data traveling in the wireless ATM environment, and clearly satisfies the requirements of the Gramm-Leach-Bliley Act. More information is available at: www.jbmelectronics.com, www.csct.com, and www.arxceo.com and by contacting the companies’ respective marketing departments by selecting “contact us” at the appropriate website. For Direct Sales Information regarding the combined solution Contact: Henry Oat, Phone: 404-210-1865, Email: hoat@csctus.com

