Diebold Solutions: Corporate and ATM security

Transcript of a 25-slide deck. Source: Retail Finance, rfinance.ru/upload/files/CS Moscow Summit Presentation Final.pdf

Slide 1: Diebold Solutions: Corporate and ATM security

Slide 2 (Diebold Confidential 2009): Today's Agenda

1) Consumer Sensitive Information
2) PCI DSS
3) Attacks on assets

Slide 3: ATM Card Fraud

Skimming:
- Small read head designed to fit into the ATM card reader.
- Skimming readers typically contain storage capacity and a time stamp.
- Equal number of attacks on motorized and dip-style readers.
- Criminals are very sophisticated in adjusting designs.
- A North American bank spends $1 M USD to change bezels.
- Criminals defeat the change in 6 months.
- Bank saves $10 M in losses.

Slide 4: ATM Card Fraud

PIN Spying:
- Shoulder surfing
- "Good Samaritan"
- Hidden video camera
- Overhead cell phone camera
- PIN pad overlay
- RF transmission of information
- Time stamp recording

Spy camera: $150, 36-hour DVR with time stamp and SD card.

Slide 5: Skimmer found in St. Petersburg (image slide)

Slide 6: Would you recognize this as a threat? (image slide)

Slide 7: Global Solutions to Consider

Anti-skimming measures, each marked (x) on the slide against one or more of four goals: reduce redemption, reduce skimming, detect skimming, deter skimming (marks as on the slide):

- EMV smart card (x)
- Biometrics + smart card (x)
- Magstripe authentication (MagnaPrint) (x)
- Mobile OTP or authorization (x)
- Enhanced PIN (image/sentence knowledge) (x)
- Contactless card (x x)
- Jitter on motorized card readers (x)
- CPK by TMD (x)
- CPK+SDK by TMD (x x)
- Fascia video analytics (x)
- ASD – optical (x)
- Network fraud monitoring (x)
- Bezel design (x)
- Surveillance – ATM DVR or IP NVR (x)
- PIN pad shield (x)

Slide 8: Logical Attacks

- Viruses or worms intended to exploit an ATM's software environment.
- Criminal hackers attempting to violate the confidentiality, integrity, or authenticity of transaction data.
- Logical attacks up 47% over 2007.
- TJX breach – 94 million accounts
- Hannaford Stores – 4.2 million accounts
- RBS WorldPay – account numbers & PINs stolen from server
- Heartland Payment Systems

Slide 9: For Sale (image slide)

Source: Symantec Internet Security Threat Report – Trends for 2008

Slide 10: Operational Fraud

Internal:
- Ardent do-it-yourselfers
- Collectors
- Middlemen who steal for others
- Disgruntled employees
- Debt-ridden employees
- Blackmail victims
- Professional thieves
- Egotists
- Practical jokers
- Irresponsible employees

Operational fraud is perpetrated from within and accounts for up to 30% of ATM fraud.

Slide 11: Logical Attacks – Reduce Losses and Mitigate Risk

Controls, marked (✓) on the slide against five threat categories: hackers, viruses and worms; unauthorized external connection; unauthorized sources/commands; data confidentiality; internal or operational fraud (marks as on the slide):

- Symantec Enterprise Protection (✓ ✓ ✓ ✓)
- OS & software maximum security settings (✓ ✓ ✓)
- Patch Managed Services (✓ ✓ ✓ ✓)
- Intel Trusted Platform Module (TPM) and VeriSign Certificate Authority (✓ ✓ ✓)
- Point-to-point encryption, SSL over IP (✓ ✓ ✓)
- Remote Key Management (✓ ✓ ✓)
- Secure service token storage and logon (✓)
- Hard drive encryption (✓ ✓ ✓ ✓ ✓)
- Access control (PACS & LACS) and password management (✓ ✓ ✓ ✓ ✓)

Slide 12: PCI DSS for ATMs

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Sygate Firewall version 5 & Symantec Endpoint Protection version 11
- Diebold Professional Service can provide a Statement of Work (SOW) for Security Office, which provides a centralized firewall management server for the customer
- Diebold Managed Services can manage and monitor the security events and security logs on the ATM (per PCI requirements)
- Diebold can monitor the security events on your firewalls, routers, IDS, and internal servers that have PCI cardholder data, and manage the devices

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Customer driven – Diebold Service will leave default Windows passwords in place, unless directed otherwise by the owner of the ATM
- Diebold Professional Service can provide the financial institution with a SOW that will allow the ATMs to join an Active Directory environment
- ValiTech

Slide 13: PCI DSS and ATMs

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
- Key requirements are:
  - 3.2.1 – Do not store the full contents of any track from the magnetic stripe
  - 3.2.3 – Do not store the personal identification number (PIN) or the encrypted PIN block
- Two primary areas of concern:
  - Log and trace files – ensuring track data and PIN blocks are not recorded in any trace or log files
  - EDC files – information sent from the host must not have any proscribed data in it.
  - Option to log captured card data to EDC
- Diebold can provide privileged user monitoring and can monitor all access to PCI cardholder data in the environment.
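The two areas of concern above (trace/log files and EDC files holding track data or PIN blocks) are something an operator can audit for directly. The following is an added example, not Diebold's own tooling: a Python scanner that walks log lines and flags ISO 7813 track 1 and track 2 layouts, labelled 16-hex-digit PIN blocks, and bare Luhn-valid digit runs of PAN length, reporting each with the PAN masked to first six and last four digits so the report itself does not become stored cardholder data. The regexes, the `pin_block` label convention and the sample trace lines are assumptions; the sample uses the industry's standard test PAN and a made-up PIN block.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# ISO 7813 track layouts: track 1 starts with '%' plus a format code, track 2 with ';'.
# The PAN is captured only so the finding can be reported masked, never in the clear.
TRACK1_RE = re.compile(r"%[A-Z](\d{13,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")
# Encrypted PIN block (ISO 9564 formats are 8 bytes = 16 hex digits) next to a label.
# The label spelling is an assumption; adapt it to the trace format in use.
PIN_BLOCK_RE = re.compile(r"(?i)pin[ _-]?block\s*[:=]\s*([0-9A-F]{16})\b")
# A bare digit run of PAN length; confirmed with Luhn to cut down on timestamps and ids.
BARE_PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


@dataclass
class Finding:
    line_no: int
    kind: str      # "track1", "track2", "pin_block" or "pan"
    masked: str    # masked value that is safe to put in an audit report


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for real PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Scan log, trace or EDC text for track data, PIN blocks and bare PANs."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        for m in TRACK1_RE.finditer(line):
            findings.append(Finding(n, "track1", mask_pan(m.group(1))))
        for m in TRACK2_RE.finditer(line):
            findings.append(Finding(n, "track2", mask_pan(m.group(1))))
        for m in PIN_BLOCK_RE.finditer(line):
            findings.append(Finding(n, "pin_block", m.group(1)[:4] + "*" * 12))
        # Strip track matches first so their PAN is not reported twice as a bare PAN.
        rest = TRACK2_RE.sub("", TRACK1_RE.sub("", line))
        for m in BARE_PAN_RE.finditer(rest):
            if luhn_ok(m.group(1)):
                findings.append(Finding(n, "pan", mask_pan(m.group(1))))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan a file on disk line by line."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


# Constructed sample trace lines (not from any real ATM). 4111111111111111 is the
# industry's standard test PAN and A1B2C3D4E5F60718 is a made-up PIN block.
SAMPLE_LOG = [
    "2009-03-15 12:30:45 TRACE cardreader: read ok, data=%B4111111111111111^TEST/CARDHOLDER^1203101?",
    "2009-03-15 12:30:46 TRACE cardreader: track2=;4111111111111111=12031011234?",
    "2009-03-15 12:30:47 DEBUG epp: pin_block=A1B2C3D4E5F60718 pan=4111111111111111",
    "2009-03-15 12:30:48 INFO host: response code 00 for txn 1234567890 amount 100.00",
    "2009-03-15 12:30:49 INFO journal: PAN 411111******1111 approved",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

Lines 4 and 5 of the sample produce no finding: a ten-digit transaction id is shorter than a PAN, and a journal entry that already masks the PAN contains no run of thirteen or more digits. The Luhn filter removes most timestamps and counters but not all of them, so bare-PAN hits still need a human look; track and PIN-block hits are unambiguous and should be treated as a 3.2.1 or 3.2.3 failure of whatever wrote the line.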

Slide 14: PCI DSS and ATMs

Protect Cardholder Data

Requirement 4: Encrypt transmission of cardholder data across open, public networks
- IPsec or SSL encrypted communications
- SSL part of ABC 4.4
- Part of Agilis 91x 2.4; in Agilis 91x 2.3 CSD 1, Agilis 91x 2.2 CSD 1
- Professional services can provide a statement of work to help the customer implement SSL directly to the host or to a Cisco network appliance
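Requirement 4 is only met if the ATM authenticates the host it encrypts to; a link that encrypts but accepts any certificate protects against a passive tap and nothing else. The following is an added example, not Agilis or ABC code: a Python `ssl` client policy for the ATM-to-host link with the weak setting beside the hardened one, plus an `audit_context` check that reports which policy points a given context violates. The TLS 1.2 floor is a present-day baseline assumed here, not a figure from the slide, and `open_host_link` is a hypothetical helper that is defined but not run.

```python
import socket
import ssl
from typing import List, Optional, Tuple


def weak_client_context() -> ssl.SSLContext:
    """The setting to avoid: encryption without authentication of the host.
    Whatever terminates TLS on the path is accepted as 'the host'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client policy for the ATM-to-host link: TLS 1.2 or newer, host certificate
    required and matched against the hostname, limited to the bank's own CA when given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # assumed floor, not from the slide
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.options |= ssl.OP_NO_COMPRESSION
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # private CA: trust only that one
    else:
        ctx.load_default_certs()                    # otherwise the OS trust store
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the policy violations of a context; an empty list means it passes."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


def open_host_link(host: str, port: int, ctx: ssl.SSLContext,
                   timeout: float = 10.0) -> Tuple[str, str]:
    """Hypothetical helper: connect to the transaction host and return the negotiated
    (protocol version, cipher name). With the hardened context a certificate that does
    not chain to the trusted CA or does not name the host raises SSLCertVerificationError."""
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        return tls.version(), tls.cipher()[0]
    finally:
        tls.close()


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The same three checks apply whether the TLS endpoint is the host itself or a network appliance in front of it: in the appliance case the ATM must verify the appliance's certificate, and the appliance-to-host leg needs its own protection or it is the open network segment the requirement is about.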

Slide 15: PCI DSS and ATMs

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
- Updating of virus identification files, firewall/IDS signatures, and security software updates available as a Diebold managed service
- Diebold Professional Services can present a financial institution with a SOW for Security Office. Security Office allows not only for a managed firewall but also anti-virus, anti-spyware and proactive network threat protection

Requirement 6: Develop and maintain secure systems and applications
- Operating system patches available via DCIS service
- CSDs for Agilis applications available via Diebold Service contacts
- Diebold offers a managed service that will deploy the latest approved MS patches to the ATM for a monthly fee.
- Diebold Professional Services can provide consulting for an institution to utilize their existing patch management system

Slide 16: PCI DSS and ATMs

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
- It is the financial institution's responsibility to restrict access to systems that contain cardholder data based on their business practices and need-to-know requirements.
- Cardholder data is not stored on the ATM except:
  - Data sent from the host for the EDC journal file
  - Check images stored on the ATM for RSS Store and Forward capability. A future version of RSS will encrypt this data

Slide 17: PCI DSS and ATMs

Implement Strong Access Control Measures

Requirement 8: Assign a unique ID to each person with computer access
- Customer driven – Diebold Service will leave default Windows passwords in place, unless directed otherwise by the owner of the ATM
- Diebold Professional Service can provide the financial institution with a SOW that will allow the ATMs to join an Active Directory environment
- ValiTech

Requirement 9: Restrict physical access to cardholder data
- Diebold can provide access control systems, video and DVR technologies to assist with this requirement

Slide 18: PCI DSS and ATMs

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
- The financial institution is responsible for tracking and monitoring all network access and cardholder data.
- Diebold does provide access control and video systems to aid in the tracking of physical access to these systems.

Requirement 11: Regularly test security systems and processes
- The financial institution is responsible for developing test processes and procedures for performing regular tests of their security systems.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security
- The financial institution is responsible for developing and maintaining policies and procedures related to security for their associates and contractors.

Slide 19: Physical Attacks

- Ram-raid, smash and grab
- Explosive
- Torch
- Grinder

Slide 20: (image only)

Slide 21: Physical Attacks – Reduce Losses and Mitigate Risk

Countermeasures, marked (✓) on the slide against the attack types burglary; ram raid or smash and grab; explosives; cutting torch (marks as on the slide):

- UL 291 level 1 rated safe (✓ ✓)
- CEN rated safe (✓ ✓ ✓)
- Anchoring system (✓ ✓)
- Electronic locks – duress alarm (✓)
- Ink staining (✓ ✓ ✓ ✓ ✓)
- Intelligent sensors (✓ ✓ ✓ ✓ ✓)
- Basic thermal & door sensor (✓ ✓ ✓ ✓)
- Seismic sensors (✓ ✓ ✓ ✓)
- GPS ATM and/or cassette tracking
- Universal camera mounts (✓ ✓ ✓ ✓ ✓)
- Surveillance – DVR (✓ ✓ ✓ ✓ ✓)
- Access control & monitoring (✓ ✓ ✓ ✓ ✓)

Slide 22: Layered Security Approach

1. Vestibule access reader
2. ATM vestibule camera
3. Transaction camera through ATM fascia
4. External siren with strobe
5. Cellular backup in service area
6. Security alarm terminal
7. Service viewing camera
8. Passive infrared detection area
9. Hold-up button in service area
10. Video recorder in service area (digital or analog)
11. ATM site camera
12. Light level monitoring
13. Door contact
14. Seismic detectors (2) – chest door, chest wall
15. Heat/thermo detector
16. Main door contact

Slide 23: Conclusion

ATM fraud is repeatable, profitable and not likely to end. Even so, consumer confidence in ATMs remains high, and industry efforts to combat fraud, increase consumer awareness and promote ATM security help keep the self-service industry at least one step ahead of the criminals.

"Fraud is like electricity; it is shocking and follows the path of least resistance."

– Sriram Natarajan, Finextra, March 2008

Slide 24: Diebold ATM Security Web Site

For further information, please visit:
- http://www.diebold.com/atmsecurity/
- http://www.diebold.com/atmsecurity/security/challenge/ATMSecurityChallenge.html

Slide 25: Thank You!