
Cyber-attacks on Banks: Q&A with Elida Policastro, Regional VP – Cybersecurity Division at Auriga

09 June 2020 / Blog

If you haven’t already heard the great news, back in April, Auriga successfully completed its acquisition of the award-winning ATM cybersecurity solution, Lookwise Device Manager (LDM).

LDM is a modular security platform developed by a cybersecurity business unit previously integrated in S21sec, a leading European managed security services player, part of corporate venture capital firm Sonae IM’s portfolio.

Following this exciting step in Auriga’s development, we sat down with our new colleague, Elida Policastro, Regional VP – Cybersecurity Division at Auriga, to discuss the current cybersecurity landscape for banks and ATMs.

1. How would you describe the current state of cybersecurity in banking and, in particular, ATMs?

Cyber-attacks against ATMs, and the systems that control ATMs, such as central servers, are clearly a very pressing and growing threat worldwide.

Some forms of cyber-attacks result in the theft of personal data, such as account numbers and PIN codes. However, these types of attacks still require further efforts to convert the data into money, so a much more attractive proposition for ATM cyber-criminals is to obtain the cash directly from the ATM they have targeted.

‘Jackpotting’ ATM attacks, which are made possible via ATM malware such as Ploutus, involve exploiting physical and software-based vulnerabilities to trick the ATM into dispensing cash, and are popular as they provide an immediate reward. Financial institutions around the world have lost millions to jackpotting in the last five years alone.

In fact, the Ploutus family of ATM malware, first discovered in Mexico in 2013, has generated losses of over 450 million dollars (approximately 398 million Euros) globally.

2. In your opinion, why do you think cyber-attacks on banks and ATMs are on the rise?

Cyber-criminals have realised that ATM networks are often one of the weakest links in a bank’s security infrastructure. One of the main reasons is that there is a lot of legacy hardware and software in ATM networks because it is so expensive and difficult to update.

Unfortunately, this means these systems are likely to be insecure. Many ATMs are still on Windows 7 or are in the process of migrating to Windows 7, which Microsoft no longer supports, meaning Windows 7 users are vulnerable to attacks as they will no longer receive updates from Microsoft protecting them from new threats.

We estimate around 40% of ATMs around the world are running an even older operating system (OS) that hasn’t been supported by Microsoft since 2014, Windows XP, making those machines even more vulnerable to breach.

Apart from the OS vulnerabilities, one of the main attack vectors on ATMs is the XFS layer, the standard interface designed to allow multivendor software to run on manufacturers’ ATMs and other hardware. The XFS layer uses standard APIs to communicate with self-service applications.

However, there is no automatic authentication process that comes with it, so criminals are able to exploit this vulnerability.

Cyber-criminals deploy malware onto hardware devices such as ATM cash dispensers to prompt ‘cash out’ commands and dispense cash, the card reader to steal card numbers and the PIN pad to learn PIN numbers, making the XFS layer a very attractive target.

3. How can banks protect themselves against cyber-attacks?

When it comes to cash machines, generic endpoint protection technology, such as anti-malware solutions, is not enough, as such technologies are designed to protect PCs and laptops. ATMs are critical infrastructure devices – they cannot really be taken offline for any amount of time to reboot them like with a mobile device.

ATM networks and systems need to be available 24/7, 365 days a year, and so require greater protection and a different approach.

Auriga’s solution, Lookwise Device Manager, is specifically designed as a centralised security solution that protects, monitors and controls ATM networks. It’s a tool financial institutions could use to manage the whole ATM network in one place, preventing malware attempts or fraudulent activities on infected ATMs.

4. What are examples of protection that Auriga’s solution, Lookwise Device Manager, provides?

There are several layers of protection LDM offers in a single platform, fully covering all types of cyber-attacks which could appear.

Application whitelisting

One is application whitelisting, the layer that limits which software can be used in an ATM.

Not all are the same – you could have whitelisting designed to work on generic networks, and another form of whitelisting for critical systems like ATMs based on the creation of a minimum whitelist of applications to run. There are two reasons for this.

First, it will reduce the attack surface. Second, legitimate software can be used to perpetrate cyber-attacks and this offers a way to prevent that. Allowing software just because it is legitimate is not a good idea.

Full disk encryption

The second layer of protection LDM offers is full disk encryption of all hard disks and volumes, an absolute must for any bank to protect their ATM network, as without this, criminals can steal hardware and perform reverse engineering to introduce malware onto the hard disk and then replace it in another bank branch.

File integrity

Third is file integrity protection, important as all binary files on an ATM are critical. When an ATM is installed, there is a master file deployed which is not modified unless there is a software update, and this is done through the software distribution system.

There is no reason why anybody should modify any binary file, so LDM will block any attempt by anybody to modify any critical file, except through the pre-defined software update process.

Hardware protection

Finally, there is the hardware protection layer, which captures data, like taking a picture of the ATM. What is there in that moment is the only hardware which is allowed to connect. Any attempts to connect anything on top of that will be blocked.

A process firewall protects the ATM network from a communication layer perspective. LDM offers all these protection layers in one integrated and modular solution.

5. How important will effective cybersecurity be in future and why?

Effective cybersecurity is only going to become more important.

Given that financial institutions are a constant target for criminals, they need to maximise efforts to keep up with this dynamic threat and avoid breaches of large databases leaving hundreds of thousands of people’s data at risk.

And while there is also a huge movement to the cloud, considering its advantages for organisations, it is important that cloud services comply with cybersecurity standards that guarantee the protection of the data of users, clients and customers.

6. What security advice would you give to financial organisations moving to the cloud?

Huge amounts of data can be managed and analysed efficiently in the cloud.

The volume of data is becoming ever larger and more complex, and this poses a challenge to those responsible in banks as to how these volumes can still be processed in a useful way.

With big data platforms, cloud computing makes the entire process easier and more accessible for small, medium and large companies. Cloud services enable banks to improve the data security and reliability of their systems and benefit from significantly better computing power.

    