Both Diebold Nixdorf and NCR have issued security warnings that a logical ATM attack known as "jackpotting" has been reported as being executed in the US. This type of attack had previously been known to be implicated in ATM attacks in Europe, Asia, and Latin America but not in the USA.
This attack vector was demonstrated at the 2010 Blackhat conference but, until now, had not been seen in any US attacks. This is a serious development that ATM owners and operators should treat accordingly.
There are a number of steps that can be taken to reduce the likelihood of, or eliminate, this attack vector, ranging from tightening the ATM's physical access requirements to encrypting the ATM hard drive.
FICO has reported large increases in ATM attacks in the last few years, and the range of threats continues to expand. It is important to consider a comprehensive risk mitigation plan that implements the mandated logical, physical, and procedural controls and also incorporates industry best practices, to keep your clients safe and your ATMs secure.
Cybersecurity remains a key supervisory focus. In 2018, the NCUA will begin implementing the Automated Cybersecurity Examination Tool (ACET) to improve and standardize supervision related to cybersecurity. The ACET incorporates appropriate standards and practices established for financial institutions and it also aligns with the Cybersecurity Assessment Tool developed by the FFIEC for voluntary use by banks and credit unions.
This focus extends to the electronic delivery channels, including ATMs. The CFR 748 regulation requires the development and implementation of a credit union's Information Security Program to provide administrative, technical, and physical safeguards appropriate to the nature and scope of its activities. It is important to note that the subprovisions of Subtitle A of Title V of the Act state that a credit union must protect the security and confidentiality of the nonpublic personal information of its consumers. Furthermore, CFR 716.3(e)(1)(ii) states that an individual who provides nonpublic personal information to you in connection with the use of your ATM is your consumer.
The Managing Director of BCG, Peter Trombley, was invited to present at the November meeting of the Houston Area Governance Roundtable. He presented on how credit unions can implement, monitor, and validate compliance with PIN and Key Management controls to meet their regulatory and contractual requirements and help keep their members safe. The presentation also reviewed the most common and emerging ATM attack vectors, as well as the mandated controls and best practices that avoid or help mitigate these attacks.
The September 2016 issue of Credit Union Management magazine contains an article authored by Peter Trombley on Board responsibility for ATM and PIN Security control requirements. A copy of the article is available here.
As of July 2015, VISA® requires that all financial institutions that acquire a VISA® PIN debit transaction perform appropriate due diligence to ensure compliance with all of the relevant PCI PIN v2.0 controls. Assessment results do not need to be submitted to VISA®; however, VISA® may request evidence of compliance or request an on-site PIN Security review of any organization, at any time, to ensure the security of its payment system. Individuals performing the assessment must have adequate knowledge of the PCI PIN Security requirements but do not have to be VISA® approved security assessors. Although VISA® does not explicitly mandate completion of the PCI PIN v2.0 assessment and associated SAQ, it readily admits that it would be hard for a financial institution to internally verify compliance without completing one.
The Managing Director of BCG, Peter Trombley, presented to the ACUIA national conference in Boston on 6/25/15. His presentation on PIN Security and Key Management updated the attendees on the increasing focus of regulators on payment system compliance risks. A copy of the presentation slides is available here.