ATM Architecture & Security

Rushi Mehta
Oct 27, 2020

An ATM has three main components: hardware, OS and ATM software. Hardware is made by OEMs such as Diebold®, Interbold, Fujitsu, CR-Triton and WinCor-Nixdorf.

The OS could be Windows or Linux. Mostly these are outdated and poorly patched.

The ATM software is mostly Java-based, or otherwise depends on the vendor, and is ‘pinned’ on the screen of the ATM.

ATM Switch:

An ATM switch is not a network 'switch', as I thought when I went for my first engagement.
It's basically software that runs on any operating system, takes in signals or data from ATM devices from different OEMs or networks, and processes them for complex work.

The ATM switch is used to manage ATMs using their unique identifiers. It is used to perform the following operations:

  • ATM details
  • ATM connection details
  • ATM status
  • ATM port open, close
  • ATM ping
  • ATM transaction logs access, etc.

Money withdrawal Flow:

1. The user inserts the card into the ATM or POS machine.
2. The ATM number is validated by the switch software (stored in a local DB in encrypted/hashed/tokenized format).
3. The ATM PIN is then validated by the switch software (PINs are stored in an HSM).
4. After steps 2 and 3 succeed, the request is validated with the system of the bank to which the card belongs, to verify the balance.
5. After a successful response from the central banking system to the switch, the money is then routed via channels. In India, it would be through VISA, MasterCard or NPCI (Govt. body). These intermediaries take some fees to facilitate the transaction. NPCI is the cheapest.

Connectivity/Architecture:
In general, there are two divisions of ATM architecture:

  1. On Prem: These ATMs share the same network as the bank’s branch. Typically these ATMs are connected using an Ethernet cable pulled from the branch switch.
  2. Remote ATMs: ATMs in rural, non-connected regions are operated using a V-SAT antenna. It's a satellite dish present on top of the ATM cabin.

Simplified Architecture:

ATM <-> Bank Network <-> ATM Switch (Hosted in DC) <-> VISA/MasterCard/Rupay

Quick checklist to secure your bank from such attacks:

1. Launch an IS audit on the bank's switch provider with the following scope:
- Antivirus management on the switch server
- Patch management on the switch-hosted server
- Access management on the switch-hosted server
- Card details storage management on the switch infrastructure: how and where do they save the card details?
- Card details issue procedure and card number transfer process after successful issuance.
- Integration with NPCI, VISA or MasterCard channels.
2. Perform ATM penetration testing on sampled ATM machines.
3. Check for the implementation of Network Access Controller on ATM machines.
4. Search Shodan for your IP addresses and assess all your public-facing infrastructure for vulnerabilities.
5. Ensure all communications are secured with encrypted messages.
