Understanding Zero Trust for Self-Service Banking

By Juan Ramon Aramendia, Head of Cyber Security Product Engineering at Auriga

 

Earlier this year, European banks received a renewed warning about increased cyber threats. The alert was issued by the European Banking Authority (EBA) in its risk dashboard, which stated that the exposure to Eastern European banks collapsing was less of a threat than “second-round” effects, like cyber-attacks that “may be more material from a financial stability perspective.”

Banks have been focusing on cybersecurity for many years now, but the fear is greater than ever before. Cybercriminal gangs are targeting banking services – particularly ATMs – to steal money and valuable financial information about customers and cause business continuity disruption and service interruptions. These attacks on financial services can generate lucrative cash returns, which encourages gangs to invest serious internal budgets into research and development to prepare attacks.

According to Zion, the global ATM market accounted for US$15.1 billion in 2020 and is expected to rise to US$21.2 billion by 2028, growing at a CAGR of around 4.8% between 2021 and 2028. With the financial services industry undergoing rapid digital transformation, banks cannot afford to neglect cybersecurity strategies, especially at a time of increased risks and threats.


The European Association for Secure Transactions (EAST), which tracks ATM fraud attacks for financial institutions in the EU, reported 202 successful jackpotting attacks (ATM malware and logical attacks) in 2020, resulting in losses of €1.24 million (approximately US$1.4 million or about US$7,000 per attack). While other reported types of ATM fraud, such as card skimming and physical attacks, were down, jackpotting attacks represented a 44 percent increase in the number of attacks and a 14 percent increase in losses from 2019. Statistics on attacks in the United States are more difficult to obtain because most ATM owners avoid the negative publicity associated with a compromise of their terminal. Such attacks can be financially devastating to an independent ATM owner because, unless they have some level of insurance coverage, they bear the full brunt of the loss. Therefore, in their cybersecurity planning, business leaders need to consider innovative ways of both working and banking, without affecting the balance of risks.

It is mission critical for security teams to minimise the attack surface, obtain greater visibility of what is happening, and gain faster insight into anomalous activities that could be (or are) suspicious. A bank’s endpoint devices, from workstations to ATMs to ASSTs, are particularly vulnerable to attack. Security leaders should home in on these for cybersecurity review and consider the Zero Trust model, which helps to secure critical endpoints and other parts of the banking service infrastructure.

Zero Trust describes a cybersecurity system that minimises the level of implicit trust, so that software is only accessed and in use once stringent checks have been done. This important concept can be successfully applied to ATMs and ASSTs, as they comprise several software layers, including an operating system, the hardware vendor/software layer and the multi-vendor layer, plus the different tools for operations, monitoring, security and so on. Unlike on PCs, software updating on these devices tends to be reactive, which means liabilities can slip into software inadvertently, making the concept of Zero Trust critical in isolating a layer that is unpatched.

Here is a useful checklist to consider when adopting a modern approach to protecting fleets of ATMs and ASSTs:

  • Reduce the attack surface. Access should be allowed only when it is needed, not merely whenever it is legitimate, and only if the user has been certified for proper operations.
  • Control whoever is going to physically manipulate the ATM. Standard solutions like antiviruses apply the same level of protection at all times, but when a third party is manipulating critical devices, banks must be able to control the level of protection and activate specific policies at that specific moment. The bank should be able to monitor what the technician is doing at the time of highest exposure.
  • Cybersecurity for banking made easier. Consolidate protection measures such as application whitelisting, full encryption of all hard disks and media, file system integrity protection, hardware protection, and a firewall to stop network attacks on a single platform.
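The first two checklist items can be read as a deny-by-default access decision for a technician session. The sketch below is an added illustration, not code from Auriga or from any product the article describes; the technician and terminal identifiers, the work-order model and the policy names `locked` and `servicing-monitored` are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (hypothetical identifiers and tool contents).
CERTIFIED_TECHNICIANS = {"tech-017", "tech-021"}
ALLOWED_TOOL_HASHES = {
    hashlib.sha256(b"vendor-diagnostic-tool v1 (constructed)").hexdigest()
}

@dataclass(frozen=True)
class WorkOrder:
    """A scheduled service visit: the evidence that access is needed."""
    terminal_id: str
    technician_id: str
    start: datetime
    end: datetime

def decide(orders, technician_id, terminal_id, tool_bytes, now):
    """Return (allowed, reason, policy). Every path that is not
    explicitly approved leaves the terminal on the 'locked' policy."""
    # Check 1: the user has been certified for proper operations.
    if technician_id not in CERTIFIED_TECHNICIANS:
        return False, "technician not certified", "locked"
    # Check 2: access is needed right now, on this terminal. A certified
    # technician without an open work order is legitimate but not needed.
    needed = any(
        o.terminal_id == terminal_id
        and o.technician_id == technician_id
        and o.start <= now <= o.end
        for o in orders
    )
    if not needed:
        return False, "no open work order for this terminal", "locked"
    # Check 3: application whitelisting; only known tool binaries may run.
    if hashlib.sha256(tool_bytes).hexdigest() not in ALLOWED_TOOL_HASHES:
        return False, "tool not on allowlist", "locked"
    # Approved: switch to the policy that applies only while the device is
    # being serviced, with the technician's actions monitored.
    return True, "certified, needed, allowlisted", "servicing-monitored"
```

The order of the checks matters for audit: a denial reason of "no open work order" on a certified account is the case the checklist singles out, and is worth alerting on separately from an unknown user.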

The value of the Zero Trust strategy lies in its ability to allow financial institutions to secure digital self-service banking without trusting the assumed security of mainstream software. This distrust is important because cyber attackers will hijack legitimate tools and software to launch an attack. Zero Trust for banking endpoints should extend to third-party tools and services that have permission to access ATMs and ASSTs when servicing these devices. It fits like a glove in critical, purpose-driven environments where changes are made in a fully controlled manner. Effective cybersecurity must interrogate access and verify it is correct or authorised at all times.
