The ability to secure communications using SWITCHWARE’s support for SSL/TLS provides an essential layer of security for ATM networks. This widely used encryption protocol is the same technology that secures the majority of internet and web traffic for all major web browsers. A hardened, widely adopted and well-understood protocol makes SSL/TLS 1.2 the ideal choice for ATM communication encryption.
Any approach to securing the ATM communications channel must preserve the high level of availability that banks expect of their ATM network. Using SSL/TLS 1.2 provides a secure means of satisfying the PCI requirement to encrypt the transmission of cardholder data across open, public networks.
The Demand for Encrypted Communications
There are many reasons financial institutions should use encrypted communications:
- Mandated by PCI DSS for ATMs in use in open, public networks
- Protect against several logical in-network attacks: the Man-in-the-Middle, Network Cable Skimming, Host Emulation, Replay and Truncation attacks described below
Man-in-the-Middle Attack
A type of active eavesdropping in which the attacker makes separate connections with each of the victims’ systems and relays messages between them, making both parties believe they are talking directly to each other over a private connection when in fact the whole conversation is intercepted (and possibly manipulated) by the attacker. The attacker must be able to intercept all messages passing between the two victims and inject new ones.
A man-in-the-middle attack succeeds only when the attacker can impersonate each endpoint to the satisfaction of the other. Most encryption protocols, including TLS 1.2, provide endpoint authentication and can prevent this type of attack.
Network Cable Skimming Attack
This is where a special device is attached directly to the ATM network cables in order to capture card data. Because TLS 1.2 encrypts the full network communications package before it leaves the ATM, the captured information is rendered useless.
Host Emulation Attack
An emulated server or box is connected to the ATM’s network connection. Messages sent to the host during this type of attack are received by the host emulator, which sends back a fraudulent response containing commands that allow unauthorized actions, such as cash dispensing.
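The endpoint authentication that defeats the man-in-the-middle and host emulation attacks above can be shown in a few lines of Go. The program below is an added example, not SWITCHWARE code and not anything from CSFi, NCR or Diebold: the ATM and the host each hold a certificate, the host accepts only ATMs whose certificate it trusts, the ATM accepts only a host whose certificate it trusts and whose name matches, and the protocol floor is TLS 1.2. The names host.bank.example and atm-0001.bank.example, the throwaway self-signed certificates, the loopback listener and the BALANCE/APPROVED messages are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newIdentity makes a throwaway self-signed certificate for one endpoint plus a pool that
// trusts only it (constructed for the demo; real ATM and host certs come from the bank's PKI).
func newIdentity(name string) (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// hostConfig: TLS 1.2 or newer, and every ATM must present a certificate the host trusts.
func hostConfig(host tls.Certificate, trustedATMs *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{host},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    trustedATMs,
	}
}

// atmConfig: the ATM completes a handshake only with a host whose certificate is in trustedHosts
// and whose name matches hostName, so an emulated host or a man-in-the-middle is refused.
func atmConfig(atm tls.Certificate, trustedHosts *x509.CertPool, hostName string) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{atm},
		RootCAs:      trustedHosts,
		ServerName:   hostName,
	}
}

// exchange sends one ATM request to the host over loopback TLS and returns the reply, or the error.
func exchange(hostCfg, atmCfg *tls.Config, request string) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(raw, hostCfg)
		defer srv.Close() // orderly shutdown: close_notify, not a bare TCP FIN
		buf := make([]byte, 256)
		if n, err := srv.Read(buf); err == nil { // Read runs the handshake; an untrusted ATM cert fails here
			srv.Write([]byte("APPROVED " + string(buf[:n])))
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cli := tls.Client(raw, atmCfg)
	defer cli.Close()
	if _, err := cli.Write([]byte(request)); err != nil { // Write runs the handshake first
		return "", err
	}
	buf := make([]byte, 256)
	n, err := cli.Read(buf)
	return string(buf[:n]), err
}

func main() {
	hostID, hostPool := newIdentity("host.bank.example")
	atmID, atmPool := newIdentity("atm-0001.bank.example")
	fakeHost, _ := newIdentity("host.bank.example") // right name, wrong key: not in hostPool
	fmt.Println(exchange(hostConfig(hostID, atmPool), atmConfig(atmID, hostPool, "host.bank.example"), "BALANCE"))
	fmt.Println(exchange(hostConfig(fakeHost, atmPool), atmConfig(atmID, hostPool, "host.bank.example"), "BALANCE"))
}
```

With genuine identities on both ends the request is answered; with an emulated host that carries the right name but a key the ATM does not trust, or with an ATM whose certificate the host does not trust, the handshake fails and no transaction data is ever exchanged. In a real deployment the per-endpoint trust pools would be replaced by the bank's issuing CA, and the certificates would carry the revocation and rotation controls that the self-signed demo identities lack.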
Replay Attack
This attack uses a re-transmitted data stream to trick the system into unauthorized operations. For example, a false identification or authentication, or a duplicate transaction, can be sent, allowing the attacker to gain unauthorized access to the network.
Truncation Attack
This attack involves the attacker causing the TCP session to be closed (via a TCP FIN) before the sender has finished sending data, leading the receiver to believe that all data has been received. As a consequence, the receiver can never be sure that more data was not forthcoming. TLS counters this because an orderly shutdown is signalled inside the encrypted channel with a close_notify alert, so a session that ends with a bare TCP FIN and no close_notify can be treated as truncated rather than complete.
Encrypting All Endpoints is the Key
Using SWITCHWARE® support for SSL/TLS provides a way to encrypt communications between the ATM and the host. This security measure is essential to meeting the standards mandated by PCI DSS, specifically for ATMs located in open, public networks. CSFi strongly recommends that customers begin the move to TLS 1.2 as soon as possible. NCR’s and Diebold’s Secure TLS Communications products can be used in conjunction with CSFi’s SSL/TLS feature to provide total encryption for your ATM network.
Contact CSFi to arrange for a review of your ATM data security protocols. Ensure that they conform to industry best practices for secure communications.