Some credit unions own their ATM machines, others lease them or have a service in place. But however credit unions handle ATMs at their locations, they should ensure that proper physical and logical security controls are in place, and that security maintenance is regularly performed on the machines and their back end systems. It is unfortunately true that ATM machine vulnerabilities are still being exploited to empty machines of cash or to corrupt their back end operating systems and servers with malware, which could lead to possible compromise of private member data. Threat sources for these compromises include both external attackers and insiders such as credit union employees or employees of third-party ATM service providers.
Not only is member trust at issue if there is an ATM security breach, the credit union has to consider their responsibilities under Regulation E of the Electronic Fund Transfer Act. According to this act, risks to electronic fund transfers (including ATM transfers) should be included in the risk awareness program, and both physical and logical security controls should be in place to address these risks. In addition, policies addressing these risks should be included in the credit union’s written information security program and approved by the Board of Directors.
Some of the control needs that should be addressed include:
- Dual controls for ATM access and maintenance, as well as dual controls for card stock and printer refills access.
- Security maintenance including updates and patches for ATMs and back end servers, applications, firmware and operating systems.
- Removal of default, easily guessed or dated passwords on ATM systems. Passwords should be changed often, and multi-factor authentication techniques should be implemented if at all possible.
- All the normal network security measures such as user access and account management, email security, internet access, change management, configuration control, malware protection and detection, logging and monitoring, etc.
- Fraud monitoring and protection.
- Control for electronic communications devices such as:
- Access time-outs and logon attempt limits.
- Anti-skimming software and hardware.
- Monitoring for physical tampering.
- Payment card security controls
- Consider implementing the highest level of endpoint security on ATM machines to prevent connection of devices or uploading of malware onto the machines.
- Ensure that autorun and boot features have been disabled on ATMs,
In addition to these controls, credit unions should have periodic security audits or risk assessments performed on ATMs and the policies and procedures surrounding them performed by qualified third-party information security firms. Another set of eyes and a different perspective are always beneficial to any information security program.