ATM security is emerging as a major pain point for banks across the globe. Even as other IT systems continue to update with new levels of security controls, ATMs continue to operate on outdated operating systems such as WinXP. And although many ATMs carry a slew of compensatory controls, such as hardening, malware detection suites, whitelisting and others, these measures do not address the core issue of platform vulnerability. What is the limitation?
"The manufacturers and banks are aware of the risks they are running on the security side," says Prakash Joshi, Chief Operating Officer for Electronic Payment and Services, a third-party service provider that deploys and operates ATMs for banks in India. "It is a conscious call taken by the bankers, and the manufacturers sometimes; these decisions are subject to cost constraints."
The price of an ATM in India is the lowest in the world - around 40 percent lower than the global average. Indian banks are known to opt for the bare minimum configuration for these devices, as security is often sold as an add-on solution by the OEMs due to margin pressure, he says.
The operating system conundrum is an old one, he explains. Historically, the choice of Windows as the operating system dates back to the 1980s, when ATMs used OS/2 as the default operating system. With ATMs getting smarter and OS/2 going out of support, the common consensus in the industry was Windows as the platform of choice, since it was the most common OS available and also easy to use, Joshi says.
While this may have been an expedient choice back then, the numerous issues plaguing ATMs on the Windows platform today, such as malware, can be traced back to these beginnings. Moreover, increasing dependency on this platform and the hardware ecosystem that has evolved around it make breaking away onto more secure alternatives such as Linux and Android-based systems prohibitively expensive and operationally impractical, he says. [See: ATM Security: The Fundamental Flaws]
In this exclusive interview with Information Security Media Group, Joshi speaks about the cybersecurity threats facing ATMs today. Taking a close look at some developments in this space, he also shares his perspectives on:
- The state of security in the ATM landscape;
- Unique challenges and some interim recommendations;
- Developments in this space and banks' primary cybersecurity from ATMs.
Prakash Joshi is the COO at EPS. A renowned industry professional with over 25 years of experience in the information technology industry, with a keen focus on the financial services sector, he also has experience in business development of ATM hardware, software and services product lines across the country and has managed the western region as Profit Center Head for Diebold operations in India.