Automated Teller Machines (ATMs) were introduced over five decades ago. To expand the ATM network, banks made heavy investments in procuring hardware and in the maintenance that followed. Back then, ATMs were closed systems, which meant they had a very restricted attack surface. To keep up with dynamic business needs, more widely adopted operating systems such as Windows XP (Embedded) were introduced, and commercially available antivirus solutions were deployed to safeguard ATMs.
However, when Microsoft stopped supporting Windows XP in 2014, ATMs were put in a vulnerable position. Lack of OS security updates, coupled with the reactive defense approach of antivirus, made ATMs an easy target for cyber attacks. Threat actors began using advanced reconnaissance techniques to expand their foothold on critical infrastructure. Hackers were tunneling to extract critical information from the bank’s network without being detected. Their presence went unnoticed by traditional security measures for weeks and months, causing huge financial and reputational loss.
Why Antivirus Can No Longer Defend ATMs
Antivirus is heavily dependent on a database of signatures to detect threats. With the steep rise in cyber threats, the signature database keeps growing and demands greater bandwidth from already constrained ATM networks. The consequence is a longer update cycle, which leaves ATM machines vulnerable to attacks. This reactive approach makes antivirus ineffective against modern malware and Advanced Persistent Threats (APTs). To add to this challenge, commercially available antivirus allows the hacker to test the malware’s effectiveness against it before deploying it in the bank’s environment, increasing the attack’s rate of success.
Here are 5 reasons why an antivirus can’t safeguard ATMs.
1 Software Patching
When a vulnerability is reported, the antivirus OEM writes a fix, which is deployed as a ‘patch’. But creating, testing and deploying a patch can take months and sometimes even years. This is a reactive approach which is simply not practical for large enterprises. When the threat is immediate, waiting for patches just does not make sense.
2 Static Signature
Traditional antivirus solutions are heavily dependent on static signatures to identify malware. But in the real world, malware is not static. Morphing malware, whether oligomorphic, polymorphic, or metamorphic, can encrypt or disguise itself to evade a signature match. With advanced malware threats, relying on a static signature is no longer a dependable solution.
3 Heuristic Signature
Using the heuristic approach, a single generic signature is created for a whole family of viruses. These signatures often match non-contiguous code, using wildcard characters that allow the scanner to detect viruses even if they are padded with meaningless code. However, clever morphing malware that uses encryption can still evade heuristic scans.
4 Real-Time Detection
Some antivirus programs monitor computer systems in ‘real time’ for suspicious activity such as computer viruses, spyware, adware, and other malicious objects. They usually fail unless the bad behavior has previously been seen and defined, which is why they miss zero-day attacks.
5 Endpoint Detection and Response
These antivirus programs leverage behavioral detection, AI, ML, and cloud-based file detonation to identify bad behavior. They operate in a detect-and-respond model. However, this model is heavily dependent on human interaction for response and mitigation.
The bottom line is that traditional antivirus is not a practical solution for protecting ATMs. Malware today has evolved to work around the defense mechanisms programmed into most antivirus solutions. The reactive approach used by antivirus has proven to fail and has caused major security breaches around the world. To safeguard their ATMs, banks need to shift to a proactive security approach that can secure ATMs from advanced malware and APTs.
How ATMs Can Be Made Tamper-Proof
Instead of scanning and detecting based on signatures, adopt a simpler yet robust signature-less approach that works at the kernel level to prevent unauthorized processes from running. The same control also prevents authorized processes from misbehaving in ATMs and critical servers.
ColorTokens RADAR360 features intelligent algorithms for in-depth analysis of every running process and file present on the machines. System processes are checked against the known good, that is, the whitelisted processes, and compared with contextual profiles to prevent suspicious or unauthorized activities.
RADAR360 protects endpoints and servers, including legacy and unpatched systems, against known and unknown cyber threats.
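As an added illustration of the known-good plus contextual-profile idea described above (example code written for this page, not ColorTokens' code, and no claim about how RADAR360 works internally), the following default-deny check compares a process launch against an allowlist of approved binary hashes and an allowed-parent profile. All paths, image contents and events are constructed for the example.

```python
"""Default-deny process allowlisting: known-good hash plus launch context."""
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "binary images" standing in for an approved ATM software stack.
GOOD_IMAGES = {
    r"C:\ATM\xfs_host.exe": b"xfs-host-build-1.0",
    r"C:\ATM\updater.exe": b"updater-build-1.0",
}
# Known-good allowlist: path -> digest of the approved image (no signatures of
# bad files anywhere; anything not listed here is denied by default).
ALLOWLIST = {path: sha256(img) for path, img in GOOD_IMAGES.items()}
# Contextual profile: which parent process may launch each allowed binary.
ALLOWED_PARENTS = {
    r"C:\ATM\xfs_host.exe": {r"C:\Windows\System32\services.exe"},
    r"C:\ATM\updater.exe": {r"C:\ATM\xfs_host.exe"},
}


@dataclass(frozen=True)
class ExecEvent:
    path: str      # image path the loader is about to execute
    image: bytes   # bytes of that image as read from disk
    parent: str    # path of the launching process


def decide(ev: ExecEvent) -> tuple[str, str]:
    """Return (verdict, reason) where verdict is 'ALLOW' or 'DENY'."""
    expected = ALLOWLIST.get(ev.path)
    if expected is None:
        return "DENY", "not on allowlist"        # unknown binary
    if sha256(ev.image) != expected:
        return "DENY", "image hash mismatch"     # replaced or tampered binary
    if ev.parent not in ALLOWED_PARENTS.get(ev.path, set()):
        return "DENY", "unexpected parent"       # known binary, wrong context
    return "ALLOW", "known good"


def audit(events: list[ExecEvent]) -> list[tuple[str, str, str]]:
    """Evaluate a batch of constructed launch events."""
    return [(ev.path, *decide(ev)) for ev in events]
```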
To protect your ATMs, read more on ColorTokens RADAR360