IBM announced on Aug. 6 that it is expanding its X-Force Red security testing business with four new physical lab locations and a new service for testing the security of ATM banking systems.
The locations of the four new X-Force Red Labs are Austin, Texas; Hursley, England; Melbourne, Australia; and Atlanta. The new labs will be used to test the security of multiple types of devices and services, including ATM banking systems.
“One of the biggest problems is that a lot of financial institutions assumed that the manufacturers were doing the testing and the manufacturers assumed the financial institutions were doing security, so we got a mature industry in terms of rollout, without a lot of testing,” Charles Henderson, global managing partner of IBM X-Force Red, told eWEEK.
After joining IBM in October 2015, Henderson created the X-Force Red business unit to bring a dedicated penetration testing and offensive security practice to IBM. X-Force Red has been adding formal practice areas and services over the last two years, including the addition of IoT and Connected Car Security Services to its testing portfolio in July 2017.
X-Force Red had been testing ATMs for some time and recently has seen an increase in interest from financial institutions, and so decided to create a formal practice area, according to Henderson. Multiple factors are driving demand for ATM research, including large global sporting events, which are sponsored by various financial institutions. IBM gets requests from the financial institutions years before events to help them make sure that ATMs are secured, he said.
IBM X-Force Red has found ATMs to have multiple risks, including what is known as “jackpotting,” where an ATM is hacked to shoot out cash to an attacker. ATM attacks are not a new phenomenon, with researchers demonstrating ATM jackpotting attacks at the Black Hat security conference in 2009 and again in 2016.
“Remember, we’re talking about criminals, and criminals are looking to monetize stuff, and it turns out that cash is easily monetized,” Henderson said.
There are multiple types of risks associated with ATMs, including the physical security of where the ATM is located. Henderson said X-Force Red does not visit every ATM location and as such doesn’t validate the physical security of every deployment.
What X-Force Red does is validates the security of a default deployment to identify potential areas of weakness. For example, Henderson said X-Force Red will consider what the risk and impact is if an attacker is able to physically intercept a cable to an ATM to attempt a man-in-the-middle (MiTM) attack.
“We evaluate everything we can,” he said.
While ATMs typically include security controls, Henderson said X-Force Red has seen circumstances where the security controls were not properly implemented. One such example is with full disk encryption, which is supposed to keep financial details protected on an ATM.
Another risk to ATM security comes from running older operating systems. There was a time when most of the world’s ATMs were running Microsoft’s Windows XP operating system, which in 2018 is no longer supported and has multiple known vulnerabilities. When X-Force Red comes across financial institutions that are still running ATMs with Windows XP, Henderson said they usually recommend that they change operating systems. That said, he noted that whether an organization is running Windows XP or a more modern operating system, X-Force Red is still finding vulnerabilities that can either be software, implementation or infrastructure flaws.
“We’re very careful to make recommendations not just solely based on operating system, but also because of actual vulnerabilities,” Henderson said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.