Diebold Nixdorf recommends a strategic, multi-layer approach in protecting Myanmar’s financial institutions

31 May 2018 (2561 BE)

In its “Global ATM Market and Forecasts to 2022” report, released in September 2017, the London-based consulting firm RBR identified Myanmar as the country with the fastest growth in ATMs in the world over the next five years. The expansion, according to the firm’s findings, was primarily led by economic reform.

 

Although Myanmar currently has one of the lowest ratios of ATMs per one million people among all ASEAN countries, the report predicts that, along with the expansion in banking services, ATM deployments in Myanmar will double to 6,000 by 2022.

 

That is great news, but with more ATMs come additional risks. There have been reports of security breaches affecting ATMs, both abroad and domestically in Myanmar, namely fraud attempts such as skimming, malware, and data security attacks.

 

An April 2017 report by Symantec showed how ransomware attacks around the world have increased by more than 36 percent during the period from 2015 to 2016, with 463,841 cases detected in a single year. 

However, skimming takes the lion’s share of the problem. It is believed that 97 percent of ATM card losses are due to skimming, making it the industry’s costliest problem. Similar to identity theft, thieves use hidden electronics to steal personal information stored on your card and record your PIN to access the cash in your account. In some cases, this involves placing a card reader over an ATM’s real card slot, so that when an ATM user slides in his card, he unknowingly slides it through the counterfeit reader, which scans and stores all the information on the magnetic stripe.

 

The good news is, there are ways for financial institutions to outwit them, beginning with understanding the complexities of the self-service environment from a compliance-and-risk standpoint. Just as it’s important to find a strategy to holistically protect your network, so is teaming up with the right partner, tools, and strategy. 

Diebold Nixdorf recommends a strategic, multi-layered approach that provides back-up protection in the case of an attack and ensures that your network is protected regardless of the form of attack. This includes:

 

1. Setting up lines of defense 

Multi-layered security calls for appropriate and continuous governance of ATM security with a suitable configuration, which means stripping unnecessary components from the operating system (OS) and establishing permissions that allow only authorized programs to run. Moreover, an ATM network should be almost entirely locked down and restricted to its crucial connections.

 

Europol recommends four layers of defense to protect ATMs from malware and logical attacks: physical access to the ATM, offline protection, online protection, and additional measures. In the first line of defense, only authorized personnel should be allowed to carry out work on an ATM, complemented with the placement of surveillance monitoring to detect and record suspicious activity around the ATM. 

 

Second, robust password management policies should be in place, along with protection of the USB/serial communication between the dispenser and the PC.

 

Third, communication authentication and encryption protections should be applied to all ATM network traffic. 

And last but not least, it’s recommended to start with a clean install at the ATM or perform an antivirus check before the approved installation, establish a policy for secure and regular software updates, conduct regular ethical hacking tests and vulnerability scans on the ATM and the ATM network, segregate the duties of employees, and limit access to the ATM for individual employees.

 

2. Be prepared anywhere, anytime 

Big data analytics and the revolution in digital technology may bring with them new trends in consumer touch points and banking services, but they also come with new security pressures. In response to more diversified attacks, the countermeasures of financial institutions must also evolve and become more holistic and creative. That said, Europol suggests some indicators that can help determine whether or not a particular incident represents a logical or a malware attack: unexpected reboots, unexpected “cash out” events, legitimate files in incorrect locations, lots of communication with security solutions running on the ATM, transaction records on host servers that don’t correlate with the value of cash apparently dispensed, and gaps in audit logs where there should be records of transaction activity.
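As an added illustration (not code from Diebold Nixdorf or Europol), the sketch below checks four of the indicators listed above against an ATM journal and the host's transaction records: unexpected reboots, unexpected cash-out events, host records that do not match cash dispensed, and gaps in audit logs. The record layout, the names and the two-hour gap threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; field layout and thresholds are assumptions.
HOST_TXNS = [("T1", "ATM-01", 100), ("T2", "ATM-01", 50),   # (txn_id, atm_id, amount)
             ("T3", "ATM-02", 200), ("T4", "ATM-02", 60)]
JOURNAL = [  # (timestamp, atm_id, event, host_txn_id, amount)
    ("2018-05-01T09:00:00", "ATM-01", "DISPENSE", "T1", 100),
    ("2018-05-01T09:10:00", "ATM-01", "DISPENSE", "T2", 50),
    ("2018-05-01T09:20:00", "ATM-01", "REBOOT", None, 0),
    ("2018-05-01T09:25:00", "ATM-01", "DISPENSE", None, 4000),
    ("2018-05-01T09:00:00", "ATM-02", "DISPENSE", "T3", 200),
    ("2018-05-01T13:00:00", "ATM-02", "DISPENSE", "T4", 60),
]
PLANNED_REBOOTS = set()        # (atm_id, timestamp) pairs approved by change control
MAX_GAP = timedelta(hours=2)   # longest silence tolerated in an ATM's audit log

def find_indicators(host_txns, journal, planned_reboots=PLANNED_REBOOTS, max_gap=MAX_GAP):
    """Return sorted (atm_id, indicator) pairs raised by the journal and host records."""
    hits = set()
    authorised = defaultdict(int)   # cash the host approved, per ATM
    host_ids = set()
    for txn_id, atm, amount in host_txns:
        authorised[atm] += amount
        host_ids.add((atm, txn_id))
    dispensed = defaultdict(int)    # cash the ATM says it paid out, per ATM
    last_seen = {}
    for ts, atm, event, txn_id, amount in sorted(journal, key=lambda r: r[0]):
        when = datetime.fromisoformat(ts)
        # Gap in the audit log where transaction activity would be expected.
        if atm in last_seen and when - last_seen[atm] > max_gap:
            hits.add((atm, "audit_log_gap"))
        last_seen[atm] = when
        if event == "REBOOT" and (atm, ts) not in planned_reboots:
            hits.add((atm, "unexpected_reboot"))
        if event == "DISPENSE":
            dispensed[atm] += amount
            # Cash left the machine without a matching host authorisation.
            if (atm, txn_id) not in host_ids:
                hits.add((atm, "unexpected_cash_out"))
    for atm in set(authorised) | set(dispensed):
        if authorised[atm] != dispensed[atm]:
            hits.add((atm, "host_cash_mismatch"))
    return sorted(hits)

if __name__ == "__main__":
    for atm, indicator in find_indicators(HOST_TXNS, JOURNAL):
        print(atm, indicator)
```

In practice the gap threshold would be tuned per site, since a low-traffic ATM can be legitimately silent for longer than a busy one.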

 

3. Share threat intelligence 

TechCrunch had it right when it warned that having access to timely information and intelligence can make a big difference in protecting organizations and firms against data breaches and security incidents. One feasible solution, it suggested, is the sharing of threat intelligence in order to raise awareness and sound the alarm about new attacks and data breaches as they happen. Be it collective sharing within the private sector or those led by the effort, such collaboration is useful for putting a heavier burden on attackers.

 

4. Consolidate and simplify 

Simplifying and consolidating your approach not only makes your security stronger, it also frees up resources that can be devoted to other areas of your organization. It is important for financial institutions to be able to address both the technical and procedural requirements for compliance with the existing cyber security framework and reporting without adding the cost or complexity of point solutions. Consolidation will also lead to less human error and allow security teams in the banking, financial services and insurance industry to balance and better manage future changes to the framework with ease.

Piers Leach is the Myanmar Country Manager for Diebold Nixdorf, the world leader in enabling connected commerce for millions of consumers each day across the financial and retail industries. 

 

 

(Myanmar Business Today: https://www.mmbiztoday.com/articles/protecting-myanmar-s-financial-institutions )

 
