Countermeasures

These countermeasures to protect against Black Box and Malware (Jackpotting, Man-in-the-Middle, Software skimming) attacks on ATMs have been prepared by the EAST Expert Group on All Terminal Fraud (EGAF).

They are used in EAST Fraud Alerts to indicate which countermeasures (primary and secondary) are applicable to each reported attack type. They apply to both online (onsite and remote) and offline attacks.

EAST also publishes Fraud Terminology: Fraud Definitions, Central/Host Fraud Definitions, Terminal Fraud Definitions, Terminology for Locations of Card Data Compromise (CDC) Devices at Terminals, and Terminal Physical Attacks Definitions & Terminology.

| Countermeasure Type | Description |
| --- | --- |
| Physical Measures (1) | Ensure physical protection of the ATM head compartment, suitable access control and conduct frequent visual inspections. |
| ATM Monitoring (2) | ATM monitoring regarding opening of the head compartment and loss of communication to security-relevant devices. |
| Updated ATM Software Stack (3) | Frequently update the whole ATM software stack and enable a process for fast-track deployment of security updates. |
| File integrity management (4) | Ensure integrity of the ATM software stack. |
| Secure Software Delivery (5) | Establish a process to securely deploy software updates to prevent remote deployment of malware. |
| Secure Device Communication (6) | Protected communication with devices like the Card Reader, Cash Device and Encrypting PIN Pad (EPP). |
| Device blocking (7) | Prevent usage of unwanted USB and similar devices. |
| Application control (8) | Prevent execution of any unwanted software and its access to banking-related interfaces. |
| OS hardening (9) | Lock down the operating system (OS) as much as possible and remove all unnecessary services, applications and privileges. |
| Encrypted Hard Disk (10) | Encrypt the hard disk to prevent access to files while the ATM software is not running. |
| Alternate boot protection (11) | Prevent alternative boot within BIOS settings and manage BIOS passwords. |
| Authenticated boot process (12) | Ensure authentication during the boot sequence to prevent usage of rootkits or attacks with alternate boot environments. |
| Secure Network communication (13) | Encrypt network traffic via Transport Layer Security (TLS), enable MACing for transactions and apply networking security best practices like network segmentation. |
| Firewall (14) | Enable a firewall and only allow necessary connections. |
| E2E Authentication (15) | Use End-to-end (E2E) authentication to establish a protected connection directly between the host and the cash modules to mitigate attacks at the ATM PC. |
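As an added example (not part of the EAST material), the following Python sketch shows how countermeasure 2 can be turned into a monitoring rule: it correlates a head-compartment opening with a subsequent loss of communication to a security-relevant device on the same terminal, and treats either event on its own as lower-severity when it falls outside an approved service window. The log format, event names, terminal ids and service windows are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample ATM event log (not real): <ISO timestamp> <terminal> <event> [<device>]
SAMPLE_LOG = """\
2024-03-01T02:10:05 ATM0042 HEAD_COMPARTMENT_OPEN
2024-03-01T02:11:40 ATM0042 DEVICE_COMM_LOST CASH_DISPENSER
2024-03-01T09:00:00 ATM0017 HEAD_COMPARTMENT_OPEN
2024-03-01T09:20:00 ATM0017 HEAD_COMPARTMENT_CLOSED
2024-03-01T14:30:00 ATM0099 DEVICE_COMM_LOST EPP
"""
# Assumed: approved service windows (start, end) per terminal, during which
# head-compartment access and device disconnection are expected.
SERVICE_WINDOWS = {"ATM0017": (datetime(2024, 3, 1, 8, 30), datetime(2024, 3, 1, 10, 0))}
# Security-relevant devices whose loss of communication matters (countermeasure 2).
SECURITY_DEVICES = {"CASH_DISPENSER", "EPP", "CARD_READER"}

def parse(log):
    """Parse log lines into (timestamp, terminal, event, device or None)."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        device = parts[3] if len(parts) > 3 else None
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], device))
    return events

def in_service_window(terminal, ts):
    window = SERVICE_WINDOWS.get(terminal)
    return window is not None and window[0] <= ts <= window[1]

def alert(terminal, ts, severity, reason):
    return {"terminal": terminal, "time": ts, "severity": severity, "reason": reason}

def detect(events, max_gap=timedelta(minutes=10)):
    """'medium' for an unscheduled opening or device comms loss on its own; 'high' when a
    security device drops off shortly after the compartment was opened (Black Box pattern)."""
    alerts, last_open = [], {}
    for ts, terminal, event, device in sorted(events, key=lambda e: e[0]):
        if event == "HEAD_COMPARTMENT_OPEN":
            last_open[terminal] = ts
            if not in_service_window(terminal, ts):
                alerts.append(alert(terminal, ts, "medium", "head compartment opened outside service window"))
        elif event == "DEVICE_COMM_LOST" and device in SECURITY_DEVICES:
            opened = last_open.get(terminal)
            if opened is not None and ts - opened <= max_gap:
                gap = int((ts - opened).total_seconds())
                alerts.append(alert(terminal, ts, "high", f"{device} comms lost {gap}s after head compartment opened"))
            elif not in_service_window(terminal, ts):
                alerts.append(alert(terminal, ts, "medium", f"{device} comms lost outside service window"))
    return alerts
```

Running `detect(parse(SAMPLE_LOG))` yields two alerts for ATM0042 (an unscheduled opening, then a high-severity dispenser disconnect 95 s later), nothing for ATM0017's scheduled service, and a medium alert for ATM0099's unexplained EPP disconnect.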