Improving ATM security with Windows 10

Techniques for migrating to Windows 7 can also be used to migrate to Windows 10

Speaking at ATM Security 2015 in London, Pat Telford, principal consultant at Microsoft Canada, summarised the software threats to ATMs and the features to combat them when migrating to Windows 10.

ATM security is compromised by physical attacks on the cash, physical attacks on the card, replacement of the ATM computer (black box), and malware attack (where normally a person visits the ATM and adds malware).

According to Telford, there are certain immutable laws of ATM Security:

If a bad guy can alter the operating system on the ATM, it’s not your ATM any more
If a bad guy has unrestricted physical access to the ATM, it’s not your ATM any more
If you allow a bad guy to upload programs to the ATM, it’s not your ATM any more
If a bad guy can persuade you to run his programme on your ATM, it’s not your ATM any more.

So what can you do to prevent these situations? There are plenty of physical defences including ATM location planning, ink and anti-skimming. Trusted devices can help against computer replacement/black box, says Telford. There is also layered defence-in-depth software security (firewall, whitelisting, and reducing the number of administrators).

Why are ATMs moving away from Windows XP?

The answer is because they have to. Windows 10 offers in-box security enhancements, a long support lifecycle and a long-term servicing model, says Telford, and has the same hardware requirements as Windows 7.

The key defence in Windows 10 is Device Guard, which enables a computer to be locked down to only run trusted applications – a virtual “machine” oversees security. If a piece of code is not signed by Microsoft or the user, it will not run. It is also resistant to tampering by an administrator or by malware.

In a situation of malware against Device Guard, a trusted system is used to mediate whether apps can run and you cannot boot from an alternate OS. It’s a similar system to an iPhone, for which you can only get signed software from the Apple Store, says Telford.

In summary, Windows 10 is not available yet as an OS from the major ATM vendors, but it’s an appealing platform. The servicing model includes continuous releases but with long-term branches for ATMs. To take advantage of Device Guard, you may need new hardware features on the ATM PC. Finally, techniques for migrating to Windows 7 can also be used to migrate to Windows 10.

Download PDF version Download PDF version

Add as a preferred source on Google

Author profile

Ron Alalouff Contributing Editor, SourceSecurity.com

People mentioned in this article

Articles by Ron Alalouff

QinetiQ demonstrates new privacy-protecting body scanner for crowded places

The new scanner can quickly screen large groups of people without needing them to stop or slow down Most body scanners are designed to work one person at a time, checkpoint style. Q...

Why Hikvision is suddenly front-page news: The company responds to security concerns

Hikvision has been in the news in the United Kingdom recently, including a front page news story in The Times. SourceSecurity.com offered Keen Yao, Vice President at Hikvision’s In...

Cloud-based surveillance spearheads growth in security as a service

The global market for security as a service is set to grow from $921 million in 2016 to $1.49 billion by 2020 The global security as a service market is made up of video surveillanc...

Security companies embrace Corporate Social Responsibility to improve environmental & social impact

CSR applies to the security industry in many different ways and can be practised by small or large businesses What exactly is Corporate Social Responsibility (CSR) and how does it a...

Home automation: A growth area for the security industry?

It’s become a hot topic lately, but what are the real prospects for the smart home and home automation market? More specifically, what role can the security industry play in what is seen as a gr...

Surveillance cameras switched off amid budget cuts in England and Wales

Budget cuts are causing councils to scale down their systems, or decommission them altogether Budget cuts in England and Wales are leading to cameras being switched off to save mone...

IFSEC Day 1: H.265, apps and cybersecurity shine through other security innovations

H.265 compression, apps and the inherent security of security systems were some of the themes to be gleaned on the first day of IFSEC International. Almost every video exhibitor I saw on day one of t...

IFSEC Day 2: HD analogue, video compression and drones

H.265 compression continued to be a popular topic from exhibitors on the second day of IFSEC Video beyond security, compression, HD over analogue and integration were on the lips of...

UK Surveillance Camera Commissioner, Tony Porter, to highlight importance of Camera Code of Practice at IFSEC 2016

Porter will tell IFSEC attendees about an upcoming National Surveillance Camera Strategy The Surveillance Camera Commissioner for England and Wales, Tony Porter, will be speaking at...

Frank Cannon to educate IFSEC attendees on employee security awareness programme

Organisations have a duty of care to protect their employees wherever they work. But in the increasingly complex world that we all live in, the ability to deliver a risk-commensurate and...

New home automation zone at IFSEC 2016 to feature smart home replica

A “smart home” featuring networked security devices and other home automation products will be new to IFSEC International 2016 in June. This replica smart home will be at the heart of the...

Beyond basic upgrades – Phusion technology combines visible and thermal cameras to deliver detailed CCTV images

Research at the University of East Anglia in Norwich, England, is developing a technology that can provide clearer, more defined camera images by fusing RGB (red-green-blue) images with...

Lost for words? Automated lip reading technology deciphers speech in silent CCTV images

Automated CCTV lip reading is challenging due to low frame rates and smallimages, but the University of East Anglia is pushing the next stage of this technology Scientists at the Un...

The all-IP future of public transport surveillance networks shows a growing demand for video analytics for better incident management

The report says almost 50% of the public transport organisations are willingto broaden the type of video analytics used A detailed survey of public transport operators shows a growi...

CCTV budget cuts reduce video surveillance expenditures and camera counts across the UK, except in London

Nationally from 2012 - 2015, there has been a decrease in the money spent on theinstallation, monitoring and maintenance of CCTV compared to the period 2009-2012 The UK has often be...

Regulator highlights public safety risks due to lack of security officers' training in Australia

Poor quality training, poor literacy and numeracy skills and inadequatesupervision were some of the areas for concern highlighted by ASQA A lack of consistency in licensing, poo...

E-passport technologies address border security crisis and ease tourism

Led by European nations, there is a global shift to e-passports, with over 100 countries using these technologies With the number of global international tourist arrivals standing a...

Lone Worker Conference: Measures for personal safety and mental wellbeing

There are between 4 and 6.8 million lone workers in the UK, and many of us arelone workers at some point in our working lives The Suzy Lamplugh Trust was set up to highlight the ris...

Stratus Technologies’ everRun solution prevents downtime and data loss for critical physical security applications

Stratus Technologies is a provider of “always-on” technology, which helps to ensurethe running of mission-critical access control and video surveillance applications Bui...

650 ATM attacks annually in Italy call for physical security solutions that anticipate and curb heists

The proportion of failed ATM attacks is more than 50%, but the collateraldamage is high and growing ATM security providers and products can take various countermeasures to mitigate...