Securing the ATM and POS networks

A unique solution adopted by Diebold Nixdorf for certificate lifecycle management allows safe and secure operation of ATM and POS networks.

Using the CZERTAINLY product provided by 3Key Company allowed a high degree of automation and standardization of all certificates we use in our network. It has helped us to reduce the effort needed for the management of certificates by approx. 90%; our IT Security specialists can focus on other, more relevant tasks than monitoring and manually replacing certificates. Moreover, since we deployed the solution, we have not experienced a single certificate-related outage and have never had a security issue related to inadequate use of certificates.

Certificates in ATM and POS networks

Certificates are an important layer of security in today’s networks. The use of certificates is mandated for POS terminals by the card associations worldwide. A couple of years ago, Diebold Nixdorf in the Czech Republic created its own Certification Authority in the Prague data centers and secured the communication of all the ATMs operated from the Czech Republic.

This service provided an extra security layer for the ATM network, and the communication from the data centers was secured. So even if somebody managed to get rid of the physical firewall deployed at each ATM, they could not forge the communication from the host to the ATMs, read the transferred data, or install an unauthorized software package on the ATM this way.

This is very important, because the previously common physical attacks on ATMs are now giving way to more sophisticated logical attacks, which are orchestrated by organized groups across the world. Properly hardened ATMs and POS terminals, secured by certificates and with encrypted data storage, make it close to impossible to retrieve cardholder data or install unauthorized software packages. ATMs are usually full of money and often located in remote locations. Without proper protection by certificates, it could be possible to install a software component that carries out a jackpotting attack, which forces the ATM to churn out all of its cash, or to install ransomware, which compromises the data stored in the ATM or blocks the operation of the systems until a ransom is paid.

Problems related to certificates management

Certificates are a victim of their own success. They are so useful that they have become ubiquitous in modern IT infrastructures. Every device or server has its certificate, and many applications have their own certificates. Many types of information are signed or sealed by a certificate to make sure they are secured. Modern cloud environments in particular use many short-lived certificates, which are used only for a particular task or installation.

The complexity of certificate management increases with the evolution and security improvements of the IT environment. Manual management of certificates, where specialists keep track of all the certificates and perform the tasks of certificate issuance, replacement or revocation, can operate smoothly with a limited number of certificates, but in a large heterogeneous environment manual lifecycle management inevitably leads to costly mistakes. Certificate-related outages have happened even to renowned global companies such as Google, Ericsson, Equifax, or LinkedIn. The latest big outage with global impact happened on September 30, 2021, when an older root certificate – DST Root CA X3 – which was used to underpin HTTPS certs issued by Let’s Encrypt, expired as planned along with its R3 intermediate. These outages are not just embarrassing; they also lead to a loss of revenue, reputation and credibility, and even to security risks.

Can the ATM and POS networks be kept secure and without outages? – CZERTAINLY!

Certificates control communication and authentication between machines and are therefore the centerpiece of IT security infrastructure. If a certificate expires, resuming the operation of the affected application is very painful. An expired critical certificate usually effectively blocks access to the affected system, and fixing it – a critical security element of the system – usually requires having the very access that was lost. Regaining access usually requires a key loading operation in a dedicated key loading space in a controlled environment, or a similarly cumbersome operation, which is very complicated by design.

An inadequate certificate can easily end up in use: a technician makes a mistake during manual certificate generation, uploads the certificate to the system, and the system operates “just fine”. The effect of such an event can, however, be even worse. Using such a certificate can compromise the security of your system and open the door for intruders to penetrate it. In the worst case, a skilled hacker can find the vulnerability and access the system, or ransomware can be installed, forcing the client to pay a ransom to end a deliberate outage in the operation of the affected company.
