Automated Cash Handling and Payment Processing Systems

The cash & payment systems audit target (ATM and POS systems, for example) consists of complex applications that function as electronic banking systems. Detack GmbH has built specialized IT security audit modules for ATM and POS systems, their interfaces and their applications, based on previous projects performed for clients active in the banking, cash and payment processing environments.

The audit targets all the components used to build the ATM / POS infrastructure. All tests assume one of two perspectives: a local bank employee or opportunistic attacker with access to the local network, or an anonymous external attacker targeting the communications system. Because the bank terminal cannot be analyzed independently of the central authorization system, especially with regard to the communication protocols and the messaging system, further testing procedures complete the audit.

The security of the bank terminals and of the customer's site (the DMZ services responsible for cash management and operator functions) is also in the scope of this audit module. These procedures are necessary for determining any communication-protocol, system or application flaws affecting the customer.

The test structure is built around a customization of the Detack e-Banking Services Audit, Internal Security Audit and Standard Security Audit modules. Elements from all the mentioned modules are combined to provide the most effective coverage of the specific type of environment under scrutiny. The resulting modules are:

Detack Security Audit for ATM / POS – Infrastructure and Security Design
Detack Security Audit for ATM / POS – Bank Communication End / Central Authorization
Detack Security Audit for Payment Terminals (POS)
Detack Security Audit for Cash and Multifunctional Terminals (ATM)


These modules will be adapted to the customer's requirements for each specific test environment. For example, the audit of a multi-bank environment is significantly different from that of a single-bank system.


The security audit is designed to answer the following abstract questions:

 Is it possible to take over or otherwise compromise a running terminal by exploiting various O/S deployment and configuration vulnerabilities?

 Is it possible to take over or otherwise compromise a running terminal by exploiting security vulnerabilities in the management interface (both standard and custom-developed components)?

 Is it possible to take over or otherwise compromise a running terminal by exploiting security vulnerabilities in the operational software (either vendor-provided or the customer's own cash management applications)?

 Are there any hidden elements with potential security implications in either the vendor's or the customer's applications running on the terminals?

 Are there any latent elements in any of the software components deployed on the terminals (not currently enabled, but implemented) with security implications in case of a future activation?

 Is the identity verification of the terminal by the customer's central authorization system securely implemented?

 Is the identity verification of the customer's central authorization system by the terminal securely implemented?

 Is it possible to compromise the security of the cash management (including recycling), transaction and authorization system by exploiting flaws in the implementation of the communication between the terminal and the other participating systems (DMZ)?

 Is it possible to compromise the security of the cash management transaction and authorization system by exploiting flaws in the messaging protocols between the terminal and the other participating systems (DMZ)?

 Is it possible to impersonate any of the communication ends, and to what effect?

 Is it possible to affect the reliability of the logging system and user accountability by exploiting any of the above potential flaws?

 Is it possible to compromise the safety of any terminal by performing side attacks against the operator consoles and taking over the operator access in any given bank?


The security audit also answers the following questions, as needed for determining any issues related to the central authorization systems:

 Is it possible to exploit network, system and standard software flaws in the customer's central authorization system as seen by / from the bank terminals (not the entire system, but the DMZ systems available to the bank terminals)?

 Is it possible to exploit application layer flaws in the customer's central authorization system as seen by / from the bank terminals (not the entire system, but the DMZ services available to the bank terminals)?

 Is it possible to exploit standard and application layer flaws in the DMZ operator services present in the customer's central authorization system as seen from / by the bank operator?

 Is it possible to transgress the DMZ layer protection for the connected banks and affect the other layers, either by exploiting network flaws or application layer vulnerabilities?

 Are there any undocumented systems available to the bank terminals via a VPN / PN which could be used to affect the security of the cash management or payment framework?


Sample testing procedures:

Workflow / Data Flow Analysis / ATM/POS Administration
Analysis of the working processes and how they are reflected in the data flow and processing; target-specific workflow analysis covering activation, customization and key management; identification of systems used for or auxiliary to ATM / POS control and management; security analysis of the local and remote management procedures.

Terminal Security Test / Standard Layer
Performance of a full security audit, as detailed in the Detack Standard Security Audit procedures, against the ATM / POS and operator console systems and the customer's DMZ systems, targeting the standard components and network security.

Middleware Security Test / Application Layer (Multi-Bank Environment)
Performance of a full security audit, as detailed in the Detack e-Banking Security Audit procedures, against the relevant / reachable customer DMZ services for both cash management functions and system operation; exploitation of application layer flaws for bypassing the DMZ / middle-tier protection and targeting the backend systems.

ATM Security Test / Application Layer
Performance of a full security audit, as detailed in the Detack e-Banking Security Audit procedures, against the ATM / POS system and the services running on the hardware platform. This also covers the remote terminal management and monitoring.

Application Code Analysis
Full analysis of the application software running on the terminal systems, both the vendor's and the customer's / bank's own applications; determination of any hidden or latent components with security implications.

Communications Security Analysis
Communication protocol security analysis, messaging system security and implementation of the transaction management; peer identity verification analysis and performance of impersonation attacks for both ends; additional coverage and research of the middleware to backend communication.

Specific Testing
Testing based on specific services, to be defined during the testing procedures based on gathered data; additional specific testing from the operator's perspective for assessing the misuse detection systems, data logging features and accountability data storage for logical or implementation faults; side attacks using the bank operator consoles.

© 2000-2011 Detack GmbH. All rights reserved.