Since 1884, NCR Corporation has been at the forefront of the transactions that run the world around us. They are the #1 global POS software provider for retail and hospitality, and the #1 provider of multi-vendor ATM software. Team MalaysiaSAFE had the opportunity of speaking to Mr Jack Mannion, who is the Global Product Management Director and Leader of the NCR Banking Security Council within NCR’s Banking line of business. Mr Mannion also leads the NCR Security Council, which is constantly working towards product security strategy, defining product security environments with a clear objective to be the first responders to new and emerging ATM attack vectors. An extract of his interview is shared below:

MalaysiaSAFE: Kindly give a brief background about your company’s presence within the region.
JM: The company is headquartered in Atlanta, Georgia in the US but we have many offices around the world. We recently opened a new office in Kuala Lumpur back in August 2019, to consolidate all our Malaysian offices which were initially dispersed. Now, the new office will house our sales and services team. We also have a professional services team which will work with customers in terms of creating the correct software outlines; making sure that all systems are integrated properly. On the whole, we have a significant number of around 400 employees working in our Malaysian branch and that gives us a real foothold in this country. So, we are very proud of that.
MalaysiaSAFE: What are your company’s key products & services?
JM: We are the leading provider of self-service banking across digital, ATM and branch, providing multi-vendor software and ATM hardware with services. That is a major part of NCR’s business. NCR is quite a big company with over 34,000 employees and we do business in 180 countries. As such, we have different divisions that are based around the verticals which we operate in. We have always provided products and services for the financial industry up until about a year ago.
Now, we also have our retail and commercial products such as self-check-out and POS (Point of Sale) systems. That includes hospitality products which focus on restaurants as such. Whilst it might use a POS system, it involves the hand-held devices for staff to take orders. In that space, some of the products may overlap.
MalaysiaSAFE: What are the key verticals which you operate in?
JM: In Malaysia, 98% of our customers are in banking. We also provide services for the retail and hospitality industries. And we do a bit of telecommunications technology support services as well.
MalaysiaSAFE: Have the threats to ATM security evolved from being a physical issue rather than a cyber one over the last few years?
JM: An ATM is a box with cash inside. If you are a criminal, cash is a good thing to steal because it is not traceable. I think that is one of the reasons why you would still see physical attacks to an ATM because criminals are directly accessing cash.
Whereas in the sort of cyber-attacks, I would look at it as something which will happen at the bank’s data centre level. But for malware attacks, I would consider it as a local physical attack because the primary aim is getting all the cash out from the ATMs. Whatever types of malware used in the attack will infect the ATM, and ultimately the criminal will control and instruct the ATM to dispense cash.
MalaysiaSAFE: What are the latest trends of ATM attacks in this region?
JM: There are different types of threats globally, but the subset of what happens around the world usually paints the picture of regional threats; there is not really a place with a threat that is unique to them.
From my experience, skimming is probably the number one threat in terms of global activity, and that certainly has a presence in Malaysia. Interestingly, what I see less of in Malaysia but is trending globally, is where the criminals are exploding ATMs. They would blow off the ATM safe doors with either gas or explosive materials. That form of attack originally started in Brazil and in South Africa because there was easy access to mining explosive materials.
What we have seen in the last few years is that these types of attacks have spread and are now very prevalent in Europe. There have also been robberies involving explosives in Australia, but I rarely see it happening in Malaysia, so that is good.

"The one thing our security team at NCR is doing is looking into the future. We ask ourselves how do we take the opportunities away from criminals altogether, rather than finding ways to defend against threats."

MalaysiaSAFE: How do you provide support to your customers?
JM: We would support businesses in different ways depending on the attack vectors that we need to defend against. Let us take, for example, a typical physical attack like forcefully tearing the ATM off its mounting. What we can do is ensure that the ATM is anchored properly to the ground. That can be done traditionally with really big bolts, but there is also a method using concrete and steel plinth to reinforce the anchoring load.
If we are talking about a software type attack, then there are different software protections which include the deployment of whitelisting solutions, hard disk encryption as well as other measures to protect the BIOS and dispensers. These are needed so that if anybody tries to perform an offline malware attack or tries to put a fraudulent drive in, it would not work. If it is someone tapping into the communications channel to send criminal messages, we can encrypt the communication line that goes between the ATMs and the network.
So, we would discuss the criminal environment with the customers, and make recommendations on best practices. Every customer is different. We have customers that really understand the security and have all the protection, and therefore do not need help in this area as much. But we also have customers that are smaller and do not have a big security team. That is when we would talk about all the threats and the products which could help. At the end of the day, as long as the customers have the protection needed, it does not matter if customers decide on NCR’s products or from other vendors.
MalaysiaSAFE: Please tell us about your efforts in educating the market regarding ATM security.
JM: Every year, we hold the NCR Security Summit. It has been in London for the last six years, and for that, we would get global attendance. But, we felt that having it in London and expecting all our customers to come to us yearly was not the best way to do it. So, we would participate in regional conferences such as the recently held Asia ATM Innovation & Security Congress in Kuala Lumpur. There, we held a closed-door NCR event specifically for our customers, to discuss much more openly about ATM security. We plan to do the same in North America in 2020, and then the year after probably back to Europe.
MalaysiaSAFE: How do you anticipate the next big threat to ATMs?
JM: We talk to our customers and learn a lot from their experiences. We also do a lot of other things like participating in ATM association events, and participate in discussions with bodies that set industry standards for ATMs. All of these regular meetings give us the opportunity to bring our knowledge to the table, and it also gives us a great insight into what sort of threats could unfold next.
The other people that we engage with are law enforcement agencies. For example, we work with Europol in Europe and other law enforcement agencies in America. So, there is really no one place that we could get a good insight of what is coming next. We have to be involved in different avenues to get a holistic view of future threats.
MalaysiaSAFE: What is the most critical element in ATM security?
JM: It is hard for me to choose one as there are many areas of attack on ATMs. We have a series of public white papers to help our customers understand the attack trends and landscape. Recently we have provided an update to our public white paper that evinces the fifteen rules to lock down your ATMs to protect from logical attacks which can “jackpot” the ATM. Each of these rules is not product biased to NCR. It includes policies and recommendations on how best to protect ATMs. We have also published a new white paper on the evolving trends in card skimming and the methods of protection available.
Most crimes that we see do not involve cracking encryption. Rather, it involves the criminal finding a hole in the system. It is because in our industry, customers keep their ATMs working for several years. Now if you look at the technology today, if an ATM is twelve years old, the actual design work was probably done seven years earlier. So, what we have is a system that is manufactured in early year 2000, still operating in 2020. What criminals often do is pick on the old technology and the missing security features. And that is why we make recommendations on how best to protect earlier technologies from current threats.
MalaysiaSAFE: Is there a disruptive technology that could be worth investing in to improve ATM security?
JM: NCR has been working with ATMIA (ATM Industry Association) and other organisations on what we call the Next-Gen Architecture. It is an API (application programming interface) based architecture that is very flexible in terms of what banks can deploy and change in ATMs. And it is all being done with heavy security in mind.
As I mentioned earlier, one of the most common threats to ATMs is card skimming. This is predicated on having a magnetic stripe on the card. We believe that all magnetic stripes should be removed from cards, and replaced with a smart chip and PIN, or mobile transactions with multi-factor authentication. The way skimming works is that there is a magnetic stripe on the card that will always go into the same spot in the ATMs. So, criminals would plant their skimming devices there. If we take that opportunity away, and introduce a contactless transaction or even a smart chip, that form of skimming is eliminated overnight.
Another technology which we think should be considered is biometric authentication. We have seen where deploying this technology has been successful in other industries. If you look at airports like London Heathrow, there is already facial biometric authentication at security checkpoints. It works very well and it is seamless. Why can’t the same be done for our industry? So, we believe that there is a future for its use in the ATM industry.
MalaysiaSAFE: What can the industry do as a whole to improve ATM security in the long run?
JM: One of the ways is companies like us should work with PCI Security Standards Council and the CEN/XFS (European Committee for Standardisation for financial services) to develop and adopt security standards for the devices which drive financial institutions. This allows for a multi-vendor interaction between different machines with the same security standards.
For example, right now, when a financial transaction takes place at an ATM, the host of the system at the bank would instruct the machine to dispense cash. But for that message to get from the host to the cash dispenser, it involves various communications and handoffs down the chain. These communications have points of vulnerability.
What we would like to see is a command that is encrypted, and the only place that command is accessed is when it is decoded at the cash dispenser level. So, to try and make that real, we need organisations like the CEN/XFS committee to agree to forge it as a standard for financial transactions.
MalaysiaSAFE: Can there be a global standard of ATM security since it involves a common interest?
JM: To some degree, most banks in the world are already PCI standard compliant. However, I think a single standard could be taken too far at times. Because the bad guy only has to break in once, and he has broken into everyone. So, there needs to be a balance with having a common standard which minimises cost and the vulnerability in ATM networks, versus having just one door to break in.
I think where the market is today, with the CEN/XFS for that platform connection, and PCI for how the ATM environments run, it is already quite good. But we need to add things like the direct authentication in command at the cash dispenser level.
MalaysiaSAFE: What initiatives will your company charter for in 2020?
JM: We have six strategic growth platforms which go across banking, commerce and hospitality industries. Things like software as a service is an example of what we want to do to expand our business portfolio into retail and hospitality.
From a geographical point of view, we see Malaysia as a very good place because it is at the center of Southeast Asia. NCR has the technology that makes it simple for banks and credit unions of all sizes to offer connected experiences anytime, anywhere. So, the consolidation of our offices in Kuala Lumpur will definitely bolster our presence within this region and allow us to target new growth opportunities in retail and hospitality business beyond banking.