URGENT FOLLOW UP INFORMATION ON RMS JACKPOTTING
ONGOING RMS JACKPOTTING ATTACKS AGAINST RETAIL ATMS ARE STILL UNFOLDING IN DIFFERENT PARTS OF THE COUNTRY.
IT IS IMPERATIVE FOR ALL U.S. ATM DEPLOYERS USING RMS ON THEIR ATM ROUTES NOT TO ALLOW YOUR RMS SYSTEM TO CONTINUE RUNNING – UNLESS AND UNTIL YOU HAVE CONFIRMED THE RMS SYSTEM AND SOFTWARE ARE SAFE AND SECURE – IN ACCORDANCE WITH THE FOLLOWING INFORMATION AND ADVISEMENTS.
In a continuing effort to address the recent outbreak of RMS jackpotting cyberattacks against Independent ATM terminals in various states across the US, Hyosung and Genmega have recently updated their RMS Software to eliminate remote modification of the host IP Address where the ATM terminal is supposed to be directed for its transaction processing/communications.
If you have not already done so, please obtain and download these new software versions ASAP into your RMS Servers/ATM terminals. Although the new software is not a silver bullet or panacea, these latest modifications will help protect your route against RMS based jackpotting and should be downloaded as promptly as possible.
Prior to downloading the new software, it is also of utmost importance to have an ATM/IT/Security specialist conduct a thorough “audit/review/cleanup” of your RMS servers, desktops, laptops, mobile phones, and ATM terminals to ensure there’s no hidden malware already present in any of these systems/devices.
If you do not take this step first to identify any existing exposures and ensure everything is clean, your subsequent attempted fixes/updates may be ineffective.
As part of the “IT Security Audit”, it is especially important for you to have in place a robust and “Commercial Grade” Hardware-Based Firewall, behind which all your RMS Servers/CPUs and other sensitive ATM hardware/devices/systems reside and are protected.
To ensure the safety and security of your ATM route, you should take the following specific steps to protect yourself against the RMS based jackpotting attacks:
1. Make certain you’ve downloaded the latest manufacturer software into your ATMs.
2. Install a physical Commercial Grade Hardware-Based Firewall (a separate standalone “box”) on your RMS Server(s)/CPU(s) that is properly configured and secure, using U.S. branded chips only (no Huawei chips from China), behind which your RMS Server(s)/CPU(s)/Router(s) and all other sensitive ATM systems/software/hardware/data should sit. A Commercial Grade Hardware-Based Firewall designed for small-medium sized businesses will cost in the range of $1-4K – not inexpensive – but absolutely necessary to operate RMS safely on your route – and well worth the investment to avoid a much larger dollar loss.
Your Firewall configuration should only allow RMS traffic to/from your designated/approved ATMs’ static IP addresses and ideally not allow any other external connections to the RMS server(s). In addition, you should:
(a) enable the software based firewall that is included in your Microsoft operating system on the Server(s)/CPU(s) running your RMS software(s). Please ensure all your Server(s)/CPU(s) are running the latest version of Windows WITH all the latest Microsoft security updates in place;
(b) download and enable an additional software based firewall onto those Server(s)/CPU(s) running your RMS software(s); and
(c) download and enable the Microsoft + additional software based firewalls on all your other relevant endpoint devices (phones/tablets, etc.).
If you are required to utilize any remote access to your RMS Server(s), this should ONLY be done in conjunction with using a dedicated VPN connection and not using any open internet/wi-fi connection.
If your operations require multi-party access to your RMS system (i.e., ISO and Affiliates), this presents a significant security risk. To avoid this major potential exposure, such configurations require immediate consultation with a qualified network security specialist regarding the necessary use of VPNs, additional firewall(s), etc., in order to be safe.
3. Change all your default Password settings (for RMS and all other ATM operational systems/databases) in both your ATM terminals and on your servers/computers/phones, so the passwords are at least ten (10) (and preferably more) characters in length and use a random and not easily guessed mix of upper- and lower-case letters, numbers and symbols.
Do not write these passwords down anywhere on/in/around your ATMs in the field – or record them anywhere else other than behind a password restricted Commercial Grade Firewall. Change them at least once a year or in the event of any compromise.
4. Fully enable TLS communications between your ATMs and the applicable host processor(s) (check with your ATM & Modem providers for details on steps required). (Older software versions or inadvertent misconfigurations in loading the software may result in TLS being disabled or not working properly.)
5. Work with a lock company to change the core lock from the manufacturer default to control fascia and cabinet access.
6. Secure your communications boxes and routers, either inside the cabinet or in a controlled environment, so they are not visible or accessible to the general public.
7. Check with your insurance agent on your current cybercrime coverage, if any, and what coverage(s) may be available to you in the marketplace.
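Step 2(a) above (enable the Windows firewall on the RMS server) combined with the rule that only approved ATM static IP addresses may reach the RMS server can be expressed directly in Windows PowerShell. The script below is an added example, not code from NAC or from any RMS vendor; the RMS listening port and the two ATM addresses are placeholders you must replace with your own values.

```powershell
# Added example (not from the NAC advisory or an RMS vendor). Run as Administrator
# on the Windows server/CPU that hosts the RMS software.
$RmsPort      = 12345   # PLACEHOLDER: the port your RMS software actually listens on (vendor docs)
$ApprovedAtms = @('203.0.113.10', '203.0.113.11')   # constructed sample static IPs (RFC 5737 range)

# 1. Enable the built-in Windows firewall on every profile and block unsolicited
#    inbound connections by default (advisory step 2(a)).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 2. Permit RMS traffic only from the approved ATM static addresses. Everything else
#    hitting the RMS port falls through to the default Block action above.
New-NetFirewallRule -DisplayName 'RMS inbound - approved ATMs only' `
    -Direction Inbound -Protocol TCP -LocalPort $RmsPort `
    -RemoteAddress $ApprovedAtms -Action Allow -Profile Any

# 3. Verification: report any other enabled inbound Allow rule on the RMS port whose
#    remote address is 'Any'. Such a rule silently undoes the restriction above and
#    should be reviewed and removed.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq "$RmsPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            Write-Warning "Overly broad RMS rule found: '$($_.DisplayName)' accepts any remote address"
        }
    }
```

The hardware firewall in front of the server should enforce the same source-address restriction; this host rule is a second layer, not a replacement for it.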
==============================================
If your company does experience an RMS jackpotting attack, in addition to already having taken the above steps, it is imperative to immediately take the following additional remediation steps:
- Suspend use of and disconnect your RMS Server(s).
- Speak with your ISO/Manufacturer/Distributor to let them know what’s occurred and for advice on specific recommended remedial steps.
- Have an IT/ATM “hacking” specialist check your server(s)/computers/software files to identify and remove any malware and restore a clean environment.
- Speak with local law enforcement to report the specifics of the incident – being sure to use the term “RMS Jackpotting” in your written Police Report.
- Speak with your closest local/regional US Secret Service and FBI offices – being sure to use the term “RMS Jackpotting” in your incident reports.
- File an incident report with NAC’s new US SecureATM Database: https://secureatm.us/#report-incident
- Contact your insurance agent to determine whether any insurance coverage(s) may be available.
If NAC can be of any other assistance on these vital matters, as always, please do not hesitate to reach out for assistance. However, given the highly technical and company-specific nature of the issues involved, if you do have specific equipment or software related questions, we encourage you to please contact your ISO / Manufacturer / Distributor directly for the most expeditious and effective advice and guidance.
Thank You for Your Attention to this Important Information –
Please Stay Safe!
YOUR NAC STAFF