
COMMERCE NOW

by Diebold Nixdorf

A podcast dedicated to topics impacting the world of connected commerce and consumer-centric solutions, from banking to retail and all the payments and fintech in between.

Copyright: 2019 Diebold Nixdorf, Incorporated. All Rights Reserved.

Episodes

Security - 2018 Year-in-Review

20m · Published 05 Dec 16:23

Summary:

In this podcast, Scott Harroff and Dave Phister look back on some security-related topics from 2018. They also touch on a few things you might want to think about as you head into 2019: how best to protect yourself from organized criminals attacking your ATM fleets and, even more so, your gas pumps.

Resources:

Blog: Security: A Changing Industry Requires A Changed Approach

COMMERCE NOW (Diebold Nixdorf Podcast)

Diebold Nixdorf Website

Transcription:

Scott Harroff: 00:00

Hello again, I'm Scott Harroff, Chief Information Security Architect for Diebold Nixdorf. I'm your host for this episode of COMMERCE NOW. Today I'm joined by Dave Phister, Director of Security Solutions for Diebold Nixdorf. I'd like to spend a little bit of time here today walking through some of the things, towards the end of the year, that we thought you might find interesting, and a few things that you might want to think about as you're heading into your new year. Dave, what surprised you in 2018?

Dave Phister: 00:30

Well, I think the first thing that surprised me, Scott, is the emergence of you as the Diebold Nixdorf podcast host superstar. You splashed onto the scene here from an industry standpoint, and really took charge of the security topic, and helped us talk through this very important topic for our industry. So that's first and foremost.

Second, realistically, nothing's really surprised you or me, I don't think. We spend all our days focused on security, anticipating and forecasting. A couple of things do stand out, certainly, as I think back through the year. We rang in the new year with a bang, certainly coming out of 2017, with the emergence of jackpotting and malware in the Americas. Certainly not a new scenario to deal with, but in the Americas it was quite a surprise.

So certainly the beginning of the year was focused on malware. Specific to malware, just a point to remind our listeners: it really has exploded onto the scene. As we've indicated in previous podcasts, the number of ATM malware variants is expanding almost on a daily basis.

As I indicated on our last podcast, this ATM malware is available for sale on the dark web. It's in the aisle right next to the stolen credit card information. So it's sold as a technology, just like we're trying to sell technology to defend against it. So certainly, I think that's a key takeaway from this year: really the explosion of ATM malware in this space.

Then secondly, Scott, I was pleased, very pleased, to see a lot of collaboration this year between public and private industry. I know you have engagements with the Secret Service, FBI and local law enforcement. But there were several communications that came out through the industry: the FBI warning. In August there was another warning, and in October the FASTCash Hidden Cobra. I think you remember. I think it's a great example of what's happening not only in our industry, but in other industries from an information security standpoint.

I think that type of collaboration, that type of awareness, that type of sharing needs to continue, because it's only going to help you and me. It's only going to help our customers, whether it's the banking or the retail space. So just a couple of things that I've taken away, certainly, from this year. What about you, Scott? Where do you see our industry struggling, let's say, at this stage of 2018?

Scott Harroff: 03:16

Well, first I want to thank you for acknowledging me as the king of podcasts in 2018, Dave. I appreciate that very much.

Dave Phister: 03:24

It's my pleasure.

Scott Harroff: 03:24

I then have to acknowledge you as the best co-host of these podcasts, and the second most popular person in the world. Thanks to all the other folks that have joined us on past podcasts. They've really made this more than just a speaking conversation; they have made it very interesting and very dynamic. So thank you very much for that.

Relative to 2018, I wasn't really surprised that the organized criminals kept becoming more and more sophisticated. I think our industry, Dave, is struggling around how to share information. If we look at some very large financial institutions, I won't even pull names out of the air, but individual large financial institution A knows a lot about the fraud that they see in their environment. Large financial institution B knows about theirs, but they really haven't shared anything with A. So even though they could've, quote/unquote, helped each other, that really wasn't in place.

What you referred to, with private and federal coming together, is really, I think, very enlightening and very well received. I've talked to handfuls of financial institutions about this new alliance. By the way, for those that don't know what Dave and I are referring to, we're talking about the National Cyber-Forensics and Training Alliance. That is kind of an amalgamation between the FBI and Secret Service and really almost any large, medium or small financial institution that can give them data about what they're seeing, so they can do two things.

One, respond more quickly to what's happening. The sooner they know about a bad guy being in a certain area, the quicker they can react to the bad guy, and hopefully either capture them, or at least reduce the losses that could be going on out there.

Another thing that I think we're struggling with is really understanding the dynamics of the fraud. For example, everybody who has an ATM is all focused in on ATM skimming and ATM security issues. They're thinking, "Oh, I've got to do all these things at my ATM to keep from being skimmed," quote/unquote. But one of the things that we've learned, working through the International Association of Financial Crimes Investigators as well as the NCFTA, is that, guess what, gas pumps have taken the lead over ATMs.

Now, our average loss on an ATM is somewhere in the neighborhood of $60,000 per skimming event. But if you manage to get a skimmer onto a gas pump and you're effective, you can get $100,000 to $200,000. In watching the videos of these attacks on gas pumps, it's even quicker and easier to install a skimmer on a gas pump. So yep, skimming on ATMs is still an issue, but it's migrating over to the gas pump channel, because it is twice as profitable for the bad guys, and apparently less likely to get caught.

So I think that's one of the things: our industry is looking at itself, and it's not looking into the other channels, like gas pumps and point of sale, gift cards, and things of that nature. I think if you're a fraud investigator for your financial institution, adding in those other things would be a really important thing to look into.

I talked a little bit about where we saw some success: local law enforcement and federal law enforcement cooperating, the new exchanges coming out to share information. Some new techniques are coming out. Where have you seen success, Dave?

Dave Phister: 07:02

Yeah, that's a good question. I believe that, as you know, crisis creates opportunity. Unfortunately, many times it takes a crisis to increase awareness, get the visibility, and the recognition that's necessary. So certainly we've seen the jackpotting and the malware attacks that we're very familiar with here in the last several months create an awareness with our customers that security is certainly very important.

We talked during the Zero Trust webinar about endpoint security certainly being important. The cash is sitting there off the end of the network, but some of those, the FBI FASTCash Hidden Cobra attack situation, was really an attack at the payment application switch... or, actually, that's a masquerading or spoofing attack. That is an indication of the fact that security applies not just to the endpoint; it has to apply all the way back to the host.

Zero Trust Security

29m · Published 27 Nov 14:24

Summary:

This podcast on Zero Trust security is an encore to our November 15 webinar, during which Dave and Merritt explored the architectural concept of Zero Trust and discussed how it can be leveraged by financial institutions to gain tighter control of ATM networks. Today, we take a deeper dive into a few of the questions we received during the live webinar, and into actionable outcomes to consider when applying this concept to your operations.

Resources:

Research Report: The Forrester Tech Tide: Zero Trust Threat Prevention, recently published in the third quarter of 2018. Download a copy today.

Blog: Our Commitment to You as Our Security Partner

COMMERCE NOW (Diebold Nixdorf Podcast)

Diebold Nixdorf Website

Transcription:

Scott: 00:00

Hello again, I'm Scott Harroff, Chief Information Security Architect for Diebold Nixdorf, and I'm your host for this episode of COMMERCE NOW.

Today I'm joined by Dave Phister, Director of Security Solutions for Diebold Nixdorf, and guest speaker Merritt Maxim, Principal Analyst for Forrester. Today we're going to discuss an interesting concept, zero trust security. This podcast is actually an encore to our November 15th webinar, during which Dave and Merritt explored the architectural concept of zero trust, and discussed how it can be leveraged by financial institutions to gain tighter control of ATM networks.

Today we want to take a deeper dive into a few of the questions we received during the live webinar, and into actionable outcomes to consider when it comes to applying this concept to your operations. A link to the webinar replay can be found in the podcast show notes. If you'd like to learn more about this topic, we'll give you a little bit more about this in a few minutes.

With that, I'd like to welcome Dave and Merritt. We're happy to have you on the show today.

Dave: 01:04

Yeah, thanks Scott, excited to be here today as well, appreciate that. And also thanks to Merritt for being with us here again today to talk about zero trust and ATM security.

Merritt: 01:15

Yeah, and thanks Scott and Dave for having me. I'm looking forward to our discussion here.

Scott: 01:19

Right, so let's dive right in. As I mentioned, there was a lot of useful information provided during our zero trust security webinar, but one question was asked by several webinar attendees, which was: can you summarize, and give me bullet points, which would provide me a list of the key things I can do right now to help safekeep my ATMs?

So where we're going to focus our time today is on looking at that. And we're going to go through each of these individual bullet points. I know each of you has some areas you'd like to highlight. So let's get started with Merritt, and his thoughts on topic one, which is controlled access.

Merritt: 02:02

Yeah, sure, thanks. So I think, as kind of a backdrop to this, it's important to realize that although we are increasingly moving to a cashless society, ATMs are still a relevant part of our daily lives, and we still use them, and have to rely on them for a variety of purposes. But because they're still relevant, it also means they're still active in the public, and they store cash, which is still a useful target for hackers. For all the talk about cyber attacks, and malware, and viruses, the reality is there still are numerous instances of people physically just trying to get access to an ATM to actually steal the cash out of it. A much more low-tech way to... instead of trying to, say, steal credit card numbers or Social Security information online.

And what this means is that organizations do need to think about securing the physical asset itself. And this is increasingly, I'd say, problematic, because the traditional model where the ATMs are only located within the branch is not necessarily the model now. They're located everywhere: they're in airports, they're in hotel lobbies, they're in convenience stores, or at gas stations. Those are all in the name of providing convenience, but that also means that those assets are now potentially more accessible to a greater part of the population, which may be inclined to try to steal the currency out of the ATM itself.

And so what this means is that as you distribute and extend your ATM network, you can't overlook the need to just control and manage physical access to the machine itself. So that can include everything from verifying who actually has access to the system, whether they're going there to do maintenance, or whether they're part of the courier that actually is putting in new currency, or reloading the ATM at some interval. And also looking at what kind of locking mechanisms we now need to have in place to actually secure the head compartment of the ATM itself.

So again, these are all measures that have been in place for some period of time, and which companies have already been using, but it never hurts to stress the importance of doing this, because the ATM is still a target. And from an IT side, you can also begin to look at logging all of your maintenance activity on those machines as well. There's still the possibility of potential insider abuse: maybe someone who actually has access to ATMs may be sharing that credential with somebody else in exchange for sharing the proceeds of a theft. And again, having logging and various analytic mechanisms in place to track and monitor the usage and alert when there is unauthorized access. So if you see a maintenance call on a device outside of its normal operating windows, you can flag and eventually block that device, and then maybe use the video analytics that are embedded into the ATM itself for forensic purposes, to follow up with law enforcement.

But these are all, I think, useful things, and it never hurts to stress the importance of looking at what kind of measures you should be putting in place to actually control access to the asset itself, because that's ultimately going to help minimize the risk of fraud or attacks against the infrastructure.

Scott: 05:03

Excellent. So Merritt, I spent Wednesday and Thursday of last week in Pittsburgh with the Secret Service, FBI, and a lot of really high-profile banks and credit unions, talking about the strategic and tactical points around ATM security, and skimming around ATMs, and gas stations, and a lot of different areas. So let's focus a little bit on talking about the endpoint security aspect. So Merritt, can you share a little bit with me around how endpoint security should be addressed?

Merritt: 05:40

Yeah, absolutely. And it's a good point to raise. When we talk about threats to the ATM, we've certainly seen instances of card skimming, or card readers that are inserted into the terminals and used to capture credit card data. But we're also seeing scenarios; there was a large ring that was arrested or discovered last year, mostly in Europe, that was actually attacking the banks' back-office systems, and using that to actually issue, literally just spew out, cash at designated ATMs at certain periods of time for criminals to collect. So the point is that the ATM is connected to your network, it is a valued part of your network, but because it's connected to the network, it also means it's potentially vulnerable to exploitation, either through skimming-type things at the endpoint itself, or through lateral movement from hackers who have gained access to your network elsewhere, and are trying to move either towards a specific ATM or class of ATMs, and use that to make it behave abnormally, which may allow them to actually extract cash from that ATM.

And so this means you need to follow many of the same kind of best practices that you follow for traditional, say, desktop endpoints, whether it relates to keeping your operating systems up to date and patched, and making sure that you're not running legacy or outdated code for which a zero-day exploit may actually be available, and may be able to be utilized. You could also include at the ATM endpoint actually h

All Things Connected Commerce

12m · Published 21 Nov 15:43

Summary:

Devon Watson and Michael Engel discuss all things Connected Commerce. In this episode, both touch on the unparalleled services and technology that are essential to evolve in an 'always on' and changing consumer landscape.

Resources:

Blog:
Connected Commerce: It’s Not Just for Retailers
Exploring the Path to Connected Commerce

Advertorial:
Michael Engel on Pymnts.com

COMMERCE NOW (Diebold Nixdorf Podcast)

Diebold Nixdorf Website

Transcription:

Devon Watson: This is COMMERCE NOW. My name is Devon Watson, Chief Marketing Officer for Diebold Nixdorf. Really excited this week. We have Michael Engel here with me. We're in Phuket, Thailand, meeting with our Asia Pacific team and talking about all things connected commerce. So Michael, if you could please just give us a quick intro, tell us a little bit about what you do with the company. You and I bump into each other all over the world. Give us just kind of a quick background: who you are, what you do.

Michael Engel: Well, my background has been in software all my life, more or less my professional life, and in banking. So I've been traveling around the world talking to different customers, and my job is officially being responsible for our software sales globally in banking. But the nice side effect of that is that you can talk to customers and you listen to customers, and having that privilege, getting so much knowledge from the different geographies, and then being able to consolidate all of that and drive that back into our R&D organization, that is the fun part really of the job. So really getting to know what is happening in the market, what the concerns of our customers are, but also seeing the different cultures, the different drivers in those markets, really bringing together that knowledge that we can then utilize and transform into innovations and products and solutions. So that's what it's basically all about.

Devon Watson: Yeah. So you're kind of a really important glue between the customer base and the product/R&D organization, which is just a fantastic place to be in. You obviously are in a global role. So I imagine that you might have a fantastic frequent flyer mile account. Do you know how many miles you did last year meeting with customers?

Michael Engel: A bunch. So, accumulated, they're probably in the seven-digit number. So I'm not truly sure if that's a good number. Yeah.

Devon Watson: It's kind of like winning the race that you never wanted to enter. Exactly. Exactly. Well, so this customer connectivity, right? The amount of time that you spend around the world meeting with customers. Can you give us a little bit of flavor about the fintech revolution? Right. So I think last year there was something like $26,000,000,000 that went into financial technology startups and innovation, and a lot of the customers that I talk to at conferences and in my travels, they're wrestling with how do they respond to that? How do they incorporate that? Can you tell us a little bit about, you know, what you're hearing around the world?

Michael Engel: Well, I strongly believe that fintechs are a positive disruption of our industry. The reason why I say this is banks are there to provide the element of trust, which is very good and very important. However, in the past, due to regulations, and also the tendency as human beings to stick to the known, and that's also in business and the business processes, created an environment where, although banks were very sound organizations, they were also very hard to move. And if we look into our society today, then technology has made an amazing thing happen. And that is the cadence and speed of innovation that we see today. So if you look into the past, then you had, like, every hundred years a major invention, then every 50 years, every 20 years, every year, and now we're not talking years anymore. It's really down to months or weeks or even days when you see the new and next thing coming up.

Michael Engel: So that speed of innovation at the same time is a very good thing, because it's enabling us today with utilizing that technology. So just think about what you do today with your smartphone or your tablet in terms of ordering your ticket for coming here, checking in, organizing transportation to the hotel, getting recommendations where to dine and where to stay. So you basically organize everything that took, in the past, a couple of weeks to prepare that trip. You do that in a couple of clicks. So that enablement is what people like today. This is what people want, but that is also what they know, because in every commercial transaction there's this financial element involved. Now they expect also from the bank to support that. So this is the big challenge, where now these fintechs are coming in and say, okay, here is a little sweet spot, and we create, based on that technology, a solution for that particular sweet spot. Which is good, because that gives some, or brings some, dynamic into this whole world. At the same time, it starts a thought process within the bank to say, okay, we need to be in a similar way like those fintechs. So how can we embrace the results coming out of the fintech, how can we integrate that into our own IT environment, and how can we even leverage our strengths of the element of trust, being a sound financial organization, and that speed of innovation, and bring all of that together?

Devon Watson: That's the real trick, right? So at a corporate level, you know, we've engaged in some different ways in this wave ourselves. So we're a member of Fintech 71, which is an accelerator primarily for financial technology companies, bringing together a bunch of different innovation hubs in the U.S. We're also a member of workbench, which is a venture capital and startup innovation fund in New York City, and we're working with startup companies and large companies as well in the R&D portfolio. Clearly, so, you know, we're engaged in it. The banks are engaged in it. When you talk to a customer, for the bankers listening to us, you know, what would your advice be on how our customers and Diebold Nixdorf can work together to kind of ride this wave, navigate it as partners?

Michael Engel: Yeah. You mentioned the term glue in the beginning in terms of how we transform, so to speak, knowledge that we pick up from the market and bring that back into our own organization. In a certain way, banks need similar glue, because on the one side they sit on a wealth of data and information about what we do as customers with any financial transaction that we execute. Well, leveraging that information is still yet to come. Second thing is you have all this existing financial information, including the business processes, sitting in different core banking systems, but they're very much siloed, so there's not much connectivity between data in one bucket and the data in another bucket. And if you think about the evolution of the IT industry, it's all about taking data, taking processes that are manual today and automating them, and really bringing this together is the fundamental idea of what we do in connected commerce.

Michael Engel: So we're kind of the glue bringing all of these elements together and bringing that to the end consumer, because that's the important thing. So how can we get better, more automated processes to a customer? Because to me it's beyond the traditional view of you have a bank and you have a fintech, the fintech as the innovator that shakes things up and lets you think, to innovate and to thrive. Now, some of the technologies that are used in there, like the whole idea of the API economy, blockchain, all of that, these are just enablers, but these enablers go beyond the financial industry per se. It involves us as consumers. It involves every solution provider or retailer or merchant that's out there, because in any transaction we don't think banking. We think buying a car, getting a new house, I'm traveling to Phuket now. That is what we want to do, and in this consumer customer journey we need to involve a sort of financial transaction, whether that's buying a flight ticket or whether it's getting the mortgage for the house.

Michael Engel: If we bring those elements together through an API economy, that is what really consumers are expecting from us, and this is where I also see the role of the bank being that aggregator, being that glue. And as a service provider, we need to provide the frameworks, the components that make that process faster, so banks will not start from scratch building that way. So they are looking to guys like us to say, okay, is there something in the box that is open source technology, that are prebuilt components, that are frameworks, that are tools, that are interfaces precertified based on all the government regulations that you have from around the world, services that you can give me to gain more speed to acce

Reducing ATM-Related Fraud

18m · Published 18 Oct 12:00

Summary:

Physical and cyber attacks against ATMs receive a lot of coverage, but they are not the only ways in which criminals can empty an ATM of cash. Transaction reversal fraud is one example of a manipulation of loopholes in transaction processing rules to steal cash, but it requires little to no tampering with the terminal. This episode will cover the latest process/communication manipulation fraud methods and news, as well as how to stop these attacks. 

Resources:

Blog:
Changing Risk, Risking Change: Security at the ATM
A Look at How ATM Security Has Changed... and How It Hasn't

Whitepaper:
Managing ATM Security

COMMERCE NOW (Diebold Nixdorf Podcast)

Diebold Nixdorf Website

Transcription:

Amy Lombardo: 00:00

Physical and cyber attacks against ATMs receive a lot of coverage, but they are not the only ways in which criminals can empty an ATM of cash. Transaction reversal fraud is one example of a manipulation of loopholes in transaction processing rules to steal cash, but it requires little to no tampering with the terminal. This episode will cover the latest process and communication manipulation fraud methods and news, as well as how to stop these attacks. I'm Amy Lombardo, and this is COMMERCE NOW.

Scott Harroff: 00:43

Hello again. I am Scott Harroff, Chief Information Security Architect at Diebold Nixdorf and your host for this episode of COMMERCE NOW. Today we are live from the TAG PIX event in Las Vegas. I'm joined today by a very special guest from First Data, Mr. John Campbell, Director of STAR ATM Acceptance.

Welcome, John. I hope your experience here at TAG PIX has been a good one so far?

John Campbell: 01:04

Yes, it's always a pleasure to be here at TAG's hut. This is actually my 13th year, and I look forward to it every year to get some great information from the vendors and the clients themselves.

Scott Harroff: 01:15

Yeah. I think I've been coming here, John, for about 15 years. I've probably bumped into you at one of those first early sessions. Great seeing you here every year for all those years, year over year. Hey, before we dive into some questions on reducing ATM-related fraud, tell us a little bit about your background, positions you've held. What are you doing these days?

John Campbell: 01:36

I spent about 15 years working at Virginia Credit Union. I was a longtime TAG member. In a previous life, I was an accountant who actually settled the debit networks before jumping into ATM operations back in 2005. TAG attendee for 11 years. During those times, presenter and director on the TAG board from 2010 to 2015. Back in those days, I was responsible for the ATMs and debit processing for the credit union. These days, I work for First Data in Atlanta. I'm Director of STAR ATM Acceptance for the STAR network and work closely with First Data processing, the ATM acquiring side of the business, ISOs and FIs. I am currently a member of ATMIA, the US Payments Forum ATM Work Group, and the National ATM Council.

Scott Harroff: 02:17

So what you're saying, John, is you've been around a little while and you've seen a few things when it comes to ATM fraud?

John Campbell: 02:22

A couple.

Scott Harroff: 02:23

All right. Having been on both the FI side and now working for a transaction processor, how would you describe the state of ATM security today?

John Campbell:                 02:32                    

Fluctuating, evolving, and sometimes growing. We are better at what we used to do, but so are the bad guys. When I started in ATMs in the early 2000s, the biggest scares we had were the occasional ram raid and the old Lebanese loop capturing cards at ATMs before DIP readers came into existence. The move from OS/2 to Windows started bringing all sorts of different degrees of cyber attacks and logical attacks on software that we had never seen. But they were still sporadic and slow. But now it seems that even after all the security enhancements we've done, EMV, encrypted hard drives, point-to-point encryption, the attacks seem almost constant and even renewed. I think some of that's also from the fact that criminals are not just attacking the ATMs logically, but they've gone back to the low-hanging fruit of ram raids and cash trapping. The cashouts that made a lot of news the last couple of weeks with the FBI. A lot of it was from best practices just not being followed that had been out there for years. It's still a very fluid environment.

Scott Harroff:                     03:40                    

Yeah. That's about the same thing I'm seeing. When you say EMV's out there, I just got done talking to customers where they were charged back several hundred thousand dollars, because they had made the decision, "Maybe I won't implement EMV. What's the worst that could happen if I don't spend all that money to do the upgrade to EMV?" I've had quite a few of them where they didn't spend the money, and now what's happening is larger financial institutions are coming back. They're saying, "Hey, we detected this fraud. The only thing in common is your ATM, so why are we getting all these non-EMV transactions from our customers that have EMV cards off your ATMs?"


It's the same thing with TLS, John. I've watched TLS roll out. Your network was one of the early adopters of rolling out the TLS protocol. But at the same time, there were some really big FIs out there that still haven't turned it on. There are some big networks that haven't turned it on. It's interesting to me that some folks are really thought leaders in the industry and get stuff done, and some others tend to be a little bit more of a laggard.


What security risks do you see as they pertain to FIs and processors, or even processes in communication protocols?

John Campbell:                 04:53                    

Well, I think, first, as an industry, what's really been hampering us is the fact that we have no problem jumping on the barbarian at the gate, but then we go back to sleep behind the walls. We're seeing that over and over again with skimming and then EMV. We ramp up, a lot of the earlier adopters go, and then we seem to just get lulled back into sleep.


I take it back to Ploutus coming out with the malware when that was rearing its head in the 2013 timeframe. Diebold and other industry leaders came out and said, "Here's best practices. This is what you need to implement to protect yourself." And it got quiet. In early 2018, suddenly a variant, Ploutus-D, comes out. It hits some ATMs in the country, and everyone's panicking. Everybody's freaking out. "What do I need to do?" And you're sitting there thinking, "The best practices that would have protected you were put out there five years ago, and you just didn't do it." And some of them were physical, top hat security, and some of them were logical, just default passwords. Somehow, here we are in 2018, and it's still a problem. That really blows my mind.


But one of the bigger steps I've seen that's actually moving the ATM industry into a good spot is, as you were saying, that point-to-point encryption of the data between the ATM and the host to prevent man-in-the-middle attacks. Folks forget that, even in an EMV environment, there's still data that's visible out there. I mean, we're still in a US market that's routing by BIN tables, even though you have the EMV protocol in the ATM. So whether it's an ISO ATM or an FI, you can still do man-in-the-middle attacks, still attack the data. So seeing MPLS communications at the routers and hosts was great, but now we need to protect those small spots where the criminals are still attacking. Because even with EMV, MFA, and tokenized PAN, there is no reason we should be sending any data in the clear anymore, and it's still happening. Those that have been, before, what you said, First Data and STAR, it's starting to pick up, but I'd like to see it pick up at a faster pace.


The one that's bypassing all these security protocols is account takeover. It's still a real problem, and it truly does bypass th

Human vs. Machine: How Can They Co-Exist?

22m · Published 10 Oct 16:55

Overview:

In this episode we will discuss how Financial Institutions can bridge the physical and digital worlds to create a convenient, unique experience for their customers.

Resources: 

Blog:

COMMERCE NOW (Diebold Nixdorf Podcast)
 
Diebold Nixdorf Website

Transcription:

Amy Lombardo:                00:00                    

Hello again, this is Amy Lombardo, your host for this episode of COMMERCE NOW. Our title is cleverly named Human Vs. Machine: How Can They Coexist? And I'm joined by Chris Gill, our Senior Director of Global Advisory Services. We are going to have a conversation all around the concept of the human interaction and how it finds that balance with the ATM. Hey, Chris.

Chris Gill:                             00:00                    

Hey, Amy.

Amy Lombardo:                00:28                     

Thanks for joining me.

Chris Gill:                             00:29                    

Glad to be here.

Amy Lombardo:                00:30                    

Before we start with our questions, let's just talk about the term "branch transformation," okay? It's been the buzzword in the financial industry for, what, 10 plus years?

Chris Gill:                             00:41                    

Mm-hmm (affirmative), mm-hmm (affirmative).

Amy Lombardo:                00:43                    

In 2018, what does branch transformation mean for bankers?

Chris Gill:                             00:48                    

Well, I think increasingly it really means the transformation between the physical as well as the digital channels. I mean, 10 years ago, if you thought about branch transformation, we didn't have the adoption of mobile banking back then and as much online banking, and the sophistication of what you can offer on a self-service device today. Branch transformation today means, I think, something different than it did 10 years ago. It's really about that connection of the human versus the physical channels in a branch environment, and how you transform not only the technology, but also the way you engage with customers and the experience that you provide is really part of what branch transformation is all about today.

Amy Lombardo:                01:30                    

Even though it means something different, it's still relevant, right?

Chris Gill:                             01:35                    

Yes.

Amy Lombardo:                01:36                    

You're still having the number of conversations that you would have had 10 years ago, it's still the same now, right? It's just bankers are asking for maybe different solutions, different recommendations?

Chris Gill:                             01:48                    

Well, the reason why it's still relevant is still that a significant percentage of institutions have not yet transformed their branches. Because there are a lot of legacy branches, older branches where it's not as easy to transform those as opposed to newer locations. If everyone had transformed their branches, we wouldn't be having this discussion today, but a lot of institutions still haven't made the difficult decisions to really change the way their branches operate today.

Amy Lombardo:                02:17                    

If they haven't made those decisions, is it because of the size, the number of locations that they have? Does that play into it as well?

Chris Gill:                             02:27                    

Well, for some institutions that maybe have a lot more branches, that could be a factor. I do think a lot of it is around the leadership of the organization and the strategy they want to pursue ...

Amy Lombardo:                02:38                    

Got it.

Chris Gill:                             02:38                    

... and their willingness to make some hard decisions and move forward with a new program. There's a lot of inertia in the banking industry that just leads to the pace of change taking a long time. Also too, there are a lot of legacy systems that impact your ability to transform your branch, and making changes to those is very time consuming, so a number of different factors.

Amy Lombardo:                03:00                    

Got it. Okay, so you and I, we're sitting together, we're here in Las Vegas. We happen to be running this podcast live from our TAG PIX event. I'm looking over some of the content of a presentation that you had given, and we're talking about an FI having a comprehensive analysis to help understand their branch technology roadmap. You are talking about four steps in this technology roadmap. Can you walk-

Chris Gill:                             03:29                    

Sure.

Amy Lombardo:                03:29                    

... our listeners through what those four are and what it means?

Chris Gill:                             03:33                    

A successful branch transformation plan really requires upfront analysis around your client segments. How do they transact each day? How is it different from one branch to the next? Understanding your markets and the characteristics of consumers and businesses in those markets. Then from there, it's really understanding how your branches operate today, and what kinds of transactions are your customers doing in your branches? Because that will have an impact on what kind of technology you need to deploy and the kind of functionality that you offer as part of that, so understanding branch operations is important.


Then from there, once you've done the in-depth analytics, you can really identify key opportunities to move forward with to transform your branch and digital channels, and understand which of those are higher priority to implement than others. Then the fourth step is to develop a multi-year roadmap on how to move forward and in what order. Then looking at the return on investment on the plan that you've come up with.

Amy Lombardo:                04:32                    

All right, so let's talk a little bit about the analysis part that you mentioned, that first part. Can you review some options that FIs have when they're executing a transition to different types of branch technology?

Chris Gill:                             04:45                    

I think most institutions do not really understand that there are some customers that are more self-service oriented and there are others that are more branch oriented, and how that varies from one branch to the next. Because if you have a branch in a market area where you have a high concentration of self-service oriented kinds of consumers, then your strategy in a market like that needs to be different than in a market where you have a lot of people that only come into the branch and don't use self-service. The kind of technology you deploy and the kind of people you want to have in those different branches needs to be different. You need to have that in-depth understanding of your customers and their transaction characteristics in order to come up with that strategy.

Amy Lombardo:                05:29                    

Okay.

Chris Gill:                             05:30                    

Because if you don't have that, then the risk you run is you're deploying new technology in a market where your customers are not ready for it. Then you don't get the adoption and return on that investment. Or you roll out one new technology in a market, but those customers at that market also use another branch that doesn't have that technology. It creates this customer confusion, and is an inconsistent experience from one location or one ATM to another. It's important to really understand how customers use different locations.

Amy Lombardo:                06:08                    

Right. How would you mitigate that risk then of, I would almost say, call it consumer confusion of what they need to do when they walk into a branch or they go up to an ATM?

Chris Gill:                             06:20                    

Well, I think the key is, number one, doing the in-depth analytics to know and understand your customers in a greater level of detail so that you have the right plan that addresses that cross-branch, cross-ATM usage. Then secondly, from an implementation point of view, you need to have the programs in place so that the people in one location are doing the same, demonstrating the same behaviors and the same processes that they do in another location. I mean, no different than walking into a fast food restaurant or chain and having a different experience in one part of town than you do in another. That would not be a good experience. Certainly in banking, you want to have a similar experience across locations.

Amy Lombardo:                07:03                    

We've talked about it a little bit from the consumer side to say, "Okay, consumers have different ways to engage with the channels," but take a step back from the operational side. What are the benefits to the actual financial institution by going through a branch transformation strategy?

Chris Gill:                             07:22                    

Well, there are obviously several. Obviously, number one is better managing you

Security Management - A Changed Approach

10m · Published 25 Sep 12:00

Overview: 

As attacks against self-service endpoints evolve to be more complex, and many financial institutions struggle to keep up, there's a growing demand for security management services in the industry. In this podcast, you will hear about this trend and what it means for financial institutions.

Resources: 

Blog:

A look at how ATM security has changed … and how it hasn’t

ATM Security Management: Know Your Options

COMMERCE NOW (Diebold Nixdorf Podcast)
 
Diebold Nixdorf Website

Transcription:

Amy Lombardo:                00:00                    

Hello again, and thank you for joining us on this episode of Commerce Now. As attacks against self-service endpoints evolve to be more complex, and many financial institutions struggle to keep up, there's a growing demand for security management services in the industry. Today I have the pleasure of being joined by Julie Osborne, our Global Vice President of Diebold Nixdorf's Service Portfolio, and Martin Nearhos, Principal Security Architect for the Global Services Portfolio Division as well. We're going to hear about this trend and what it means for financial institutions. So, hello Julie and Martin. Thanks for being with me here today.

Julie Osborne:                   00:38                    

Thanks Amy, it's a pleasure. Thanks for having me.

Martin Nearhos:               00:41                    

Yeah, thanks Amy. Happy to be here.

Amy Lombardo:                00:44                    

Okay. I'm really excited here, because I'm based here in the US, but I'm talking to two subject matter experts who are in our Singapore office. It's great to just have this global view on this security topic. So, let's dive in here. Let's start with just a high level question on why do you think financial institutions are having difficulty managing their self service security?

Martin Nearhos:               01:10                    

That's a good question. Maintaining the security of the customers' assets and information has always been a high priority for the industry, but threats against the self-service banking channel have evolved. It's now much harder to keep up. Attacks against ATMs have traditionally been isolated to geographic regions, and slow moving out of those regions, but this is no longer the case. We're now seeing increasingly complex attacks, such as various forms of jackpotting, taking place across the globe, and at the same time the threat of traditional physical attacks hasn't really gone away. It's a lot to combat.

Julie Osborne:                   01:47                    

If I might just add to what Martin said, financial institutions usually don't have the time or in-house expertise to keep security measures up to date. As retail banking paradigms shift, banks and credit unions are under a lot of pressure to do more with less, and even if financial institutions wanted to hire in-house security specialists, as businesses and governments fight cyber security threats, these resources tend to be really expensive and in high demand. Also, as we all know, there is constant pressure to stay compliant with security regulations and industry standards. ATM security service providers can help relieve the burden of staying on top of changes and staying protected against attacks.

Amy Lombardo:                02:28                    

Okay. Got it. Martin, if I can ask this to you before we jump into this whole idea of doing more with less, since you're located in the Asia Pacific region, are there certain types of attacks that you're seeing on the rise today? We talked a lot about jackpotting in the Americas, but could you give us an idea of maybe what you're seeing over in your region?

Martin Nearhos:               02:51                    

The Asia Pacific region is quite diverse. You've got many different markets at many levels of maturity, so it varies. Locally you won't get, say Singapore, there's a certain limit to attacks, whereas in other countries very close by, you've got a much broader range of attacks. It's complex and it doesn't move.

Amy Lombardo:                03:15                    

Got it. Yeah. It sounds like no matter where you are, just keeping on top of that security is always going to be top of mind here.

Martin Nearhos:               03:22                    

Yep.

Amy Lombardo:                03:23                    

Okay. Let's talk about this idea of doing a little more with less. When we're looking at it from a financial institution standpoint, can we talk a little bit about why they should be looking into outsourcing their ATM service and management?

Julie Osborne:                   03:37                    

Oh, absolutely Amy. I might take that one. It's becoming increasingly popular for FIs to work with organizations that have intimate knowledge of the ATM channel, and offer specialized security services as part of ATM fleet management arrangements. They will want someone who can offer 24/7 secure operation centers for monitoring, and who can also take care of all necessary maintenance, hardware and software upgrades, and updates for them. Some FIs don't have the capability in house to reliably maintain secure ATM environments, and others would just simply rather have someone else handle it because it is a specialist capability, as I said. So, if FIs are looking to take the burden off themselves and effectively manage the security services of the ATM fleet, with an ATM security service provider such as Diebold Nixdorf, they should look for a provider who can deliver the following three things.


First, you'd want optimized security through 24/7 monitoring, proactive threat elimination, and an in-depth understanding of emerging threats, to try and protect against attackers.

Second, you'd want increased efficiency, freeing the FI from day to day ATM security management responsibilities, or streamlining processes.

Third, you want a service that will effectively manage operational risk, to provide real time threat insights, and offer remote troubleshooting, and has a deep understanding of the industry requirements. Ultimately, I think the best approach is a multilayered security protection approach that offers real time information to ensure ATM networks are protected and available, whilst also providing the information FIs need for a [inaudible 00:05:17] ATM security audits.

Amy Lombardo:                05:19                    

Okay, got it. Those three points were really helpful here, especially in looking to determine your outsourcing, your Managed Security Services, but what does an engagement actually look like for a financial institution? What are some of the specific options, and what would it take to get a program like this up and running?

Martin Nearhos:               05:41                    

I can take that. If you're an existing customer, and you're already using sort of self-service fleet management, which is just a suite of services designed to run multi-vendor self-service devices cost effectively, the customer can sort of decide what level of protection makes sense for their organization, based on their risk profile and their operational risk. If you're a new customer, we'd look at all the fleet details that are required. The ATM make, the model, physical location, that would all be analyzed. Then the customer would select the appropriate security service, and again, it's based on their business and operational risk. We suggest that whatever FIs choose is a core security service. The services offered should, at the very least, provide everything needed to comply with industry standards and requirements such as those developed by the Payment Card Industry Security Standards Council.


It should also include the hardening of various aspects of the ATM with remote monitoring and software patch deployment. It would also include things like device monitoring, secure connectivity, managed firewall, peripheral device control, anti-malware, antivirus, and of course intrusion detection and prevention. Then the FI can have the option to build upon that basic level of services for such things as protection against complex logical system attacks. Although I would recommend this sort of protection to everyone, we know that financial institutions want to prioritize their investments in advanced security, and they just can't do it all at once. With these types of services, FIs can then rely on the security service provider to proactively monitor the ATM for suspicious activity, protecting terminals more effectively in real time, responding quickly when attacks are detected, engaging with customers to resolve the incident, and taking the burden of managing the self-service fleet off the FI, who, as we've already said, may be stretched pretty thin on resources.

Amy Lombardo:                07:42                    

So Martin, if I can ask you a que

Cyber Security: It Takes More Than a Firewall

17m · Published 17 Aug 15:11

Podcast Summary:

No other crime is more romanticized by pop culture than the bank robbery, and no type of criminal more than the thief. Think Bonnie and Clyde, John Dillinger, the Sundance Kid and Butch Cassidy. What comes to mind? Tunneling under the bank, cracking safes, elaborate escapes, and adrenaline-filled action. However you feel about them, one thing is certain: those types of heists, no matter how notorious and exciting, are slipping into antiquity.

We’ll probably never have another fated criminal couple like Bonnie and Clyde, or another escape artist and thief like John Dillinger, for the simple fact that their methods are outdated. Today’s criminal is more apt to attack from their home computer than at the teller window. They crack codes, not safes, and the only mining they’re doing involves data. In this episode, Scott Harroff and Dave Phister talk about cyber security, cyber criminals, and how industries can protect their data, their software, and overall – their cash.

Resources:

Blog: https://blog.dieboldnixdorf.com/our-commitment-to-you-as-your-security-partner/

DN website: www.dieboldnixdorf.com

COMMERCE NOW website: www.commercenow.libsyn.com

Transcription: 

Amy Lombardo:                00:00                    
No other crime is more romanticized by pop culture than the bank robbery, and no type of criminal, more than the thief. Think Bonnie and Clyde, John Dillinger, the Sundance Kid, and Butch Cassidy. What comes to mind? Tunneling under the bank, cracking safes, elaborate escapes, and adrenaline filled action. However you feel about them, one thing is certain: those types of heists, no matter how notorious and exciting, are slipping into antiquity. We'll probably never have another fated criminal couple like Bonnie and Clyde, or another escape artist and thief like John Dillinger, for the simple fact that their methods are outdated. Today's criminal is more apt to attack from their home computer than at the teller window. They crack codes, not safes, and the only mining they're doing involves data.

In this episode Scott Harroff and Dave Phister talk about cyber security, cyber criminals, and how industries can protect their data, their software, and overall, their cash. I'm Amy Lombardo, and this is COMMERCE NOW.

Scott Harroff:                     01:19                    
Hello again. This is Scott Harroff, your host for this episode of Commerce Now. The last time I was on this podcast I spoke with Bernd Redecker on what jackpotting could teach us. You'll find that episode on www.commercenow.libsyn.com, iTunes, or however else you listen to your podcasts. Today, I'm joined by Dave Phister, Director and product manager responsible for security at Diebold Nixdorf. Today we're going to talk about cyber security and touch on exactly what cyber security is from our perspective and how criminals are turning to digital means to acquire things like money and data.

Hello, Dave, and welcome. Thanks for joining today.

Dave Phister:                     01:56                    
It's a pleasure, Scott. Thanks for having me. I've been honored here since you're becoming a bit of a podcast regular, for you.

Scott Harroff:                     02:04                    
Well, thank you very much. I never knew being a podcast star was in my history, but I'm happy to roll with it. As I said, today our focus is on cyber security, and when you and I hear this term, we have a pretty good understanding of what it means between you and me, but a lot of times people think that it's all about foreign hackers stealing secrets. Can you give a little bit of color around our definition of cyber security?

Dave Phister:                     02:29                    
Yeah, I sure can. It's a great question, Scott, and a great point. I think, simply stated, cyber is anything related to computers or computer networks. That could, of course, include the internet, so then cyber security would be the measures taken to protect the computer or computer system against unauthorized access or attack. In our industry, that's typically been referred to as logical attacks, but they're really just attacks on the digital components of the ATM. As you know, the ATM contains a computer, a hard drive, uses a Windows operating system, has USB ports. It's, amongst other things, a computer client hanging off of a network, much like a desktop computer at work. It just happens to be controlling a safe full of cash.

Strictly from a computing standpoint, the security controls required to defend the computing aspect are really no different than any other network, whether it's a national security system protecting those secrets, or an essential server in a Fortune 500 retail data center. The tools, tactics, techniques, and procedures to compromise, or hack, the components are the same everywhere we look. So in addition to a firewall, it needs other cyber security like encrypted hard drives, digital signatures, access controls, proper patch management.

I think this is where the industry has let down its defenses a bit. OEMs and financial institutions haven't taken enough care to maintain current technology and protect the software and computing assets of the ATM. In addition to protecting the cash, as you mentioned, data must be equally protected, specifically the computing components that process that data, else compromise is a matter of when, not if. I think one perception is that cyber security defends against a hack originating from cyber space, which would mean something remote. Though ATM networks are not connected to the internet, they still connect to a bank network somewhere, and I would remind our listeners that as recently as 2016, we witnessed an ATM attack that was launched solely from a remote network. In this case the voice recording network was breached in Europe, the hackers navigated their way to the ATM segment, pushed malware down to the ATMs, and the mules were waiting for cash to dispense. Anything is possible as commerce, payments, and channels connect, Scott. More and more every day.

Scott Harroff:                     04:40                    
Great. Now that our listeners understand what cyber security is when we use that word, what sort of cyber security threats do our customers face, and what do you think the biggest risks are?

Dave Phister:                     04:50                    
As you discussed, Scott, with our colleague Bernd Redecker in the previous podcast, the jackpotting attacks we've seen recently in the Americas can all be categorized as cyber attacks. The January jackpot attack, where they removed the hard disk, loaded malware, and replaced it, was possible because the customer didn't employ hard disk encryption. It's a fundamental cyber control. An earlier attack took advantage of a weakness in a very old USB security protocol and would not have been possible had the customer deployed the latest AAES USB security encryption.

Then, as I mentioned, the 2016 attack in the AP region was clearly executed remotely. There was no behavioral monitoring software installed, like a McAfee or Symantec or Bit 9, Binamic. So finally, one point here, Scott, financial institutions are continuing to see cyber attacks in the internet and the mobile arena as well. The mobile device is now a connected component to the ATM, and now we're seeing financial institutions have cyber attacks against the mobile wallets and the internet banking services. Though the fraud redemption is occurring at the ATM, there's nothing the ATM can do to prevent it. It looks like a valid mobile EMV NFC connection, but the transaction is actually fraudulent.

                                                                               
What are the risks? Systems mostly in unattended operating environments. Systems that don't improve their top-hat security with better locks and intrusion sensors. Anything with outdated hardware and software; old, unpatched operating systems are the biggest risks. The example I like to give is that there are so many ATMs out there running Windows XP. That's a very old, outdated operating system. Systems with no signed or encrypted software, or hard disk encryption, or just encryption in general. Anything that lacks access control and authentication enabled to protect the internal computing system. Lastly, as Bernd mentioned in the previous conversation you had with him, Scott, behavioral monitoring software. If it's not on systems today, those systems certainly can be at risk. I think, Scott, you'd agree that a branch lobby system that's mostly attended may not need the same protections as a lesser-attended system at a convenience store, but on average we're simply not making it hard enough on the criminals, regardless.

Scott Harroff:                     06:59                    
Yeah, I completely agree with you on the thought of a lobby ATM being different than an ATM in a remote location, an

Windows 10 - An Opportunity Not An Obstacle

19m · Published 09 Aug 14:00

Podcast Summary: 

Procrastination. It’s a mysterious, sometimes crippling force that allows us to avoid undertaking and completing important tasks. And we’re all guilty of it on some level. Sometimes it’s due to anxiety. We’re anxious about the workload, or we’re unsure how we, or others, will feel about the finished product. It can also be due to perfectionism. We expect so much of ourselves that we delay a task as long as possible because we’re scared that, once it’s completed, it won’t be to our standards. Or it can simply come down to our emotions. We just aren’t in the mood to take on the task today, so we put it off.

Normally, procrastination is harmless. The work gets done, eventually, right? But when it comes to financial institutions and their software, the art of procrastination has some serious drawbacks. From security issues to a lackluster customer experience, neglecting to update their operating systems until the last minute can cause a bigger headache than they bargained for.

On today’s podcast, we’ll be talking about the upcoming Windows 10 software migration, and how financial institutions can look at this event not as an obstacle, but rather as an opportunity, and how banks, credit unions, and other FIs can leverage the migration to their advantage.

Resources: 

Blog:

Windows 10 - An opportunity not an obstacle - 
https://blog.dieboldnixdorf.com/windows-10-an-opportunity-not-an-obstacle/

Windows 10: Your Migration FAQ - https://blog.dieboldnixdorf.com/windows-10-migration-faq/#.W2SlqChKjIU

How to Win with Windows 10 - https://blog.dieboldnixdorf.com/win-windows-10/#.W2Sl_ihKjIU 

White Paper: https://www.atmmarketplace.com/whitepapers/windows-10-an-opportunity-not-an-obstacle/

Webinar: https://www.atmmarketplace.com/whitepapers/webinar-windows-10-a-financial-institutions-roadmap-to-2020/

DN website: www.dieboldnixdorf.com

COMMERCE NOW website: www.commercenow.libsyn.com

Transcription:

What Jackpotting Attacks Teach Us

25m · Published 06 Aug 13:53

Podcast Summary:

Black box attacks. Cyber attacks. Malware. Manipulation of the hard drive. There are so many factors and variations when it comes to jackpotting attacks that it can make your head spin. These attacks are constantly evolving in their sophistication, but that doesn’t mean you should give up the security ghost. Every attack teaches us something new – from the preferred ATM target to the preferred type of malware. Studying these attacks and closely scrutinizing every aspect of a jackpotting attempt allows us to get ahead of the attacks and become proactive instead of reactive.

In this episode, our security gurus Scott Harroff and Bernd Redecker will discuss the lessons and takeaways banks can learn from jackpotting and security, and how they can get ahead of the problem BEFORE it costs them.

Resources:

Blog: 

https://blog.dieboldnixdorf.com/what-recent-jackpotting-attacks-can-teach-us/

Sign-up for Security Alerts: http://pages.e.dieboldnixdorf.com/ATM-Alert-Subscription?_ga=2.241321483.882907520.1533304320-1846737074.1524590636

DN website: www.dieboldnixdorf.com

COMMERCE NOW website: www.commercenow.libsyn.com

Transcription:

Amy Lombardo:                00:01                    

Black box attacks, cyber-attacks, malware, manipulation of the hard drive, there are so many factors and variations when it comes to jackpotting attacks that it can make your head spin. These attacks are constantly evolving in their sophistication. But that doesn't mean you should give up the security ghost. Every attack teaches us something new, from the preferred ATM target to the preferred type of malware. Studying these attacks and closely scrutinizing every aspect of a jackpotting attempt allows us to get ahead of the attacks and become proactive instead of being reactive. In this episode, you'll hear from two security gurus, Scott Harroff and Bernd Redecker. They'll discuss the lessons and takeaways banks can learn from jackpotting and how they can get ahead of the problem. I am Amy Lombardo and this is COMMERCE NOW.

Scott Harroff:                     01:05                    

Hello again, and I'm Scott Harroff, your host for this episode of COMMERCE NOW. If you recall, Amy Lombardo and I had a great conversation on jackpotting a few weeks ago. And today I'm joined by Bernd Redecker, Diebold Nixdorf's Director of Corporate Product and Solution Security, and we will take a deeper dive into what recent jackpotting attacks can teach all of us and the best ways to protect against them. Thanks for joining me today Bernd.

Bernd Redecker:              01:29                    

Scott, it's a pleasure to be here. And thanks for the opportunity.

Scott Harroff:                     01:32                    

Okay, so let's recap a little from the last jackpotting podcast. First, we've seen an expansion of jackpotting attacks in 2018, especially in the Americas. Secondly, while these attacks don't feature brute force, they combine aspects of physical and logical manipulation of ATMs. And then, looking back at four ATM security alerts from this year, it's clear that protecting yourself requires a holistic security approach. So, diving right in, Bernd, can you remind our audience that although there is no one type of jackpotting attack, what are some of the major types of jackpotting that can occur?

Bernd Redecker:              02:07                    

Scott, thank you very much. The term jackpotting, first of all, basically refers to getting money out of an ATM. And jackpotting comes from the gambling machines; basically you win the jackpot. Jackpotting as such, the term, has been defined or it has been created already some years ago. There is a general distinction between different variants. One is called black box jackpotting, and black box simply means that the attacker brings his own electronics. As you already said, jackpotting is always a combination of a physical and a logical breach. When this is done on-site, like with a black box, the attacker has to open the machine, he brings his own processor, his own CPU, connects the cash handling device of the ATM with his box and then has the machine paying out money. Of course it's not as easy as it sounds at the moment. They will have to circle the security measurements. They will have to break security measures which are there, which are in place, or which should better be in place. But I guess we'll talk about that a little bit later.


There's another attack vector. And that comes with all the equipment which is already present at the machine. So the second one would be attacking the hard disk drive of the existing CPU in the ATM. We see several cases where they rip off the disk of the ATM, take it back to their car, infect it with malicious software, put it back in again and then jackpot the machine. And that, again, has different variants. Some of them have malware, some of them have even modified legal applications. And we can go through that as we touch the different alerts. And especially this year we have seen a [inaudible 00:04:04] of that. I guess we are going to touch on that now, right?

Scott Harroff:                     04:08                    

Yeah. And these attacks are really only across the four alerts that we just talked about. And I know there are other types of jackpotting. And as we've seen recently, these attacks continue to evolve very quickly. So it really is crucial to stay up to date and know what's going on. Can you talk about the January 25 alert and give us some specific takeaways?

Bernd Redecker:              04:29                    

Yeah, the January 25 alert ... And by the way, if you would like to, please register for our security alerts; you can find them on our home page. The alert from January 25th refers to, again, a combination of both attacks. It was an HD replacement attack. However, it was also using physical manipulation in the ATM, which means they did a combination of both to be able to get to the cash. And the challenge here is looking at outdated stuff, looking at outdated protections may open a potential attack vector which the attackers then exploit, which means we definitely have to take care that protection is checked and verified over time, machines are updated in a timely manner, and policies which are on the machine get updated.

Scott Harroff:                     05:22                    

Yeah. And I'll tell you, as I keep looking at what goes on, our original alerts on the Diebold side having XFS 4139 and then 4141, then 4146 and 4148, it just seems like these guys ... You close one door and turn the lock so they can't open it, and they turn right around and start looking for the next door as soon as you finish turning the lock on the first door. So help us understand a little bit about how the May alert is different from the January alert.

Bernd Redecker:              05:53                    

In that case, the attackers brought their own laptop. So the difference there is: in January it was the disk that was infected; in May they brought their own computer, in case it was infected. It was a small notebook. They disconnected the original PC, which means all of a sudden all logical countermeasures are completely obsolete; they can't help any longer. They connected directly to the dispenser and then they have been using physical measurements to trick the whole machine into communicating with a second notebook. That's the bad thing about it: we are seeing these combinations of physical and logical attacks more and more, taking advantage of processes.


The bad thing is it doesn't help any longer to build another fence, to build another protection mechanism, which they then start to re-engineer. We have to change completely the way we protect the machines. And what has shown good progress is going to a model where we have more behavioral situation. And basically that's what we did in the May topic. However, please keep in mind, of course you will have to update the machines. We have machines out there; we have just been involved in an investigation with a customer where the average age of the machines was 17 years, unpatched, never updated. These machines are liable to attacks, or can fall into attacks, just because they are that old and that outdated. If we update them regularly, if we maintain them on a regular basis, we can protect them. But of course the attackers, as soon as we close a door, are going to try and find another one.

Scott Harroff:                     07:45                    

Yeah, and there's something I really want to drill in on there a little bit, Bernd, because I'm in front of a lot of customers here in the US and I get this perception, especially from some of our larger financial institutions, that they've got the opinion that I'm running, I won't mention product names, but I'm running Vendor X antivirus product or I'm running Vendor Y whitelisting product or I'm running Vendor Z super security product on my hard drive, and because I've got all these products protecting me from a security standpoint, from the yello

The Amazon Effect - How To Compete with Online Retail Giants

25m · Published 27 Jul 15:36

Podcast Summary:

In January of this year, Amazon shook up the retail space by introducing their own brick-and-mortar retail space, but they added a twist. The entire store is checkout-free. Customers walk in, grab their products, and go. With the use of an app, a combination of sensors and cameras, the store tracks a consumer’s purchases and charges their Amazon card when they walk out. It’s the epitome of quick and convenient, and it’s got a lot of traditional retailers on edge.

But with every new innovation, there are other companies who are quick to redesign the reinvented wheel. Now, Microsoft is designing a rebuttal to Amazon Go. While Microsoft has no interest in creating its own ecommerce platform or running a retail store, the tech giant is investing in creating cashier-less shopping technology and expanding its commercial cloud services to more retailers and businesses.

Microsoft isn’t the only company that’s hopping on the Amazon bandwagon. Retailers across the globe are trying to implement Amazon-like qualities into their digital and physical marketplaces. But should they? In today’s episode, I’ll once again be joined by Dave Kuchenski and we’ll discuss how the Amazon Effect has feverishly gripped retailers, and whether or not that’s a good thing.

Resources:

Blog: https://blog.dieboldnixdorf.com/personalization-store-one-future-retail/#.W1s8WtJKiUk

https://blog.dieboldnixdorf.com/e-commerce-represents-major-gap-for-u-s-grocers/#.W1s8etJKiUk

DN website: www.dieboldnixdorf.com

COMMERCE NOW website: www.commercenow.libsyn.com

Transcription:

Amy Lombardo:                00:01                    

In January of this year, Amazon shook up the retail space by introducing their own brick and mortar retail space, but did you know they added a twist? The entire store is check-out free. Consumers walk in, grab their products and go.

With the use of an app, a combination of sensors and cameras, the store tracks the consumer's purchases and charges their Amazon card when they walk out. It's the epitome of quick-and-convenient, and it's got a lot of retailers on edge.

But, with every new innovation, there are other companies who are quick to reinvent the wheel. Now, Microsoft is designing a rebuttal to Amazon Go. While Microsoft has no interest in creating its own eCommerce platform or running a retail store, the tech giant is investing in creating cashier-less shopping technology and expanding its commercial cloud services to more retailers and businesses.

Microsoft isn't the only company that's hopping on the Amazon bandwagon. Retailers across the globe are trying to implement Amazon-like qualities into their digital and physical marketplaces, but should they?

In today's episode, I'll once again be joined by Dave Kuchenski, Diebold Nixdorf's Director of Retail Strategy, and we'll discuss how the Amazon effect has feverishly gripped retailers and whether or not that's a good thing. I'm Amy Lombardo and this is COMMERCE NOW.

Amy Lombardo:                01:54                    

So, hello to our listeners. I am joined once again by Dave Kuchenski, the Director of Retail Strategy here at Diebold Nixdorf. He has also shared with me that he is a self-proclaimed Sonic the Hedgehog video game expert. Hi, Dave. Welcome back.

Dave Kuchenski:               01:53                    

Hi Amy. I'm glad to be back. I don't know if I'd call myself a video expert. My four-year-old kind of beats me every single time we play, but thanks for sharing that with everybody.

Amy Lombardo:                02:04                    

Yeah, no problem. That's what you can depend on me for. All right. In our last conversation, we talked a lot about the in-store shopping experience and the idea of having this connected consumer. I want to follow up with that discussion today and give some more specific examples, but to refresh the listeners' memory, we left off talking about this idea of the blind spot.

I think of the blind spot as that spot you can't see in your rear view mirror or even a movie that was popular a couple of years ago, but when it comes to the retail world, can you talk to me about what the blind spot is?

Dave Kuchenski:               02:47                    

Yeah. There's this blind spot that physical retailers have that online retailers do not. If you think about online retailers and how they market to their consumers, they have visibility to me, as a consumer. A lot of times, we have profiles that are set up. They know how many times I've come back to a site looking at a specific item.

There are personalized ads, offers, loyalty, and they know who I am basically while I'm shopping on their site. They know my shopping history, what I've bought before, things that I like. There's this advantage that online shoppers have that physical retailers don't.

When I step into a physical retail store, the customer's activity is unknown. The shopping history is not visible until after I check out. I've bought some item and I'm out the door. There's a little bit of an opportunity there to capture me by the mobile app, based on the purchase history at point-of-sale, but it's a vast difference between what online shoppers are actually able to do.

The idea is what if we could change that blind spot and help recognize customers when they're coming into the store, help provide a more immersive experience that's personalized and make that interaction inside the physical store more valuable to the consumer.

Amy Lombardo:                04:07                    

Yeah, that's a good point, Dave, because think about your weekly grocery store ad that you get, or like your home repair store. The same things are on sale to every single consumer, no matter age, demographics, whatever that might be, and that's a good point, if it could be a little more personalized.

On that thought, talk to me a little bit more about how the physical retail world itself is changing and how retailers can look at ways to overcome this idea of the blind spot.

Dave Kuchenski:               04:38                    

We see retailers innovating in several different ways around their customers' journeys. We've kind of outlined this framework of five areas where our customers, retailers, are innovating. The first being experiential: improved in-store experiences. They generate more satisfaction in the shopping journey. It's purely about the customer enjoying their time in the store. Expertise: customer store alliance, subject matter experts to provide guidance on products. We see some innovation there happening with retailers enabling their in-store associates with technology. Showrooming: we see different store formats happening.

Groceries are a great example. They're not just necessarily doing these giant grocery stores anymore with thousands of products in them. They're doing these smaller format-type showrooms with more frequently purchased items, so that's one example. Then, we have store intelligence. Consumers generate data within the store, things that they look at, things that they buy. Retailers are constantly trying to find ways to collect different data points, become more intelligent about the activity that's happening in their store, and then utilize that to create better experiences, offer better products for the consumers.

Then, the last one is supply chain and fulfillment. We see all these new fulfillment models. It started with Amazon, and Amazon created all these warehouses. They were able to create two-day delivery. Now, we're starting to see these physical retailers come up with creative fulfillment models to be able to deliver more products, more efficiently, to customers.

Amy Lombardo:                06:15                    

Dave, that last example about supply chain and fulfillment, are you saying that some retailers, if they can't meet that shipping quota, they're using some of their hub-to-warehouses to actually ship product out of versus standard warehouses?

Dave Kuchenski:               06:29                    

Yeah, they're actually viewing their physical stores as this network of warehouses, mini-warehouses. Things like ship-from-store. They'll get drivers to come pick up items that have been bought online, in the store, and then deliver them t

COMMERCE NOW has 54 episodes in total of non- explicit content. Total playtime is 19:53:33. The language of the podcast is English. This podcast has been added on August 24th 2022. It might contain more episodes than the ones shown here. It was last updated on January 3rd, 2023 01:22.
