W3C Publishes Working Draft of the Web Content Accessibility Guidelines (WCAG) 3.0
w3c wcag accessibility logo
The World Wide Web Consortium (W3C) has published the First Call Public Working Draft of its Web Content Accessibility Guidelines (WCAG) 3.0, which are developed through the W3C process in cooperation with individuals and organizations around the world. WCAG 3.0 provides new ways to evaluate web content accessibility for people with disabilities by addressing more types of disabilities, concentrating on both mobile and desktop applications, and developing new tests and scoring to determine accessibility.
While WCAG 3.0 would succeed WCAG 2.1 and 2.0, it would not deprecate these earlier versions. WCAG 3.0 covers a wider set of user and disability needs, publishing requirements, and emerging technologies such as web XR (augmented, virtual, and mixed reality) and voice input. WCAG 3.0 also includes non-normative information about web technologies working in conjunction with authoring tools, user agents, and assistive technologies. The WCAG 3.0 model is designed to support better coverage across disabilities and be easier to maintain so that the model keeps pace with accelerating technology change.
Since the late 1990s, the Board and the WCAG working groups have engaged in ongoing collaboration to make web content more accessible to users with disabilities. The Board’s original Section 508 Standards (2000) cited WCAG 1.0 and included a mapping between specific WCAG 1.0 checkpoints and 508 provisions. The refreshed 508 Standards (2017) incorporate significant portions of WCAG 2.0 by reference.
The finalized WCAG 3.0 standards are not expected to be completed until after 2022.
DENVER, Jan. 8, 2021 /PRNewswire/ — Visit NRF 2021 Chapter 1 next week and meet with Kiosk Association. Dates are January 12, 13, 14, 19, 21 and 22 beginning next week. Our online page is https://virtualbigshow.nrf.com/company/kiosk-association-kma
If interested in attending the cost for retailers is $195. The Kiosk Association has a limited number of free Expo passes that are available. Contact Craig or one of our Gold Sponsors or members.
The Kiosk Association (KMA) is a global organization focused on improving self-service for customers and employees thru kiosks & digital signage. Our mission is to inform and educate. We provide:
Solutions
Retail kiosk solutions Cash2Card
Self-order stations (McDonalds e.g.)
Outdoor solutions for customer order including menuboards for drive-thru
Digital signage & wayfinding
Bill Payment & Financial Kiosks
Ticketing Kiosks
Employee Health Screening Kiosks or Temperature Kiosks
Software including Contactless, Touchless Kiosk, and AI
Regulatory Guidance We help establish & communicate best practice regulatory guidelines for ADA and PCI. We work with U.S. Access Board and are a Participating Organization of PCI SSC. Other regulatory issues are UL, HIPAA, & DOT.
Research The February 2021 research report (130 pages) is being released this month. Contact us at NRF2021 for report in its entirety. Excerpt: The U.S market for self-service kiosks was valued at $2.6 billion in 2019.
Questions – Contact Craig Keefner | [email protected] | 720.324.1837 m (text or call)
Gold Sponsors: Olea Kiosks, Inc., KioWare, Frank Mayer and Associates, Inc., Nanonation, Pyramid, KIOSK Information Systems, KioskGroup, Vispero, Zebra, AUO Displays, 22 Miles & Honeywell.
About Kiosk Manufacturer Association:
Based in Westminster, Colorado, the Kiosk Association or KMA has served the unattended self-service kiosk market since 1995. The Kiosk Association leads the effort to optimize self-service engagements and outcomes using technology such as kiosks, digital signage and displays, service, monitoring, and touchscreens.
Regulatory issues PCI Compliance and EMV are the primary regulatory focus for the KMA along with ADA Accessibility. KMA is a Participating Organization with the PCI SSC. For ADA, the KMA meets annually with U.S. Access Board on accessibility standards for unattended. Additional market coverage includes digital signage, interactive digital, Point-of-Sale, Smart City, vending and robotics. See us on LinkedIn. KMA is available on https://kioskindustry.org and https://kma.global
WESTMINSTER, Colo., Dec. 15, 2020 (SEND2PRESS NEWSWIRE) — The Kiosk Manufacturer Association (KMA), the leading unattended self-service kiosk association established in 1995, today announced the launch of new initiatives in the PCI Compliance space for unattended self-service kiosks. Those initiatives include providing content for the PCI Perspectives Blog, creating a SIG or Special Interest Group on PCI SSC for unattended and semi-attended transaction, as well as new guidepost content from our sponsors and members outlining best practices.
“The pandemic is fundamentally altering the relationship that business and customer have had historically. Rather than the conventional ‘push’ from storefront to customer, the ratio of customers ‘pulling’ from business is rapidly increasing. Online mechanisms are no longer optional but instead, mandatory,” says association spokesman, Craig Keefner. “Contactless and touchless are the new cornerstones. Shortening those transaction timeframes whether Drive-Thru or Text-to-pay are the new base metrics.”
The pandemic impact on the currencies and payment methods involved in today’s secure transaction has also expanded. Cash2Card deployments are rising and instead of the old Redbox DVDs at McDonalds you may soon have a new Bitcoin ATM Kiosks.
Technologies emerging and in-use include conversational artificial intelligence (AI) and all types of visual recognition systems (automobile license and facial examples given).
To stay informed on customer self-order and employee terminals sign up for our monthly news update or you can visit our website.
Based in Westminster, Colorado, the Kiosk Manufacturer Association – or KMA – has served the unattended self-service kiosk market since 1995. The Kiosk Association leads the effort to optimize self-service engagements and outcomes using technology such as kiosks, digital signage, and touchscreens.
Regulatory issues such as PCI Compliance and EMV are a primary focus for the KMA along with ADA Accessibility. KMA is a Participating Organization with the PCI SSC. For ADA, the KMA meets annually with U.S. Access Board on accessibility standards for unattended. Additional market coverage includes digital signage, interactive digital, Point-of-Sale, Smart City, vending and robotics. See us on LinkedIn. KMA is available on https://kioskindustry.org/ and https://kma.global/.
November 2020: POI devices must support one or more of four specified techniques for the loading of private or secret keys. Methods a and b are for plaintext key loading and methods c and d are for encrypted key loading. The requirement specifies that EPPs and OEM PEDs intended for use in an unattended environment shall only support methods a, c, and d. It further specifies that SCRPs shall only support the loading of encrypted keying material. Are there any other restrictions?
A Yes. For all new evaluations (i.e., evaluations that result in a new approval) of POI v5 devices, the POI devices must support at least one of the encrypted key loading methods for the loading of private or secret keys
Requirement A9 stipulates that the device must provide a means to deter the visual observation of PIN values as they are being entered by the cardholder. What methods are acceptable?
A The POI Security Requirements provide for several options that may be used separately or in combination to provide privacy during PIN entry. These options are: ▪ A physical (privacy)shielding barrier. Note that in case the privacy shield is detachable, a user’s guide must accompany the device that states that the privacy shield must be used to comply with ISO 9564. Optionally, the user’s guide can also reference PCI device requirements; ▪ Designed so that the cardholder can shield it with his/her body to protect against observation of the PIN during PIN entry, e.g., a handheld device; ▪ Limited viewing angle (for example, a polarizing filter or recessed PIN pad); ▪ Housing that is part of the ATM or kiosk, cardholder’s hand or body (applies to handheld devices only); and ▪ The installed device’s environment.
May (update) 2018: PIN entry devices may physically integrate in the same device other functionality, such as mobile phone, PDA capabilities or POS terminal. Handheld configurations of PIN entry devices may accommodate the attachment (e.g., via a sled, sleeve or audio jack) of a mobile phone, PDA or POS terminal, where the attached device communicates with the PED. Such a configuration appears as a single device, with separate interfaces for input by the clerk and cardholder. What considerations must be taken into account for either of these configurations?
May (update) 2018: PIN Entry Devices that attach to a mobile phone, PDA or POS terminal via a sled, sleeve, audio jack, or wireless connection are required to support SRED. Does this apply to PEDs that are integrated with other devices (such as a tablet or mobile phone) that appear as a single device?
A Yes. An integrated device is one where two physically and electronically distinct devices (e.g., a PED and a commercial off the shelf (COTS) device such as a mobile phone) appear as a single device through the use of the plastics to mask the connectivity. In such a configuration, there is a risk that the cardholder enters the PIN on the wrong interface. Furthermore, the communication interface between the PED and the integrated device may give the latter access to card reader functions without cryptographic controls, allowing skimming of card account data. In this integration model, then either: ▪ Both the PED and non-PED are assessed and validated as compliant to the PTS POI requirements, or ▪ The PED, which must also control the card reader(s), must implement and be validated against the PTS POI SRED module and be both physically and electronically distinct from the non-PED system (for example, it is not acceptable to have the PED firmware execute within the same processor as the non-PED firmware). The PED must enforce SRED functions for encryption of card data at all times. The PED is only allowed one state, and that is to encrypt all account data. It cannot be configured to enter a state where account data is not encrypted. The Security Policy must also state that the non-PED has not been assessed under the PCI PTS program and security guidance is required to ensure the secure operation of the solution. An additional note will be added to the portal noting that the non-PED has not been assessed under the PTS program.
October 2018: Are there minimum requirements for the version of Android to be used within a PTS device?
A Yes, it is expected that the Android version is officially supported with security patches, at a minimum. Any reports, including deltas, where the Android version is not supported with regular security patches will be rejected. Where these patches are not provided by Google, evidence of security patches (implemented at least monthly) provided by the vendor must be documented in the report provided by PCI; evidence for this is expected to be validation of the update code by the laboratory for at least two previous patches, as well as validation by the laboratory that these patches have remediated existing known vulnerabilities in the version of Android used. Vendors should note that this means that consideration for the future patch status of any Android version used must be made during the initial design stages of the device, to prevent unexpected rejection of devices after an Android version becomes unsupported during the development of a solution.
What vulnerabilities must be taken into account for a touchscreen?
A If the sides are accessible, an overlay attack utilizing a second, clear touchscreen could be a problem. The connection/path from the touchscreen to the processor (and any devices used for decoding the signals in between) needs to be verified to be secure. Bezels around the touchscreen are especially dangerous because they can conceal access to areas of concern that are described above. The API for firmware and applications (if applicable) needs to be looked at carefully to determine the conditions under which plain-text data entry is allowed. Example: It should not be possible unless under acquirer display prompt-controlled devices, for a third party to display an image (JPEG) that states “press enter when ready for PIN entry” and then have a plain-text keypad pop up on the next screen. The extra caution is warranted for touchscreen devices because of the desire to make touchscreen devices user-friendly and to run many different, unauthenticated, uncontrolled applications. This is especially true for the devices that are intended to be held because of the tendency to regard them as a PDA that can perform debit transactions.
February (update) 2014: Does the use of protective keypad overlays impact the approval status of a device?
A Yes. In general, overlays are not supported by the device approval program due to the potential for keypad tapping or hiding tamper evidence. Overlays may be used where they do not cover any portion of the PIN entry area. For example, in a touchscreen device where the touchscreen is used for both signature capture and PIN entry, an overlay may be used to protect the signature area from excessive wear. In this example only the area used for signature capture may be protected. The material used must be transparent, and not merely translucent, so as not to obstruct the key-entry area when viewed from any angle
Some devices ship with firmware that may be convertible into a compliant version but is not compliant as shipped. When is this acceptable?
A This is only acceptable where the conversion is one way and cannot be reversed. A device can only be converted to a compliant version. It shall not be capable of converting a compliant version to a non-compliant version. The conversion must be performed at the initial key loading of the acquiring entity’s secret keys. The transformation must result in the zeroization of any previously existing acquiring entity secret keys. The compliant version of firmware must be clearly distinguishable from the non-compliant version. Merely appending a suffix (one or more characters) to an existing firmware version is not acceptable. Rather the conversion must result in a high order version number that is clearly distinguishable to purchasers of such devices. Only the compliant version shall be approved and listed.
January 2015: There are a number of FAQs on the use of wireless technologies, such as Bluetooth and Wi-Fi. What is the intent of these FAQs, and does PCI have any specific requirements for other types of communications technologies?
A The intent of the FAQs on all wireless communications for POI devices is to ensure that the interfaces of the POI are protected such that: ▪ Card data cannot be easily intercepted. ▪ Command interfaces to the terminal cannot be easily accessed, intercepted for attack (such as MITM), or used as an attack vector into the device. ▪ Compromise of the interface does not lead to, support, or facilitate further compromise of security assets of the POI. PCI does not mandate or require the use of any specific communication technology, but any implementation must meet the above requirements through some aspect of the physical or logical layers of communication. Physical or direct wired communication often achieves this through the nature of its physical interface. Wireless communications cannot rely on this and therefore must rely instead on security at the link or application layers through use of a Security Protocol to establish a trusted path for all communications over the wireless link. This Security Protocol must have been tested and approved under the open-protocols module of the PCI PTS evaluation of that device, and examples of acceptable Security Protocol implementations include WPA2 (implemented at the link layer), or VPN encrypted tunnels (implemented at the application layer)
December (update) 2016: Can a PTS device be used as a beacon (iBeacon or BLE beacon) transmitter?
A Beacons for any version of BLE (e.g., 4.0, 4.1) are allowed providing the following conditions exists and are validated by a PTS approved lab: ▪ The beacon is listed as a device interface in the PTS POI report. ▪ Over the Air (OTA) provisioning is not allowed at any time. Provisioning and updating of beacons must be consistent with existing PTS standards. (i.e., Section J, B4 or B4.1) ▪ Must be referenced in the security policy. ▪ Beacons are transmit-only. The lab must validate that BLE communication cannot be used to respond to any external requests, connect, pair, or otherwise provide two-way communication to any other device. ▪ The vendor provides documentation on the secure use and provisioning of the beacon and that the documentation clearly states the beacon is used for transmit only, and that OTA provisioning is not allowed. ▪ The vendor will document the purpose of use of the beacon functionality⎯i.e., its intended use. The documentation must include what data is transmitted and ensure that no sensitive data can be transmitted. ▪ The PTS device is never allowed to receive beacon transmissions.
From PCI SSC – The COVID-19 pandemic is quickly changing how many small merchants accept payments. Merchants that previously only had brick-and-mortar locations are moving to accept e-commerce and over-the-phone transactions. PCI Security Standards Council shares key
considerations to help small merchants keep their customers’ payment data secure in this rapidly changing environment.
One tip from Kiosk Industry Group is to understand and know what access, if any, your vendors and supply chain have access to. The Target breach for example was due to a vendor using out-of-date free Malware protection on their PC and getting in via Microsoft infrastructure.
TIP #1: REDUCE WHERE PAYMENT CARD DATA CAN BE FOUND
The best way to protect against data breaches is not store card data at all. Many small merchants are offering curbside pickup now and are accepting telephone payments in lieu of former face-to-face transactions. Avoid writing payment card details down and instead enter them directly into your secure terminal. More Information: PCI SSC Special Interest Group Paper: Accepting Telephone Payments Securely
TIP #2: USE STRONG PASSWORDS
The use of weak and default passwords is one of the leading causes of payment data breaches for businesses. To be effective, passwords must be strong and updated regularly. Weak and vendor default passwords are a frequent source of small merchant breaches. More Information: Strong Passwords Infographic
TIP #3: KEEP SOFTWARE PATCHED AND UP TO DATE
Criminals look for outdated software to exploit flaws in unpatched systems. Timely installation of security patches is crucial to minimize the risk of being breached. One way to keep up with all the necessary changes is by ensuring vulnerability scans are performed regularly to identify security issues. PCI Approved Scanning Vendors (ASVs) can help you identify vulnerabilities and misconfigurations in your Internet-facing payment systems, e-commerce website, and other systems, providing a report of your vulnerabilities and how to address them—for example, what patches to
apply. Be sure to act upon the results of ASV vulnerability scans and keep your software up to date. More Information: Patching Infographic
TIP #4: USE STRONG ENCRYPTION
Encryption makes payment card data unreadable to people without a specific key, and can be used to protect stored data and data transmitted over a network. Ask your vendor whether your payment terminal encryption is done via a Point-to-Point Encryption solution and is on the PCI SSC’s List of PCI P2PE Validated Solutions. If you are setting up a new website, confirm the shopping cart provider is using proper encryption, such as TLS v1.2, to protect your customers’ data. More Information: Information Supplements on Use of SSL/Early TLS
TIP #5: USE SECURE REMOTE ACCESS
To minimize the risk of being breached, it’s important that you take part in managing how and when your vendors can access your systems. Criminals can gain access to your systems that store, process, or transmit payment data through weak remote access controls. You should limit use of remote access and disable it when not needed. If you must allow remote access, ask your vendors to use multi-factor authentication and strong remote access credentials that are unique to your business and not the same as those used for other customers. More Information: PCI SSC Secure Remote Access Infographic
TIP #6: ENSURE FIREWALLS ARE CONFIGURED PROPERLY
A firewall is a device or software that sits between your network and the Internet. It acts as a barrier to keep traffic out of your network and systems that you don’t want and didn’t authorize. Firewall rules can seem complex, but configuring them properly is vital to security. If you require additional assistance to properly configure your firewall, seek help from a network professional. More Information: Resource for Small Merchants: Firewall Basics
TIP #7: THINK BEFORE YOU CLICK
Hackers use phishing and other social engineering methods to target organizations with legitimate-looking emails and social media messages that trick users into providing confidential data, such as payment card number, merchant account number or password. Small merchants should be extra vigilant and be on the look out for common phishing and social engineering hacks. More Information: Beware of COVID-19 Online Scams and Threats
TIP #8: CHOOSE TRUSTED PARTNERS
It’s critical you know who your service providers are and what security questions to ask them. Is your service provider adhering to PCI DSS requirements? For e-commerce merchants (and those of you that recently started accepting e-commerce payments in lieu of face-to-face payments), it is important that your payment service providers are PCI DSS compliant, including the service provider that manages your payment process (your “payment service provider” or PSP). More Information:
Call for participation in upcoming 2021-2022 Self-Service Kiosk Market Analysis Report
WESTMINSTER, COLORADO, UNITED STATES, November 17, 2020 /EINPresswire.com/ — The kioskindustry.org communications site for the Kiosk Manufacturer Association (KMA) is pleased to announce the launch of our new website design.
The new design emphasizes content such as videos, opinion, sponsor and member news as well as industry-wide news in the self-service kiosk related markets. Coverage of digital signage, smart city, POS and retail automation are also part of the content mix.
Major improvements include:
o More relevant content more quickly found
o Demo videos in articles by default
o Up to date SEO mechanisms such as Structured Data
o Inbuilt Ad and Analytics hooks (though we are no fan of Adsense)
o HTML5 | CSS3 support
o Author pagestyles
o Responsive slider for features
o And lastly, it is extremely quick (as measured by Google)
As part of the launch the KMA has commissioned a 2021-2022 Kiosk Market Analysis report covering a minimum of 40 companies (members and non-members). Participation is open to any company involved in self-service kiosks. That includes deployers and customers, as well as device supply chain providers (printers, service, displays, menuboards, touchscreens, drive-thru, mobile scanning, touchless touch, computers and more).
Markets covered include self-service kiosks, customer-facing POS (with exception of supermarkets checkout), Smart City, International markets such as SE Asia and Europe, plus a wide range of “interactive” and smart digital signage (including menuboards, outdoor and drive-thru).
How the market was before the pandemic and how it has changed due to the pandemic is a major focus. Looking forward to how self-service will be utilized in the future is final component.
Your input is welcome and completely confidential with the nationally recognized research firm commissioned (BCC Research). Contact Craig at catareno.com and we will forward your contact information to the research firm.
Lastly, as a public service announcement, we would like to bring to the attention recent in-depth content on current VA fever screening actions which are endangering veterans as well as content on deceptive temperature screening tablets from China. IPVM has been the leading independent test authority for temperature kiosks and surveillance cameras.
craig keefner
KMA/ Kiosk Manufacturer Association
+ +1 720-324-1837 email us here
Visit us on social media: LinkedIn
WESTMINSTER, Colo.–(BUSINESS WIRE)–Tomorrow, Tuesday the 20th at 3:30 pm EDT, the CEO of Inspire Brands Paul Brown speaks on innovation and lessons from Arby’s, Jimmy John’s, Sonic, and other Inspire Brands companies. The Kiosk Association is the session sponsor. Our mission is to inform and educate. Towards that end here is a direct link to register. Some of the innovations include new drive-thru designs as well as integration to Alexa and Amazon.
Some other recent innovations in the QSR and Fast Casual space that the Kiosk Association has noted include:
Weatherproof Android EMV Terminals Introduced – link
Touchless Kiosk Software (patent pending) – podcast interview at FinTech – link
QSR Market Review by Kiosk Industry – in SLED and Federal $6B in Opportunities – link
Contactless Curbside Pickup with Geo-Fencing – El Pollo Loco – link
Self-Service Kiosks With Pickup “Cubbies” ala Brightlook and Caesars Pizza – link
If you are interested in self-order kiosks we have a catalog on kioskindustry.org of many manufacturers (customers include Appetize and McDonald’s to name some). There are 22 COVID-related solutions available from the Kiosk Association including automatic sanitizers, CDC-approved kiosks, and temperature scanning. You can see the catalog Temperature COVID Catalog on the Intel Marketplace Solutions.
About the Kiosk Association (KMA) —
On ADA and accessibility, we work directly with the U.S. Access Board and have a complete set of guidelines.
On PCI – we are a participating organization with PCI SSC. Our primary focus is on unattended ordering and ADA.
We are international with members in US, Germany, UK, SE Asia, and more.
The 21st Century Integrated Digital Experience Act (IDEA) aims to improve the digital experience for government customers. It requires federal agencies to update their websites according to the U.S. Web Design System (USWDS) to make them more user-friendly. Developed by the General Services Administration (GSA) and U.S. Digital Service, the USDWS helps federal agencies create websites that are accessible, fast, and easy to use on mobile devices.
Webinar Subject
The next webinar in the Section 508 Best Practices Webinar Series on November 24 from 1:00 to 2:30 (ET) will explain how to create accessible websites using the USWDS and meet the requirements of the IDEA. Representatives from GSA will review USWDS code, tools, and guidance for website accessibility. They will also cover common issues, offer recommendations and best practices, and suggest resources for meeting IDEA requirements.
For more details or to register
Visit www.accessibilityonline.org. Questions can be submitted in advance of the session or can be posed during the live webinar. The webinar will include video remote interpreting (VRI) and real-time captioning.
The Section 508 Best Practices Webinar Series provides helpful information and best practices for federal agencies in meeting their obligations under Section 508 of the Rehabilitation Act which ensures access to information and communication technology in the federal sector. This webinar series is made available by the Accessibility Community of Practice of the CIO Council in partnership with the U.S. Access Board.
Section 508 Best Practices: Creating accessible websites using the U.S. Web Design System (USWDS) and the 21st Century Integrated Digital Experience Act (IDEA)
Note: Registration closes 24 hours before the start of the session. Instructions for accessing the webinar on the day of the session will be sent via email to registered individuals in advance of the session. Communication Access Realtime Translation (CART) and Video Sign Language Interpreters are available for each session and will be broadcast via the webinar platform. A telephone option (not toll-free) for receiving audio is also available.
The US FDA has now defined the correct operation of “Thermal Imaging Systems”, colloquially known as “fever cameras”.
Many in video surveillance have interpreted the FDA’s decision to temporarily lift 510(k) clearance requirements for fever cameras to mean that ‘anything goes’, ignoring well-established global standards.
However, this latest FDA guidance show that even amid a fever camera Gold Rush, the agency believes such systems need to be set up and operated “correctly”.
The Kiosk Association (KMA) is a participating organization with the PCI Security Standards Council. Initiatives include suggesting SIG group for unattended self-service transactions as well as beginning to note considerations for ADA and accessibility as well as unattended transactions.
Why are you issuing this industry threat bulletin?
Troy Leach: We have heard from many of our stakeholders in the payment community that ATM “cash-outs” are a growing concern across the globe. We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the ATMIA who’s industry is well aware of these daily threats.
What are ATM Cash-outs? How do they work?
Mike Lee: Basically an ATM “cash-out” attack is an elaborate and choreographed attack in which criminals breach a bank or payment card processor and manipulate fraud detection controls as well as alter customer accounts so there are no limits to withdraw money from numerous ATMs in a short period of time. Criminals often manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.
So how exactly do these attacks work?
Mike Lee: An ATM cash-out attack requires careful planning and execution. Often, the criminal enterprise gains remote access to a card management system to alter the fraud prevention controls such as withdrawal limits or PIN number of compromised cardholder accounts. This is commonly done by inserting malware via phishing or social engineering methods into a financial institution or payment processor’s systems. The criminal enterprise then can create new accounts or use compromised existing accounts and/or distribute compromised debit/credit cards to a group of people who make withdrawals at ATMs in a coordinated manner. With control of the card management system, criminals can manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash. These attacks usually do not exploit vulnerabilities in the ATM itself. The ATM is used to withdraw cash after vulnerabilities in the card issuers authorization system have been exploited.
What businesses are at risk of this devious attack?
Troy Leach: Financial institutions, and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks. These institutions stand to potentially lose millions of dollars in a very short time period and can have exposure in multiple regions around the world as the result of this highly organized, well-orchestrated criminal attack.
What are some detection best practices to detect these threats before they can cause damage?
Troy Leach: Since ATM “cash-out” attacks can happen quickly and drain millions of dollars in a short period of time, the ability to detect these threats before they can cause damage is critical. Some ways to detect this type of attack are:
Velocity monitoring of underlying accounts and volume
24/7 monitoring capabilities including File Integrity Monitoring Systems (FIMs)
Reporting system that sounds the alarm immediately when suspicious activity is identified
Development and practice of an incident response management system
Check for unexpected traffic sources (e.g. IP addresses)
Look for unauthorized execution of network tools
What are some prevention best practices to stop this attack from happening in the first place?
Troy Leach: The best protection to mitigate against ATM “cash-outs” is to adopt a layered defense that includes people, processes, and technology. Some recommendations to prevent ATM “cash-outs” include:
Strong access controls to your systems and identification of third-party risks
Employee monitoring systems to guard against an “inside job”
Continuous phishing training for employees
Multi-factor authentication
Strong password management
Require layers of authentication/approval for remote changes to account balances and transaction limits
Implementation of required security patches in a timely manner (ASAP)
Regular penetration testing
Frequent reviews of access control mechanisms and access privileges
Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
Installation of file integrity monitoring software that can also serve as a detection mechanism
Strict adherence to the entire PCI DSS
For more information about best practices for detection and prevention, people should review our full bulletin.
How can people learn more about these type of attacks?
Mike Lee: ATMIA has published a detailed alert report on the topic of ATM Cash-outs. I would also encourage stakeholders interested in this topic to read our joint bulletin in its entirety. A link to those helpful resources is included in this blog.
The 21st Century Integrated Digital Experience Act (IDEA) aims to improve the digital experience for government customers. It requires federal agencies to update their websites according to the U.S. Web Design System (USWDS) to make them more user-friendly. Developed by the General Services Administration (GSA) and U.S. Digital Service, the USDWS helps federal agencies create websites that are accessible, fast, and easy to use on mobile devices.
