Fintech

Security testing for one of Europe’s most prominent banks

Penetration testing and vulnerability assessment of the bank’s ATM network

Our client’s backstory

One of Europe's leading financial institutions, with more than 100 million retail clients and a strong commitment to cybersecurity, commissioned a comprehensive penetration test of its widespread ATM network, including the features that let customers access their money without a card or PIN. The goal was to uncover weaknesses and realistic attack paths before an adversary did, and to confirm that the bank's systems and services are protected against cyber threats at all times.

Klika was hired as an expert consultant to carry out the penetration test and to share its findings and professional opinion with the bank regarding its security controls and the coverage of its data protection.

The challenges

Convenient services that give customers quick access to their money are a big hit with users, and to stay competitive many banks now offer a range of user-friendly personal banking features. These features are newer and less constrained by established standards than card-and-PIN transactions, and because they move authentication away from the physical card and onto the mobile app and the back-end services behind it, they widen the attack surface and are harder to protect. With attacks on financial institutions on the rise, the bank decided to have its ATM services assessed, including the mobile app features that allow withdrawing money without a card or PIN.

For our team, defining the scope and methodology was not straightforward: we had to take every component into account and get familiar with the bank's processes, its existing security controls and the architecture the software was built on. We also had to isolate the ATMs under test from the bank's production network, so that testing could not interfere with regular banking operations. A further challenge was finding the best approach to assessing the third-party services and technology vendors the bank relies on, and the vulnerabilities they might bring into the picture.

Klika solution

We drew up a roadmap and followed a methodical approach in line with established cybersecurity practice. We decided to test for every category in the OWASP Top 10 and to follow OWASP's testing guidance closely throughout the penetration test. OWASP is the most widely recognised resource for application security testing among industry professionals and experts.

With the roadmap and scope defined, we gathered information on the test environment, the architecture and the technologies in use, so that we understood the system as a whole and the vulnerabilities it might be exposed to. This let us write test cases covering a wide range of security requirements. We combined manual and automated testing, used our own scripts to attack the system, and set up alerting that flagged suspicious activity and possible threats at several levels.

Using this strategy, we performed a risk assessment and identified the exact number and types of vulnerabilities, along with their causes (vulnerable code, architectural weaknesses, configuration issues, non-compliance, and so on).

We found several critical and high-severity vulnerabilities that posed a significant risk to the bank. Our final report contained actionable recommendations for each one, with full details and specifics for every finding. Among the main recommendations were: introducing mutual authentication between each ATM and the back-end service it talks to (the report pointed to token-based schemes such as OAuth; for a machine-to-machine link like this, mutual TLS with a per-ATM client certificate is the more usual choice, since OAuth is an authorization framework rather than an authentication mechanism), hardening the TLS configuration so that only current protocol versions and cipher suites are accepted, and moving all communication with external APIs to HTTPS.
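The first recommendation, an authentication check between the ATM and its back-end, is the one most worth seeing in working code. The Go program below is an added example written for this page; it is not code from the engagement or from Klika, and the bank CA, the ATM identifier ATM-0042, the hostname atm-backend.bank.example and the loopback test server are all invented for the demonstration. It shows mutual TLS doing that check: the back-end refuses the handshake unless the client presents a certificate issued by the bank's own CA, a client with no certificate and a client whose certificate was issued by an untrusted CA (even with the same name) are both rejected, and the enrolled ATM's identity is read from its verified certificate rather than from anything in the request.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert mints a short-lived P-256 certificate signed by parent, or a self-signed CA when parent
// is nil. The loopback IP SAN is only there so the same helper can issue the test server's cert.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
		BasicConstraintsValid: true,
	}
	if parent == nil { // no issuer given: make this a self-signed CA
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// atmBackend is the bank-side service. RequireAndVerifyClientCert is the authentication check: the
// handshake fails unless the peer's cert chains to a CA in trust, and identity comes from that cert.
func atmBackend(trust *x509.CertPool, serverCert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "withdrawal authorised for %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    trust,
		MinVersion:   tls.VersionTLS12, // refuse legacy protocol versions
	}
	srv.StartTLS()
	return srv
}

// atmRequest is the ATM side: it pins the bank CA for server verification and offers clientCert, if any.
func atmRequest(url string, trust *x509.CertPool, clientCert ...tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: trust, Certificates: clientCert, MinVersion: tls.VersionTLS12}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// runScenario enrols one ATM under the bank CA, then sends three clients to the backend: the enrolled
// ATM, a client with no certificate, and a device whose cert has the same name but an untrusted issuer.
func runScenario() (enrolled string, noCertErr, rogueErr error) {
	bankCA := newCert("Bank ATM CA", nil)
	trust := x509.NewCertPool()
	trust.AddCert(bankCA.Leaf)
	server := newCert("atm-backend.bank.example", &bankCA)
	atm := newCert("ATM-0042", &bankCA)
	rogueCA := newCert("Rogue CA", nil)
	rogue := newCert("ATM-0042", &rogueCA)
	srv := atmBackend(trust, server)
	defer srv.Close()
	enrolled, _ = atmRequest(srv.URL, trust, atm)
	_, noCertErr = atmRequest(srv.URL, trust)
	_, rogueErr = atmRequest(srv.URL, trust, rogue)
	return enrolled, noCertErr, rogueErr
}

func main() {
	fmt.Println(runScenario()) // the enrolled ATM's response, then the two rejection errors
}
```

Two details are worth knowing when reading the output. Go's TLS client only offers a certificate whose issuer appears in the CA list the server advertises in its CertificateRequest, so the rogue device ends up sending no certificate at all and is refused for that reason; a client library that did send it would instead fail chain validation against ClientCAs, with the same result. And because the handler reads the ATM identifier from r.TLS.PeerCertificates, a request body that claims to come from ATM-0042 carries no weight: the name is bound to a private key that only the enrolled machine holds. In a deployment the same shape applies with a hardware-backed key in the ATM and a revocation or short-lifetime policy for the certificates.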

Results

The penetration test highlighted the importance of ongoing security assessments to identify and mitigate threats. By implementing the recommended measures, the bank significantly improved its security posture, reduced the risk of successful attacks and safeguarded its customers' confidential information, reinforcing its reputation as a trusted provider that is safe and secure for every customer.