Teller automation machines – Security Testing Handbook for Banking Applications

4: Security Testing Repository
163
An attacker physically damages the system and steals money from the machine:
o Check if the physical security processes for maintenance of the machine are in place and being followed.
Teller automation machines
A teller automation machine is used in banks for automating the activities of the teller (cashier). Teller automation enables prompt, accurate and secure customer service. Teller automation machines can be used wherever cash is dispensed via cash counters, typically banks. Customers who do not use ATMs benefit the most from the greater speed and efficiency these machines give the teller. When a customer withdraws money over the counter, these machines dispense cash at high speed, helping tellers serve more customers in a given time. The teller does not have to invest time counting, verifying and managing currency: the machine does it for them. The application is customisable according to the requirements of a particular bank/currency. These applications can also be integrated with most core banking platforms.
At the beginning of the day (BOD), the teller receives several bundles of currency notes from the manager and loads the unsorted notes into the teller automation machine. The machine sorts the currency notes on the basis of their dimensions into various cassettes, each designed to hold the notes of a particular denomination, and counts the notes based on their thickness. Counterfeit notes are dropped into a separate collection bin located inside the machine.
All customer transactions are synchronised with the core banking servers and account details are updated accordingly. When the end-of-day (EOD) process runs, the related data is collected and populated.
There are two components to the teller automation machine: the teller and the manager. Correspondingly, there are two user privilege levels in these machines: tellers and managers.
Teller privileges: The following privileges are usually present in the application and can be allotted to tellers as required:
Teller – allows tellers to view their own transactions:
o Withdrawal – limit on daily withdrawals by a teller, cash/withdrawal;
o Teller summary – teller’s own transaction summary.
Utility – provides some special functions such as:
o Test – cash dispensing functionality can be tested by this utility;
o Update contents – updating currency contents after manual loading.
Accounting – provides details of the transactions performed by the machine:
o Contents – count of each type of currency note, value of notes;
o Teller summary – teller’s own summary;
o Summary for all tellers – no details, just a summary for each teller;
o Print out – a print out of the transactions can be taken;
o View log – detailed logs for transactions can be viewed, with various details such as teller ID, user ID, transaction ID, amount, details of the currency breakups, coins, rejected currency notes, uploaded notes, status of cash in the machine as currency and amount, and ‘testing done’ events.
Calendar – keeps track of the working day:
o Restart – restarting of the day if the day was ended mistakenly;
o Beginning of day – start of a financial day in accordance with other integrated banking solutions;
o End of day – the day can be ended accordingly.
Security:
o Keyboard access – left and right toggle for cash dispense;
o Open safe door – opening of the safe door with the four-eye feature, i.e. two keys held by two different persons;
o Lift control – lifts the cassette up and down for currency uploads;
o Change password – changing the user’s password.
Manager privileges: The head cashier or bank officer is a manager.
The manager can set various limitations on the tellers.
The manager can configure settings on the machine
itself.
The manager can perform user administration tasks.
There can be multiple tellers for a manager.
There can be multiple managers for a teller.
When performing the security assessment of a teller automation machine, the application, the network, the processes, the storage of sensitive data and the physical security must all be analysed.
An attacker can be any user who has the teller or the manager role.
Threat profile
An attacker escalates their privilege to gain access to other integrated banking applications.
An attacker steals sensitive data stored in the local machine.
An attacker modifies the daily transactions database.
An attacker bypasses authentication and gains unauthorised access to the cash dispenser.
An attacker forces more cash to be dispensed than is recorded in the approval.
An attacker withdraws cash on behalf of another cashier.
An attacker views transactions of other tellers.
Test plan
An attacker escalates their privilege to gain access to other integrated banking applications:
o Check if a user can escalate privileges using parameter manipulation.
o Check if a user can directly invoke other integrated applications without logging into the application.
An attacker steals sensitive data stored in the local machine:
o Check if local files or registry keys contain passwords.
o Check if passwords are contained in files which are weakly encrypted.
o Check if validations performed at the browser can be bypassed.
An attacker modifies the daily transactions database:
o Check if a user can connect directly to the database using an SQL client with default passwords.
o Check if a user can modify the database by manipulating SQL queries using SQL injection.
o Check if a user can gain privileged access to the database using parameter manipulation.
An attacker bypasses authentication and gains unauthorised access to the cash dispenser:
o Check if the password can be stolen by exploiting the refresh feature of the browser, even after the user has logged out.
o Check if a user can manipulate SQL queries and gain unauthorised access using SQL injection.
o Check if the plain text password is visible in the browser’s memory even after the user has logged out.
o Check if support files/executables can be run directly without logging in.
An attacker forces more cash to be dispensed than is recorded in the approval:
o Check if a user can withdraw extra cash using parameter manipulation.
o Check if a user can modify the cash limit using parameter manipulation.
An attacker withdraws cash on behalf of another cashier:
o Check if a user can impersonate another cashier by changing account-related parameters using parameter manipulation.
An attacker views transactions of other tellers:
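The dispense and view-log checks above (extra cash, modified limit, impersonation of another cashier, viewing other tellers’ transactions) all probe whether the server trusts client-supplied parameters. The following is an added illustration, not code from the handbook or from any teller automation product, of the server-side authorisation a tester expects to find: the teller identity is taken from the authenticated session, the amount must match the stored approval, the daily limit is read from server-side configuration, and log visibility is filtered by role. The `Approval`, `Session` and `DAILY_LIMITS` names and all sample values are constructed for the example.

```python
# Added example (not from the handbook): a server-side authorisation model for
# the teller automation machine's dispense and view-log operations, showing the
# controls the test plan above probes. All names, fields and sample data are
# constructed for illustration.
from dataclasses import dataclass


@dataclass
class Approval:
    approval_id: str
    teller_id: str
    amount: int          # approved amount in whole currency units
    used: bool = False   # each approval may be dispensed only once


@dataclass
class Session:
    user_id: str
    role: str            # "teller" or "manager", set at login, never from a request


# Server-side configuration: daily limits are set by the manager and are never
# read from the client request, so a tampered "limit" field has no effect.
DAILY_LIMITS = {"T01": 5000, "T02": 2000}


def authorize_dispense(session, request, approvals, ledger):
    """Return (ok, reason). `request` is the untrusted client payload; the
    teller identity comes from the authenticated session only."""
    teller = session.user_id                      # any teller_id in request is ignored
    approval = approvals.get(request.get("approval_id"))
    if approval is None or approval.used:
        return False, "no valid approval"
    if approval.teller_id != teller:              # blocks withdrawing on another cashier's behalf
        return False, "approval belongs to another teller"
    amount = request.get("amount")
    if not isinstance(amount, int) or amount != approval.amount:
        return False, "amount differs from approval"   # blocks dispensing extra cash
    spent = sum(e["amount"] for e in ledger if e["teller_id"] == teller)
    if spent + amount > DAILY_LIMITS.get(teller, 0):   # limit enforced server-side
        return False, "daily withdrawal limit exceeded"
    approval.used = True
    ledger.append({"teller_id": teller, "amount": amount, "approval_id": approval.approval_id})
    return True, "dispensed"


def visible_transactions(session, ledger):
    """Tellers see only their own ledger entries; managers see all of them."""
    if session.role == "manager":
        return list(ledger)
    return [e for e in ledger if e["teller_id"] == session.user_id]
```

A request carrying `teller_id`, `limit` or an inflated `amount` is rejected or ignored by this logic; if a test with such parameters succeeds against the real application, the corresponding test-plan item has found a defect.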