Increasingly, enterprises are deploying Self-Service Terminals (SSTs) at various locations for use by consumers. The locations can include financial institutions, grocery stores, retail stores, government venues, entertainment venues, gaming venues, transportation venues, and the like.
The SSTs save the enterprises money by reducing onsite support staff and increasing the operational throughput by servicing consumers more efficiently.
However, the SSTs are electromechanical devices that include a variety of hardware and software modules, which do fail on occasion, requiring onsite service. Moreover, the SSTs can, from time to time, require new modules or updated modules, or require that some modules be removed from the SSTs. Thus, a support staff of engineers/technicians must be maintained by the enterprises.
As a result, the SSTs have security interfaces to prevent hackers or intruders from gaining unauthorized access to the SSTs. Perhaps the greatest risk of a security breach to the SSTs comes from disgruntled or former employees of the enterprise who are already equipped with the resources to gain access to the SSTs.
One type of SST where security is of utmost importance is an Automated Teller Machine (ATM). Moreover, ATMs are often placed in a variety of locations, some of which are entirely unrelated to a retail establishment to which the ATMs are in proximity, such as entertainment venues, parking lots of retail establishments, and the like. So, security becomes even more challenging because someone can appear to be properly servicing an ATM in a location where the location staff may not even question what is taking place.
In the ATM scenario, an ATM is often serviced by a service engineer inserting a secure Universal Serial Bus (USB) device having a secure key, which is used for authentication by the ATM security software to provide diagnostic access to the ATM.
Once authenticated, the engineer can access administrative features of the ATM, such as executing diagnostic routines, part/module validation, and authorization to dispense currency (where configured). Typically, the secure key on the USB device (often referred to as a key dongle) includes an expiration date, such that when that secure key expires the security software will prevent access to the administrative features of the ATM.
However, it is not uncommon for a service engineer to leave the employment of the enterprise associated with servicing the ATM before the key dongle (still in the possession of the departing employee) becomes unauthorized for use by that service engineer. This leaves a security hole where the ex-employee can gain access to the ATM.