Terminal Security
Terminal data security is a critical aspect of your fleet management. Without it, a malicious actor could steal or impersonate your Terminal and clean out your funds.
General Bytes views security as our most important function, and we’ve implemented many different tools to effect that end:
IP Whitelisting
When a Terminal connects to CAS, you may save the IP and restrict that BATM to connect only via that IP. An attacker typically won’t be able to forge the IP that a Terminal connects from. In instances where a BATM will be consistently connected from a known IP, this is also a valuable tool to prevent a stolen BATM from operating.
Client Certificates
Client Certificates ensure that an encrypted channel between your Terminal and CAS is intact. The certificate cannot be forged, and encrypted traffic between your Terminal and CAS cannot be established without that certificate. The certificate absolutely identifies the Terminal.
A Terminal offering an improper certificate won’t be permitted to connect to CAS.
Hardware Pinning
Hardware pinning checks the serial numbers of various components within your BATM. It saves this data and checks it during every boot. It sends it to CAS to verify that nothing has changed. If something has changed, that Terminal won’t be permitted to conduct transactions until either the original components have been reinstalled -or- the list has been updated (by you).
Terminal >> Actions:
Also available via the batm-manage command: batm-manage: the CAS CLI Toolkit - General Bytes Knowledge Base - Confluence
See:
terminal-hwconf-clear
Terminal VPN
Terminal VPNs are supported on firmwares 20221118
and newer.
A VPN is another specific hurdle for hackers. When enabled, the VPN establishes a secure tunnel between the BATM and CAS that cannot be intercepted or manipulated. A VPN ensures that all data traffic is encrypted end-to-end and builds out a bit further than a mere TLS connection.
Instructions: Confluence
Copyright © 2020-2024 General Bytes USA LLC