Best Practices: Security
Overview
As a Bitcoin ATM operator, you are (and will continue to be) a target of constant cyber attacks. This is the nature of the cryptocurrency business; attackers will always be searching for methods to gain access to your funds. The goal of this document is to help you understand your risks and learn how to reduce them.
Please don't ignore these recommendations; your business depends on it.
Evaluate your Vulnerabilities
Revisit these questions annually, and ensure that your organization discusses these topics as a team. Security is a team effort, and compliance is critical for survival.
Identify business risks
First, identify what could go wrong and the associated risks. Try to think of any additional potential “worst-case-scenarios” beyond the examples provided below:
All crypto assets disappear from your hot wallet or the exchange used by your ATM server.
All bitcoin addresses from your database become public on the internet, along with the names and identities of their owners.
Data about your customers from your leaked database is sold on the dark market, along with scans of their driving licenses. These identities are then used to obtain loans from banks, etc.
All private keys that customers accidentally scan at the ATM are leaked, and all paper wallets are emptied by an attacker.
All your machines stop working and refuse to communicate with your ATM server, preventing business operations.
Phone numbers and emails of your customers are leaked, and customers begin to receive scam instructions to send bitcoins elsewhere.
Your ATM is used to launder money, and as a result, your business is shut down via government action.
Prepare your organization for a hack attempt
Hire an IT professional to implement security policies - and enforce them!
If your company does not retain an IT professional, your business will eventually fail. You are in the “money” business, and security should be your primary concern.
Have your IT professional identify more attack vectors and surfaces.
Identify attack vectors and surfaces
How could an attacker view your data?
Anything created by man is imperfect. Software will always have unknown vulnerabilities, and CAS is no exception. Assume that (at some point) a vulnerability will be discovered - and act accordingly NOW to mitigate the loss and exposure. The most dangerous attackers will leave no trail behind.
Can the public access your CAS host? Firewall it!
Can the public access your CAS front page? Block it!
Who can access your MySQL? SSH? Restrict it to only known, trusted, essential users.
Do you have other programs running on the host (e.g. a web server)? Shut them down.
How could an attacker change the data?
If an attacker can access your data (as previously mentioned), then they can easily alter your data as well. Once valid credentials are stolen, it’s just a tiny jump to gain full access to the host. An attacker will then (typically) insert a backdoor and wait patiently. They won’t act immediately, as they’ll seek to gain access to more victims using the same exploit. Once an exploit is discovered, we quickly patch it - so the attackers will seek to steal as much as possible in a very short timeframe.
Do not operate anything except CAS on your server. Other programs may permit easy/known access to the core systems, and that could compromise CAS.
Back up your system frequently (daily + weekly + monthly),
back up your CAS frequently (daily + weekly + monthly),
store the backups offline (to protect against ransomware),
test the backups occasionally (to ensure their integrity), and
always make sure you can afford to lose the unprotected data.
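The backup routine described above, as an added example that is not General Bytes code: a POSIX shell script that archives a configuration directory (plus a database dump when mysqldump is available) into a dated tarball, writes a SHA-256 manifest beside it so an offline copy can be checked for corruption before anyone relies on it, and prunes old archives. It goes slightly beyond the text by showing how separate daily/weekly/monthly destinations give the three retention tiers. The paths and the database name "cas" are assumptions, and the mysqldump step is skipped when the binary is absent, so the script also runs offline.

```shell
#!/bin/sh
# Added example, not General Bytes code. Dated backup with integrity check.
# Assumptions: the source/destination paths and the MySQL database name "cas"
# are placeholders for the operator's real values.

# make_backup SRC_DIR DEST_DIR
# Archives SRC_DIR (plus a DB dump, when mysqldump is available) into
# DEST_DIR/cas-<UTC timestamp>.tar.gz, writes <archive>.sha256 beside it,
# and prints the archive path.
make_backup() {
    src="$1"; dest="$2"
    stamp=$(date -u +%Y%m%d-%H%M%S)
    archive="$dest/cas-$stamp.tar.gz"
    mkdir -p "$dest"
    staging=$(mktemp -d)
    # Stage a copy of the source tree so the DB dump can sit next to it.
    cp -R "$src/." "$staging/"
    # Dump the assumed "cas" database; drop the partial file if the dump fails.
    if command -v mysqldump >/dev/null 2>&1; then
        mysqldump --single-transaction cas > "$staging/cas-db.sql" 2>/dev/null \
            || rm -f "$staging/cas-db.sql"
    fi
    tar -czf "$archive" -C "$staging" .
    # Manifest uses a relative name, so it still verifies after being copied to offline media.
    ( cd "$dest" && sha256sum "cas-$stamp.tar.gz" > "cas-$stamp.tar.gz.sha256" )
    rm -rf "$staging"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE
# Returns 0 only if the checksum matches and the archive lists cleanly;
# run this on each copy before assuming it can be restored.
verify_backup() {
    dir=$(dirname "$1"); name=$(basename "$1")
    ( cd "$dir" && sha256sum -c "$name.sha256" ) >/dev/null 2>&1 || return 1
    tar -tzf "$1" >/dev/null 2>&1 || return 1
    return 0
}

# prune_backups DEST_DIR KEEP
# Keeps the newest KEEP archives (and their manifests) in DEST_DIR, removes the rest.
# Point separate daily/weekly/monthly jobs at separate DEST_DIRs to get the
# three retention tiers recommended above.
prune_backups() {
    dest="$1"; keep="$2"
    ls -1 "$dest"/cas-*.tar.gz 2>/dev/null | sort -r | awk -v k="$keep" 'NR > k' \
    | while read -r old; do
        rm -f "$old" "$old.sha256"
    done
}

# Example invocation (real paths supplied by the operator):
#   archive=$(make_backup /opt/batm/config /var/backups/cas/daily) \
#     && verify_backup "$archive" && prune_backups /var/backups/cas/daily 7
```

Run make_backup from cron, copy the archive and its .sha256 to media that is then disconnected, and run verify_backup on that copy occasionally; a backup that has never been verified is not a backup.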
How could an attacker connect his machine to your network?
An attacker could spoof a BATM serial number to pretend that his machine belongs to your CAS and trick an operator into permitting it access. Once the spoofed BATM has access, it could conduct unauthorized transactions and empty your accounts.
Don’t allow unauthorized BATMs to connect to your CAS.
Best practices
Secure your Network
VPN
Hackers can’t attack what they can’t access.
Don’t expose your CAS, your server, or your network to anyone you don’t completely trust.
Make the network private and inaccessible from the Internet by using a VPN.
Hide your terminals and CAS server behind a VPN.
Give VPN access only to your verified terminals. There are multiple ways to deploy VPNs.
Preferred: have physical routers in the machines to perform the VPN tunnelling.
CAS is also capable of establishing a VPN tunnel; however, a hardware solution is more secure.
Firewall
Use firewall rules to whitelist only specific IP addresses to be able to talk to your systems. The firewall hides your CAS (and other common access points) from view - making an attack a literal “shot in the dark”.
Don’t host your own mail server. Use icloud.com, gmail.com or outlook.com to host your email mailboxes. These companies have the resources to protect you from phishing and spam. Once somebody gets into your email, he can steal your identity and bypass your 2FA/MFA.
Passwords
Password attacks are the simplest vector to exploit. Off-the-shelf tools are readily available to attack password authentication automatically and quickly. Avoid using password authentication whenever possible; when you must use a password, use the most complex password possible, with 2FA/MFA.
Use SSH keys (instead of passwords) to access your servers. Disable SSH passwords entirely.
Never use the same password twice.
Change your passwords regularly (minimum: annually).
Use complex passwords.
Use an offline password manager to generate & secure your passwords.
Secure your Server
Have only one person accessing the server via SSH, and only from specific IPs.
Only create CAS Users for users that require access to the system.
Delete Users that are no longer part of your team.
Use the CAS built-in permission system to limit User permissions to only essential functions.
Set 2FA as required for all of the Users of your CAS Organization.
Give CAS administration rights only to one person.
Enforce strong passwords (see Passwords above).
Don’t let terminals connect to the server from outside the VPN network.
Don’t install software on your server other than that recommended by GENERAL BYTES.
Use a different server for each function. Don’t commingle applications on the same server.
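An added example (not General Bytes code) that turns three of the checks above into a script: “Can the public access your CAS host? Who can access your MySQL? SSH?” from the attack-surface section, “Use SSH keys, disable SSH passwords” from Passwords, and “only one person via SSH, only from specific IPs” from this section. audit_listeners reads ss output and flags any service not bound to loopback or the VPN address; audit_sshd_config reports sshd settings that still allow password logins, root logins, or logins by unnamed accounts. The VPN address 10.8.0.1, the CAS port 7777, the account name "casadmin", and both the ss output and the sshd_config samples are constructed assumptions.

```shell
#!/bin/sh
# Added example, not General Bytes code: two audit checks for a CAS host.
#   audit_listeners    - which services are reachable from outside the VPN
#   audit_sshd_config  - whether sshd still accepts passwords or unnamed users
# Assumptions: VPN address 10.8.0.1, CAS port 7777 and account "casadmin" are
# placeholders; the ss output and sshd_config samples below are constructed.

# Constructed sample of `ss -Hlntp` (State Recv-Q Send-Q Local Peer Process).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=812,fd=21))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
LISTEN 0 128 10.8.0.1:7777 0.0.0.0:* users:(("java",pid=1203,fd=88))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1450,fd=6))'

# audit_listeners VPN_ADDR   (ss lines on stdin)
# Prints EXPOSED for sockets bound to every interface and REVIEW for sockets
# bound to anything other than loopback or the VPN address.
audit_listeners() {
    awk -v vpn="$1" '
    {
        sock = $4; port = sock; sub(/.*:/, "", port)
        addr = substr(sock, 1, length(sock) - length(port) - 1)
        proc = ($6 ~ /^users:/) ? $6 : "?"
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print "EXPOSED port " port " bound to all interfaces: " proc
        else if (addr != "127.0.0.1" && addr != "[::1]" && addr != vpn)
            print "REVIEW port " port " bound to " addr ": " proc
    }'
}

# Constructed sshd_config samples: stock-like (weak) and hardened.
WEAK_SSHD='#PasswordAuthentication yes
PermitRootLogin prohibit-password
UsePAM yes'
HARDENED_SSHD='PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AllowUsers casadmin@10.8.0.*'

# sshd_setting FILE KEY -> effective global value of KEY. sshd uses the first
# occurrence of a directive; anything after a Match line is ignored here.
sshd_setting() {
    awk -v k="$2" '
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE -> prints one WEAK line per finding; exit 0 only if clean.
audit_sshd_config() {
    f="$1"; findings=0
    for rule in PasswordAuthentication=no PermitRootLogin=no KbdInteractiveAuthentication=no; do
        key=${rule%%=*}; want=${rule#*=}
        got=$(sshd_setting "$f" "$key")
        if [ "$got" != "$want" ]; then
            printf 'WEAK %s is "%s" (want %s)\n' "$key" "${got:-unset}" "$want"
            findings=$((findings + 1))
        fi
    done
    # AllowUsers with user@source patterns limits logins to named accounts from named networks.
    if [ -z "$(sshd_setting "$f" AllowUsers)" ]; then
        printf 'WEAK AllowUsers not set: any account with a key can log in from anywhere\n'
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Live use on the host (adjust the VPN address):
#   ss -Hlntp | audit_listeners 10.8.0.1
#   audit_sshd_config /etc/ssh/sshd_config
```

On the constructed sample the listener audit reports sshd on 0.0.0.0:22 and nginx on 0.0.0.0:80, while MySQL on loopback and CAS on the VPN address pass; the weak sshd_config yields four findings and the hardened one none. Restart sshd only after a second session has confirmed that the key login still works.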
Secure your Terminals
Store all physical keys from your machines in a secure place and track who accesses them (and when).
Set reasonable CAS cash limits on your ATMs. Prevent any ATM from performing over $1m USD per day (e.g. if somebody forgot to close the ATM vault door).
Have all your Terminals connect to your CAS server only via VPN.
Create restore-points on your Terminals so that if the Terminal somehow gets wiped - it will still recover to a secure software version with working VPN keys.
Operate BATMs in a safe place under CCTV supervision.
Unpair a Terminal from your server only when you are 100% certain that there is no attacker trying to impersonate the machine.
Use “Clear remembered HW configuration” only when you know you have actually changed the hardware configuration.
Mount the terminal to the floor.
Have a secret challenge password for communication with the location staff. This mitigates the attack where somebody calls you pretending to be an employee of a trusted location/host.
Secure your Users
Use TOTP as a 2FA tool (e.g. Google Authenticator or FreeOTP).
Update and use the latest browser version to avoid known browser vulnerabilities.
Enforce the password policies established above.
Example Google Policy. Notice that the policy prohibits using SMS or phone calls, which are vulnerable to SIM swap attacks.
Secure your Funds
Keep the majority of your coins in a Cold Wallet (e.g. a Trezor wallet that is not connected to the Internet, or an Exchange’s “vault” which requires special permissions & delays to access).
Set up limits on your Hot Wallet. Set withdrawal thresholds on the Hot Wallet.
If a request is sent to your wallet to transfer more than $2000 USD to a single address, something is wrong, and your Hot Wallet should shut down until the action is reviewed.
See, for example, BitGo’s Hot Wallet features.
Keep your Hot Wallet’s balance as low as possible and refill it from your Cold Wallet multiple times per day -or- have a second Warm Wallet for manual refills (by a known person from a dedicated IP address).
This is a task your ATM business should never automate (or make easy).
Keep only an amount in your Hot Wallet that you are comfortable losing.
Use the CAS Hot Wallet balance notifications to be notified when:
the balance is too high (when replenishment or SELL transactions may increase your coin balances).
the balance is too low (and you need to refill from a Cold Wallet).
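The withdrawal-threshold and balance-notification rules above, as an added example that is not General Bytes code: flag_withdrawals halts on any single request over the limit and, going one step beyond the text, also on a destination whose requests in the batch add up to more than the limit (a large transfer split into small pieces); hot_wallet_state reproduces the too-low / too-high balance notifications. The request format and all amounts are constructed; a real deployment would feed it from the wallet provider's API or a CAS transaction export.

```shell
#!/bin/sh
# Added example, not General Bytes code: hot-wallet policy checks run over a
# constructed batch of withdrawal requests, plus a balance-threshold check.
# The request format is hypothetical: "<utc-time> <destination-address> <usd-amount>".

SAMPLE_REQUESTS='2024-05-01T10:02:11Z bc1qexampleaaaa 450
2024-05-01T10:04:30Z bc1qexamplebbbb 2600
2024-05-01T10:05:02Z bc1qexampleaaaa 900
2024-05-01T10:05:40Z bc1qexampleaaaa 800
2024-05-01T10:06:15Z bc1qexamplecccc 120'

# flag_withdrawals LIMIT_USD   (requests on stdin)
# Prints one HALT line per destination that breaches the limit, either in a
# single request or cumulatively across the batch. Exit 1 if anything was flagged,
# which is the signal to stop the wallet until a person has reviewed it.
flag_withdrawals() {
    awk -v limit="$1" '
    $3 + 0 > limit {
        print "HALT single request of $" $3 " to " $2 " exceeds $" limit
        flagged[$2] = 1; n++
    }
    { total[$2] += $3 }
    END {
        for (a in total)
            if (total[a] > limit && !(a in flagged)) {
                print "HALT cumulative $" total[a] " to " a " exceeds $" limit
                n++
            }
        exit (n > 0)
    }'
}

# hot_wallet_state BALANCE_USD LOW_USD HIGH_USD -> prints refill | sweep | ok
# Mirrors the two CAS balance notifications: too low (refill from the Cold
# Wallet) and too high (move the excess back to cold storage). Whole dollars only.
hot_wallet_state() {
    if [ "$1" -lt "$2" ]; then echo refill
    elif [ "$1" -gt "$3" ]; then echo sweep
    else echo ok; fi
}

# Example: printf '%s\n' "$SAMPLE_REQUESTS" | flag_withdrawals 2000
#          hot_wallet_state 1500 2000 10000
```

With a $2000 limit the sample produces two HALT lines: the single $2600 request, and the three requests to the same address that total $2150. The refill branch of hot_wallet_state is where a person, not a script, should act, as the text says.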
Generate Exchange/Hot Wallet API keys for your production server only.
Don’t store them anywhere else.
Don’t even put them on a test server - otherwise they may be discovered by an attacker and used.
Delete or disable any Exchange/Hot Wallet API keys when they are no longer in use.
Whitelist only your CAS server IP in your Hot Wallet settings (where supported).
You don’t want anyone else to be sending commands to your Hot Wallet.
Verification
Hire an IT security professional to inspect/review your server once a year and every time you make a significant change to your architecture.
A free trial of Tenable Nessus Essentials can help you identify common vulnerabilities.
Ask GENERAL BYTES to review your security policies.
The cost of failure is much higher than the cost of an independent review.
Vigilance
Information is the key
Sign up for the generalbytes.com Telegram channel.
Review all emails from generalbytes.com to learn about the latest threats and security updates.
Updates
Always operate your server using the latest patch containing the latest security fixes.
Update your Ubuntu system frequently and routinely.
Automate security updates.
Update CAS frequently; check generalbytes.com/patch.
Update your browsers and any SSH clients with the utmost urgency.
All software is vulnerable to some type of attack; this is true of any type of software.
Deploy the latest software version to ensure that known vulnerabilities are addressed.
Pay invoices to GB and other service providers on time to prevent loss of access to technical support during critical business times.
Monitor
Monitor the network for suspicious activity. Regular monitoring can help identify potential security threats before they can be fully exploited. Do not take them lightly.
Transfer all server logs automatically to an external system and analyze them in an automated fashion. Having the logs on an external system prevents an attacker from deleting them to cover his tracks.
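One automated analysis of the kind described above, as an added example that is not General Bytes code: a script meant to run on the external log host over the forwarded auth.log, reporting the three things that should never appear for a CAS server with the settings recommended earlier (an accepted password login, a key login from an address outside the VPN whitelist, and password-guessing noise, counted per source). The log lines, hostnames, addresses, and the whitelist are constructed.

```shell
#!/bin/sh
# Added example, not General Bytes code: scan forwarded sshd log entries and
# report logins that the server's own policy says should never happen.
# Assumptions: the log lines, hostnames, IPs and whitelist are constructed.

SAMPLE_AUTH_LOG='May  1 10:02:11 cas sshd[1201]: Accepted publickey for casadmin from 10.8.0.5 port 51234 ssh2: ED25519 SHA256:constructedkey
May  1 10:03:40 cas sshd[1210]: Failed password for root from 203.0.113.9 port 40111 ssh2
May  1 10:03:42 cas sshd[1210]: Failed password for root from 203.0.113.9 port 40112 ssh2
May  1 10:07:01 cas sshd[1222]: Accepted publickey for casadmin from 198.51.100.20 port 50002 ssh2: ED25519 SHA256:constructedkey
May  1 10:09:15 cas sshd[1230]: Accepted password for deploy from 10.8.0.7 port 50100 ssh2'

# ssh_alerts "IP IP ..."   (auth.log lines on stdin)
# The whitelist is the set of VPN addresses the single SSH operator connects from.
# The source address is always the token after "from", whatever the line shape.
ssh_alerts() {
    awk -v wl=" $1 " '
    !/sshd\[/ { next }
    { ip = ""; for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1) }
    /Failed password/ { fails[ip]++; next }
    /Accepted password/ {
        print "ALERT password login accepted for " $9 " from " ip " (password auth should be disabled)"
        next
    }
    /Accepted publickey/ {
        if (index(wl, " " ip " ") == 0)
            print "ALERT key login for " $9 " from non-whitelisted " ip
        next
    }
    END { for (ip in fails) print "ALERT " fails[ip] " failed password attempts from " ip }'
}

# Example on the log host: ssh_alerts "10.8.0.5 10.8.0.7" < /var/log/remote/cas/auth.log
```

Getting the lines off the CAS host is standard rsyslog forwarding (a rule of the form `*.* @@loghost:514` in /etc/rsyslog.d/ sends everything over TCP); the point of running the check on the receiving side is that an attacker who gains the CAS host cannot edit what the check sees.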
Audit
Conduct regular security audits: they can help identify potential vulnerabilities in the ATM system and address them before they can be exploited.
Overall, it is important for BATM Operators to take a comprehensive approach to security, implementing multiple layers of protection to ensure the safety and security of their assets, their employees, and their customers' assets.
Copyright © 2020-2024 General Bytes USA LLC