ATM Security Assessments

ATMs have long been a physical target for criminals who take a "smash and grab" approach. However, with the growing sophistication of organized crime, self-service cash machines are increasingly becoming the targets of high-tech fraud. Malware—such as Trojan.Skimmer, which steals card and PIN data, and Ploutus, which can be used to trigger cash withdrawals via text messages—is becoming a significant threat to financial institutions.

To protect your ATM network from fraud, the banking security experts at Positive Technologies have developed a series of hands-on vulnerability assessments that look at the entire ATM environment. We can identify software, hardware, and communication protocol vulnerabilities that are exploited by the likes of Trojan.Skimmer and Ploutus attacks, so you can block unauthorized cash withdrawals and protect payment card data. In addition, we can develop custom tools to demonstrate the potential likelihood and impact on your business of attacks related to the vulnerabilities we find.

Our detailed security audits will identify the most critical vulnerabilities that need your immediate attention and make practical recommendations for changes at the organizational and systems level. In our experience, the most common vulnerabilities include:

• Weak user authentication and access control
• Vulnerabilities in network communications, for example, lack of encryption in communication between the ATM and the processing center that would allow attackers to create a fake processing center and use it to withdraw cash or intercept track-two data
• Vulnerabilities in software and ATM-specific network services, including flaws that allow hackers to exit kiosk mode and obtain unauthorized access to the operating system within the ATM
• Weaknesses in security software that might allow an attacker to bypass security controls
• BIOS security flaws
• Inadequate security within the ATM’s component devices (PIN pad, dispenser unit, card reader, etc.), including vulnerabilities in communications via XFS that might give an attacker unauthorized access to any of these devices
• Other security flaws leading to unauthorized cash withdrawal or payment card data leakage

Measuring Up to Industry Standards

Our security assessment methodologies take into account a wide range of internationally recognized information security standards and regulations, such as:

• Payment Card Industry Data Security Standard (PCI DSS) and PIN Transaction Standards (PCI PTS) ATM Security Guidelines
• Open Source Security Testing Methodology Manual (OSSTMM)
• Web Application Security Consortium (WASC) Threat Classification
• Open Web Application Security Project (OWASP) Testing Guide

Comprehensive ATM Security

Positive Technologies has been helping leading banks to secure their networks for over a decade. We know that performing an across-the-board assessment of ATM security requires more than a simple checklist. That’s why our researchers take an in-depth approach by analyzing:

• General system information
• Main system components
• Hardware and software versions
• Network communications
• Data transfer protocols

After collecting this configuration information, our expert team performs detailed research on ATM security levels, including:

• Identifying vulnerabilities in communications between the ATM and processing center
• Finding ATM vulnerabilities, including zero-day vulnerabilities in both software and hardware
• Developing custom exploitation tools that will verify these vulnerabilities and demonstrate the potential impact on your business operations, customer accounts, and customer data

Testing Prerequisites

In order to carry out analysis, we require access to:

• An ATM cabinet in your test environment that is connected to your processing center
• The ATM’s system unit and sample credentials for all ATM user roles
• Access to virtual machines, ISO images of the OS, and/or copies of the software installed on all ATMs

Although some assessments may be conducted remotely via VPN, we may need to return to your test environment to verify and demonstrate the vulnerabilities we find.