Virtual Event Today: Cyber AI & Automation Summit - Register/Login Now
Connect with us

Hi, what are you looking for?



The Latest Threats to ATM Security

Attacks against automated teller machines (ATMs) are nothing new, for obvious reasons. They are a perfect target for both conventional thieves and hackers, standing at the intersection of physical theft and cyber crime. Particularly in the developing world, ATMs often lack basic cybersecurity precautions, with archaic operating systems and minimal authentication requirements within the machines.

Attacks against automated teller machines (ATMs) are nothing new, for obvious reasons. They are a perfect target for both conventional thieves and hackers, standing at the intersection of physical theft and cyber crime. Particularly in the developing world, ATMs often lack basic cybersecurity precautions, with archaic operating systems and minimal authentication requirements within the machines. The past few years have seen criminals applying their creativity to stealing money from ATMs, with considerable success. Methods of attack have included:

• Insert skimmers—physical devices placed in card slots to capture information from swiped cards.

• Remote cyber attacks—taking control of ATM servers to dispense cash, using malware like ATMitch.

• Direct malware attacks—using physical access to an ATM to deploy malware variants like Ploutus-D.

2018 saw at least two new major threats to ATM security: a “jackpotting” attack that presents a unique challenge because of its speed, efficacy, and comparative lack of resources required from attackers; and “shimming”, a simple way to steal data from chip-enabled cards. 


Thieves have come up with many different ways to trick ATMs into spitting out large amounts of cash, but this new variation was first found in Europe around 2016 and has been tied to approximately a dozen attacks in 2018. It involves cutting a small hole next to the PIN pad, inserting a cable to connect a laptop, and commanding the ATM to dispense its money. Researchers from Kaspersky were able to recreate the attack using just $15 worth of equipment, swapping out the laptop for a simple microcomputer. 

The attack works because the minimal encryption and authentication requirements in many ATMs mean that once certain ports are accessed, the attacker has total control. What makes this technique so potentially dangerous is that it can dispense cash in just a few seconds and empty an ATM within minutes. Jackpotting has always been difficult to pull off in the developed world, because of faster police response times, but the speed of this technique could make it extremely lucrative in any country. Fortunately, this type of attack does not affect consumers, but it could become a major problem for financial institutions.

Advertisement. Scroll to continue reading.


As previously mentioned, “skimming” is when thieves insert a device into an ATM’s card reader to steal data from swiped cards. “Shimming” is a new variation on this attack that can steal data from chip-enabled cards in ATMs or point-of-sale machines using a paper-thin insert in the card reader. 

This type of attack is more expensive to pull off than the jackpotting attack, because of the tech involved, but it’s especially dangerous because of how simple the attack is. All thieves need is a few seconds of access to the machine, and it can be quite hard to detect once deployed. The best way to spot the shimmer is by feeling for the tighter fit that the device creates when inserting a card.

Once a card has been compromised, the attackers can create a replica of the card for use in swipe machines. To my knowledge, they are currently unable to create a chip-enabled duplicate to be used for insert and tap payments. For this reason, chip cards are still a more secure option for consumers.

What Should Businesses Do to Protect ATMs?

The current state of ATM security is far from optimal, but the unique security challenges around ATMs make improvements difficult. That said, there are short- and long-term possibilities to make these types of attacks, and others, more difficult to pull off.

Better physical security will make the biggest difference, because even most malware attacks start with physical access to the ATM. However, this is easier said than done, especially in developing countries and rural areas. ATMs could conceivably be built to shut down completely when anyone tampers with the machine, but manufacturers are unlikely to do so because of how easy it would be to trigger a false positive and disable the machine.

For better digital security, ATM manufacturers should leverage more encryption within the software of the machines, require more authentication measures, disable unused ports, and create whitelists of allowed processes so that alerts are automatically generated by unauthorized processes—just to name a few ideas.

There are some promising developments in the industry that could lead to better ATM security in the long term. Many ATM companies are moving fully off of Windows XP—which has long been one of the biggest weaknesses in ATM cybersecurity—to Windows 7 or 10, with the deadline to upgrade coming in January 2019. Separately, a group of 125 ATM companies are looking at developing their own standard for ATM software, with the goal of moving away from Windows entirely. However, this will take some time, so upgrading operating systems is an important intermediary step.

There are some potential upgrades in security that would come at the cost of convenience, and therefore might not be implemented any time soon. For example, requiring two-factor authentication for withdrawals and transactions over a certain dollar amount would go a long way to reduce the value of skimmed cards, but would consumers tolerate the inconvenience?

What Should Consumers Do to Protect Themselves?

To avoid shimming, skimming, or other methods of payment card information theft, use tap payments and smartphone payments like Apple Pay when possible. They are safer due to being much harder for thieves to replicate. When using ATMs, look for machines inside banks, or in well-lit, busy areas that would not allow thieves any uninterrupted access. When using an ATM that you think may have been compromised, look for anything that seems out of place. Scratch marks on the surface of the machine or any disturbance around the keypad might suggest that the machine has been tampered with. To avoid shimmers, feel for unusual resistance when inserting your card. Finally, it is wise to check your transaction records regularly to look for any unauthorized payments.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...