Security Experts:

Connect with us

Hi, what are you looking for?



Many ATMs Can be Hacked in Minutes: Report

Many automated teller machines (ATMs) lack adequate security mechanisms and can be compromised in minutes using various methods, according to a new report from vulnerability assessment firm Positive Technologies. 

Many automated teller machines (ATMs) lack adequate security mechanisms and can be compromised in minutes using various methods, according to a new report from vulnerability assessment firm Positive Technologies. 

Assaults on ATMs aren’t new and attack techniques are plenty. Positive Technologies’ security researchers decided to have a look into how machines from different vendors are secured against various attacks. They discovered that many of the security mechanisms in place are simply a nuisance in most cases. 

The researchers conducted their tests on 46 ATM machines from NCR, Diebold Nixdorf, and GRGBanking. The machines were running Windows XP, Windows 7, or Windows 10, and each had its own unique configuration.

Attack exposure varies according to factors such as the type of connection to the processing center, the installed software, and security features, the researchers say. They found that several vulnerabilities stemmed from issues such as insufficient network and peripheral security, improper configuration of systems or devices, and vulnerable or improper configuration of Application Control. 

Manby attacks on ATMs are in an effort to steal cash located inside the machine. Other incidents, however, aim at stealing the information stored on the banking cards users insert into the ATMs. 

According to the study, 85% of the ATMs that were analyzed are vulnerable to network-level attacks as means to fraudulently dispense the cash inside. With access to the network to which the machine is connected, an attacker would only need about 15 minutes to compromise the machine, the security researchers say. 

The report also shows that 27% of the tested ATMs were vulnerable to the spoofing of processing center, an attack scenario where the connection to the processing center is not properly secured, allowing the attacker to manipulate the transaction confirmation process.

Vulnerabilities in available network services, such as poor firewall protection, use of vulnerable or out-of-date software versions, and improper configuration of security tools, can be exploited to compromise 58% of the tested ATMs, the study discovered. 23% of the ATMs are vulnerable to attacks targeting network devices connected to them.

Cybercriminals looking to steal cash from ATMs also engage into so called Black Box attacks, where, having physical access to the machine, they connect to the cash dispenser using malware or special devices. 69% of the tested devices were found vulnerable, with an attacker able to steal cash within 10 minutes. 

Attackers may also attempt to run commands on the machine’s operating system, bypassing the usual restriction where the ATM users only interact with a single application, which runs in kiosk mode. 76% of the tested devices were found vulnerable. 

The security researchers also reveal that the tested ATMs contained various configuration errors, with the majority of them involving insufficient restriction of user account rights. 

The discovered issues include insufficient protection of communication with peripherals (96% of devices), use of outdated or vulnerable applications and OS versions (92%), vulnerabilities or improper configuration of Application Control (88%), insufficient local security policies (85%), unauthorized exit from kiosk mode (85%), and connection of arbitrary USB and PS2 devices (81%).

“Most tested ATMs ran special software to selectively disable key combinations. However, in 85 percent of cases, standard key combinations remained available, including Alt+F4 (close active window) and Win+Ctrl, Alt+Tab, and Alt+Shift+Tab (switch task). This technique allowed closing the window of the ATM kiosk application and disabling the applications responsible for blocking arbitrary keyboard input,” Positive Technologies says. 

92% of the tested ATMs were found to allow direct access to hard drive, thus allowing an attacker to gain control of the cash dispenser. 27% of the machines support boot from external disks, while 42% allow starting the OS in a special mode that can bypass security (such as kernel debug mode, Directory Service Restore Mode, and various safe modes). 

All of the tested ATMs were vulnerable to attacks aiming at stealing users’ credit card data, either through skimmers (physical shims) placed on card readers, to steal information directly from the cards, or by targeting the data transmission between ATM operating system and card reader (100% of tested ATMs), or between the ATM and processing center (58% of tested ATMs). 

“Logic attacks on ATMs are growing in popularity, with losses running in the millions of dollars. […] More often than not, security mechanisms are a mere nuisance for attackers: our testers found ways to bypass protection in almost every case. Since banks tend to use the same configuration on large numbers of ATMs, a successful attack on a single ATM can be easily replicated at greater scale,” Positive Technologies concludes. 

Related: Flaws in ATM Dispenser Controllers Allowed Hackers to Steal Cash

Related: Creating ATM Botnets Not Difficult, Researchers Say

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.