ATM Penetration Testing – Advanced Testing Methods to Find The Vulnerabilities

An ATM is a machine that enables customers to carry out banking transactions without going to the bank.

Hackers have found various techniques to break into automated teller machines. They are not restricting themselves to physical attacks such as cash/card trapping, skimming and so on; they are also exploring better ways to attack ATM software.

In this article, we will see how an ATM works, the security solutions used to protect ATMs, the different types of penetration testing used to analyze ATM security, and some of the security best practices that can be used to prevent ATM attacks.

Using an ATM, a customer can withdraw or deposit cash, access a bank deposit or credit account, pay bills, change the PIN, update personal information, and so on. Since the ATM handles cash, it has become a high-priority target for attackers and intruders.


How an ATM works:

There are broadly two types of ATMs, which differ in the way they connect to the host processor. They are:

1. Leased line ATMs
2. Dial-up ATMs

Any ATM requires a data terminal with two input and four output devices. Most ATMs have two inputs and four outputs: the card reader and keypad are the inputs, whereas the screen, receipt printer, cash dispenser, and speaker are the outputs. The host processor is essential so that the ATM can interface and communicate with the person requesting the cash.

Image Credit: HowstuffWorks

A leased line ATM has a four-wire, point-to-point dedicated telephone line which connects it to the host processor. These machines are preferred in locations where the customer volume is high. They are considered top of the line, and the operating and line costs of this type of machine are high.

A dial-up ATM has only a normal telephone line with a toll-free number and a modem. As these are ordinary connections, their initial setup cost is lower and their operating cost is only a fraction of that of a leased line ATM.

The host is mostly owned by the bank. It can also be owned by an ISP. If the host is owned by the bank, only machines that work for that particular bank will be supported.


What happens when a customer inserts his card to withdraw cash?

1. The customer's account data is stored on the magnetic stripe of the card, which is located on the back of the card. The customer inserts the card into the card reader.

The card reader reads the data from the magnetic stripe. The data from the card is sent to the host processor, which forwards it to the customer's bank.

2. After the card is recognized, the customer is asked to provide the PIN. The customer enters the PIN using the keypad. The PIN is encrypted and sent to the host server. The account and PIN are verified by the customer's bank. Once approved by the bank, the host server sends the response code to the ATM.

3. The customer enters the amount to withdraw. The request goes to the host processor. The host server sends the transaction request to the customer's bank, which verifies the amount, withdrawal limit, etc. Then the funds transfer takes place between the customer's bank and the host processor's account. Once the transfer is done, the host processor sends the approval code to the ATM, which allows the ATM to dispense the cash.

4. The application running on the ATM instructs the cash dispenser to dispense the cash. The details of the transaction, such as account number, transaction ID, time, amount, denomination, etc., are logged to the log file.

5. During the dispensing process, a sensor scans each bill for its thickness. This is to check whether two bills are stuck together or any bill is torn or folded. If two bills are stuck together, they are diverted to the reject bin.
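To make steps 2 and 4 concrete, here is an added example (not code from the original article) that builds the clear ISO 9564-1 format 0 PIN block the keypad would encrypt before sending it to the host, and writes a transaction log record that carries a masked PAN and never the PIN. The PIN-key encryption step (TDES or AES under the terminal PIN key) is left out, and the PAN, PIN, amounts and transaction ID are constructed sample values.

```python
"""Added example: ISO 9564-1 format 0 PIN block construction and a PIN-free,
PAN-masked transaction log record. Not code from the original article; the
PIN-key encryption step (TDES/AES under the terminal PIN key) is omitted."""
import json
from datetime import datetime, timezone
from typing import Optional


def iso9564_format0_pin_block(pin: str, pan: str) -> str:
    """Return the clear ISO 9564-1 format 0 PIN block as 16 hex digits.

    PIN field: '0', the PIN length as one hex digit, the PIN, right-padded
    with 'F' to 16 digits. PAN field: '0000' followed by the rightmost 12 PAN
    digits excluding the check digit. The block is the XOR of the two fields;
    the keypad then encrypts it under the PIN key before it leaves the ATM
    (not shown here).
    """
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    if not (len(pan) >= 13 and pan.isdigit()):
        raise ValueError("PAN must be at least 13 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    pan_field = "0000" + pan[:-1][-12:]
    return f"{int(pin_field, 16) ^ int(pan_field, 16):016X}"


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual PCI DSS display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def transaction_log_record(txn_id: str, pan: str, amount: int,
                           denominations: dict, approval_code: str,
                           when: Optional[datetime] = None) -> str:
    """One JSON log line for step 4. The PIN is never passed in, so it cannot
    be logged, and the PAN is masked before it reaches the log file."""
    when = when or datetime.now(timezone.utc)
    record = {
        "ts": when.isoformat(timespec="seconds"),
        "txn_id": txn_id,
        "pan": mask_pan(pan),
        "amount": amount,
        "denominations": denominations,   # e.g. {"100": 2, "50": 1}
        "approval_code": approval_code,
    }
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample values, not real card data.
    PAN, PIN = "4111111111111111", "1234"
    print("clear PIN block:", iso9564_format0_pin_block(PIN, PAN))   # 041225EEEEEEEEEE
    print(transaction_log_record("T0001", PAN, 250, {"100": 2, "50": 1}, "00"))
```

The XOR with the PAN field is what ties the PIN block to the card, so the same PIN on two different cards produces two different blocks; a design review should confirm that only the encrypted block, never the clear PIN or the clear block, is written to any log or debug output.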


ATM BPT-Style Penetration Testing

ATM security is a business area that typically lacks holistic security assessments. Our ATM tests are based on this belief and seek to paint a holistic picture of your ATM environment.

ATM security is often considered a complex area by IT security managers, who tend to focus more on the physical threats and less on the logical weaknesses in the operating system and application layer.

Security specialists carry out advanced penetration tests on automated teller machine (ATM) services in the financial sector. Major security flaws are identified in the ATM setups and associated processes.

ATMs are tested with our Business Penetration Test (BPT) method, which simulates real attacks on ATM services. This consists of carefully designed targeted attacks that combine physical, logical and optionally social engineering attack vectors.

Physical controls

Many banks rely heavily on the assumption that physical access to their ATM services is effectively restricted. Experience, repeated many times, shows how little effort is often required to gain unauthorized access to the ATM CPU, which controls the user interface and the transaction devices.

Logical controls

With this access, an attacker may be able to steal credit card information that is stored in file systems or memory without ever alerting the bank. Experts have been able to demonstrate that this unauthorized access can be extended from the ATM to the bank's network and back-end servers by using the compromised ATM as an attack platform.

ATM service management processes involving third-party service providers and application development vendors are often the golden key for an attacker, and can be included in the scope of our test to identify logical weaknesses in trust relationships that an attacker can exploit to compromise an ATM.

With physical access to the ATM CPU, authentication mechanisms can be bypassed to gain unauthorized access to the ATM platform.

ATM environment

These attacks are not always sophisticated and are often not included in standard penetration tests.

An ATM service and its network form a complex ecosystem that involves various vendors and responsible parties, both internal and external to the banking organization.

Due to the complexity of this environment, with its distributed roles and responsibilities that cross organizational boundaries, the areas associated with security risk are often overlooked. The ATM application itself, with its software updates, operating system patches, platform hardening, and networks, is often vulnerable to attack.

The ATM environment is also part of the PCI DSS scope. Only a part of real-world hacking attacks is fully covered by PCI DSS and PA-DSS. The PCI SSC released the “ATM Security Guidelines” information supplement document in January 2013.

ATM Penetration testing

Electronic funds transfer has three components: the communication link, the computer, and the terminal (ATM). All three components must be protected to prevent attacks. We will look at the types of assessment we can carry out to examine the overall security of an ATM.

As the number of ATM units increases, the machines become targets for hacking attacks, burglaries, fraud, etc. Many ATMs are still running Windows XP, which makes them an easy target for attackers.

1. Vulnerability Assessment and Network Penetration Testing

Vulnerability assessment and penetration testing (VAPT) are two types of vulnerability testing. The tests have different strengths and are often combined to achieve a complete vulnerability analysis. In short, penetration testing and vulnerability assessment perform two different tasks, usually with different results, within the same area of focus.

We can run a full-port Nmap scan to identify the TCP and UDP ports and services running on the ATM. Furthermore, a Nessus authenticated scan can be used to identify vulnerabilities in the components installed in the ATM OS, such as Adobe products, Internet Explorer, and so on.

These two activities are very common when dealing with ATM security. In network penetration testing we look for network-level vulnerabilities in an ATM. Since the ATM communicates with the back-end server, it has to be part of some network. By obtaining the IP address of the ATM, we can perform a network-level penetration test.

As a security best practice, the ATM network is segregated from the other networks of the bank. The tester has to be part of the ATM network to reach the ATM IP and carry out testing. Once in the ATM network, we can perform a Nessus scan to determine the open ports, the services running on them and the vulnerabilities related to those services.

Vulnerability assessment tools find which vulnerabilities exist, but they do not distinguish between flaws that can be exploited to cause damage and those that cannot. Vulnerability scanners alert organizations to the pre-existing flaws in their code and where they are located.
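As an added example (not from the article), the following script turns the Nmap full-port scan described above into a hardening check: it reads the open ports from an Nmap greppable (`-oG`) result and reports every service that is not on the allowlist a fixed-function ATM is expected to expose. The scan text, the host address 10.10.5.21 and the single allowed port 8443/tcp are constructed for illustration.

```python
"""Added example: compare the open ports from an Nmap greppable (-oG) scan of
an ATM against an allowlist of expected services. Not from the original article."""

# Constructed sample of Nmap -oG output for a hypothetical ATM host; not a real scan.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated as: nmap -sS -p- -oG atm.gnmap 10.10.5.21
Host: 10.10.5.21 ()\tStatus: Up
Host: 10.10.5.21 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 8443/open/tcp//https-alt///\tIgnored State: closed (65531)
# Nmap done (constructed sample)
"""

# Assumed allowlist: a fixed-function ATM is expected to expose only the port
# its application uses towards the host processor (illustrative value).
EXPECTED_OPEN = {("tcp", 8443)}


def parse_gnmap(text: str) -> dict:
    """Map each host to its open (proto, port, service) tuples.

    Each -oG port entry has the form port/state/proto/owner/service/rpc/version/.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            if state == "open":
                results.setdefault(host, []).append((proto, port, service))
    return results


def unexpected_services(scan: dict, allowlist: set) -> dict:
    """Open services per host that are not in the allowlist: each one is a
    finding to close, firewall off, or justify in the hardening baseline."""
    findings = {}
    for host, services in scan.items():
        extra = [s for s in services if (s[0], s[1]) not in allowlist]
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    report = unexpected_services(parse_gnmap(SAMPLE_GNMAP), EXPECTED_OPEN)
    for host, extra in report.items():
        for proto, port, service in extra:
            print(f"{host}: unexpected {port}/{proto} ({service})")
```

Run the same comparison after each hardening change; a clean result means the only listening service is the one the allowlist documents, which is the state a segregated ATM network should be able to assume.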

The configuration audit deals with the hardening of the operating system. Most ATMs run the Windows OS. This OS must be hardened according to security best practices to minimize the attack surface for the attacker. Some of the areas we can check while doing a configuration audit are:

  • System access and authentication: Checks related to the password and account lockout policy, user rights policy, etc.
  • Auditing and logging: Checks related to the security, application and system event logs, the audit policy, and permissions on the event logs.
  • Account configuration: Checks related to the users in the Administrators group, the existence of default users, the guest account, password requirements, and expiration.
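An added example (not from the article) of how the password, lockout, account and audit checks above can be scripted against a local policy dump produced with `secedit /export /cfg`: a constructed weak export is evaluated next to a constructed hardened one, against an assumed baseline. The thresholds are illustrative, not a vendor or PCI figure, and the exports are samples, not output from any real ATM.

```python
"""Added example: audit a `secedit /export /cfg` policy dump against an assumed
hardening baseline. Not from the original article; thresholds are illustrative.
A real export is UTF-16 with a BOM: open it with encoding="utf-16" first."""
import configparser

# Constructed sample of a weakly configured machine (not a real export).
WEAK_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
EnableAdminAccount = 1
EnableGuestAccount = 1
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 0
AuditAccountManage = 0
AuditPolicyChange = 0
AuditSystemEvents = 0
"""

# The same keys after hardening (constructed).
HARDENED_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 3
NewAdministratorName = "atm-local-admin"
NewGuestName = "Guest"
EnableAdminAccount = 0
EnableGuestAccount = 0
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditSystemEvents = 3
"""


def _in_range(lo, hi):
    return lambda v: lo <= int(v) <= hi


# Assumed baseline: (section, key, predicate on the raw value, expectation text).
# Audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
CHECKS = [
    ("System Access", "MinimumPasswordLength", lambda v: int(v) >= 12, ">= 12"),
    ("System Access", "PasswordComplexity", lambda v: v == "1", "1 (enabled)"),
    ("System Access", "MaximumPasswordAge", _in_range(1, 90), "1..90 days (-1 = never expires)"),
    ("System Access", "LockoutBadCount", _in_range(1, 5), "1..5 attempts (0 = no lockout)"),
    ("System Access", "EnableGuestAccount", lambda v: v == "0", "0 (disabled)"),
    ("System Access", "NewAdministratorName", lambda v: v != "Administrator", "renamed from default"),
    ("Event Audit", "AuditLogonEvents", lambda v: v == "3", "3 (success and failure)"),
    ("Event Audit", "AuditAccountLogon", lambda v: v == "3", "3 (success and failure)"),
    ("Event Audit", "AuditAccountManage", lambda v: v == "3", "3 (success and failure)"),
    ("Event Audit", "AuditPolicyChange", lambda v: v == "3", "3 (success and failure)"),
]


def parse_secedit(text: str) -> dict:
    """Parse the INI-style export, keeping key case and stripping quotes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: {k: v.strip().strip('"') for k, v in cp[s].items()} for s in cp.sections()}


def audit(text: str) -> list:
    """Return (key, actual, expected) for every baseline check that fails."""
    policy = parse_secedit(text)
    findings = []
    for section, key, ok, expected in CHECKS:
        actual = policy.get(section, {}).get(key)
        if actual is None or not ok(actual):
            findings.append((key, actual, expected))
    return findings


if __name__ == "__main__":
    for key, actual, expected in audit(WEAK_EXPORT):
        print(f"FAIL {key}: is {actual!r}, expected {expected}")
    print("hardened export findings:", audit(HARDENED_EXPORT))
```

Event log permissions and the contents of the Administrators group are not in the `secedit` export and need a separate query (for example of the registry or local groups); this script covers only the policy values the export carries.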

2. Application Security Audit:

An application security audit is an extensive, technical, privileged and unprivileged security test of an application and its associated components with a high proportion of manual testing and verification. Because both unprivileged and privileged tests are performed, the perspectives of an outsider (e.g. a hacker) and an insider are both covered.

We can divide this activity into two categories:

a. Thick client application penetration testing: The majority of ATM applications are thick clients. We can carry out an application penetration test of this thick client application. Some of the test cases we can perform are:

  • Sensitive information in application configuration files, credentials in the registry, sensitive information hardcoded in code.
  • Intercept the traffic going to the server and attempt to manipulate/tamper with the parameters, or look for any sensitive information passing between the application and the server.
  • Check whether the application and database communicate over a cleartext protocol.
  • Protection from reverse engineering.

b. Application design review: In this activity, we look at the security practices followed in the application. Some of the test cases can be:

  • Types of events logged to the log file.
  • The privilege with which the ATM application is running.
  • Does the software have provision to restrict different menu options to different user IDs based on user level?
  • Access to the application-related folders.
  • Does the application allow a transaction without a PIN or with an old PIN?
  • Does the application allow access to the OS while running?
  • Interaction with back-end components.
  • Check for effective network isolation.
  • Is the customer logged out in case of even a single invalid PIN?
  • Is PIN entry mandatory for each and every transaction?
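To show what the last two design-review questions expect of the application, here is an added example (not the ATM application's or any vendor's code) of a customer session that requires a fresh, host-verified PIN for every transaction and ends the session on a single invalid PIN. `verify_pin` is a stand-in for the host round trip, and the PAN and PIN values are constructed.

```python
"""Added example: a customer session state machine enforcing per-transaction
PIN verification and session termination on an invalid PIN. Not code from the
original article; verify_pin stands in for the host verification."""
from enum import Enum, auto


class State(Enum):
    IDLE = auto()          # no card present
    CARD_PRESENT = auto()  # card read, PIN not (or no longer) verified
    PIN_VERIFIED = auto()  # exactly one transaction may proceed
    ENDED = auto()         # card returned, nothing further accepted


class SessionError(Exception):
    pass


class AtmSession:
    def __init__(self, verify_pin):
        self._verify = verify_pin   # callable(pan, pin) -> bool, host-side check
        self.state = State.IDLE
        self.pan = None
        self.events = []

    def insert_card(self, pan: str) -> None:
        if self.state is not State.IDLE:
            raise SessionError("session already active")
        self.pan = pan
        self.state = State.CARD_PRESENT

    def enter_pin(self, pin: str) -> bool:
        if self.state is not State.CARD_PRESENT:
            raise SessionError(f"PIN not expected in state {self.state.name}")
        if self._verify(self.pan, pin):
            self.state = State.PIN_VERIFIED
            return True
        # One invalid PIN ends the session: card returned, no retry on this session.
        self.events.append("invalid PIN: card returned, session ended")
        self.state = State.ENDED
        return False

    def withdraw(self, amount: int) -> int:
        if self.state is not State.PIN_VERIFIED:
            raise SessionError("PIN verification required before each transaction")
        self.events.append(f"withdraw {amount}")
        # Consume the verification: the next transaction needs a new PIN entry.
        self.state = State.CARD_PRESENT
        return amount

    def eject_card(self) -> None:
        self.state = State.ENDED


def run_scenarios() -> dict:
    """Exercise the two review questions and return what a tester would record."""
    verify = lambda pan, pin: pin == "1234"   # constructed stand-in for the host
    results = {}

    s = AtmSession(verify)
    s.insert_card("4111111111111111")
    s.enter_pin("1234")
    s.withdraw(100)
    try:
        s.withdraw(50)                         # second transaction, no new PIN
        results["second_txn_without_pin"] = "allowed"
    except SessionError:
        results["second_txn_without_pin"] = "blocked"

    s2 = AtmSession(verify)
    s2.insert_card("4111111111111111")
    rejected = s2.enter_pin("0000") is False
    results["invalid_pin_ends_session"] = rejected and s2.state is State.ENDED
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

An application that keeps `PIN_VERIFIED` set across transactions, or that drops back to `CARD_PRESENT` after a wrong PIN instead of `ENDED`, would answer both review questions in the negative; the tester's evidence is the same two scenarios run against the real application.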

Assessment of the ATM Security Solution Installed in the ATM:

What is an ATM security solution?

Most ATMs run on Windows XP or 7. Since Windows XP is no longer supported by Microsoft, many ATM vendors use a security solution to mitigate the threats related to ATM attacks, such as malware-based attacks and OS-level vulnerabilities.

McAfee Solidcore:

  • Complete protection from unwanted applications, covering executable files, libraries, drivers, Java apps, ActiveX controls, scripts, and specialized code.
  • Flexibility for desktop users and server admins with self-approval and auto-approval based on application reputation.
  • Viable security for fixed-function, legacy, and modern systems.
  • Patch cycle reduction and advanced memory protection.
  • Centralized, integrated management via McAfee ePolicy Orchestrator.

McAfee Application Control blocks unauthorized executables on servers, corporate desktops, and fixed-function devices. Using a dynamic trust model and innovative security features such as local and global reputation intelligence, real-time behavioral analytics, and auto-immunization of endpoints, it immediately prevents advanced persistent threats without requiring labor-intensive list management or signature updates.

Phoenix Vista ATM:

XFS (eXtensions for Financial Services) provides a client-server architecture for financial applications on the Microsoft Windows platform, especially for peripheral devices such as ATMs which are unique to the financial industry. It is an international standard promoted by the European Committee for Standardization (known by the acronym CEN, hence CEN/XFS). XFS provides a common API for accessing and manipulating various financial services devices regardless of the manufacturer.

The approach for testing the security solution in an ATM remains the same. The end goal is to gain access to the OS or to tamper with the application-related files to see how the application behaves. An attacker with access to the OS can create malware which issues commands to the system hardware using XFS components.

Phoenix Vista ATM is a product of Phoenix Interactive Design Inc. This solution integrates with the ATM application itself. The application performs a file integrity check: any modification of or tampering with the application's critical files results in a system shutdown. This prevents any unauthorized program from modifying the application-specific files.

Vista ATM communicates with the XFS layer, which issues commands to the hardware, such as the ATM's cash dispenser, to dispense the cash. Any unauthorized modification of the XFS files will cause the Vista ATM application to restart the machine forcibly. The machine reboots 4-5 times, after which it enters maintenance mode, which does not allow the user to carry out any transaction.

Some of the test cases that can be considered are:

Test cases related to accessing the OS and related files:

Checks related to process modification: Rename an unauthorized file to the name of a legitimate security solution process. When the application starts, this results in the execution of the unauthorized file.

Test related to code protection: Check whether application-related files can be moved to another location, modified or deleted.

Another method is to make a USB drive bootable. Booting from USB gives access to the file system directly, with no Windows login.

Check whether USB is enabled, then make the USB drive bootable.

Plug in the USB drive and boot the system from it.

Since most security solutions take control of the OS as soon as it boots, keep pressing the “Shift” key at boot time. This interrupts any sequence configured to run at OS boot and leads to the Windows login screen.
If you are aware of a valid username, enter it and press “Enter”. This leads to direct access to the OS without a password.
If you are not aware of a valid username, try logging in as “Administrator”, as many ATMs do not disable the default administrator account.

Test related to runtime code permission: Check whether USB is allowed, and try to run unauthorized code (an exe or batch file) directly from the USB drive or using the USB autorun feature.

Threats related to unauthorized execution through the Windows registry: Check whether any critical registry key can be modified or whether unauthorized software can be executed by placing it in the Windows startup folder. Executables under the Windows startup folder run first when the system reboots.
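The file-related test cases above (renaming, moving, modifying or deleting application files, or dropping an executable into the application folder) are exactly what a file integrity check of the kind described for Vista ATM is meant to catch. As an added example (not Vista ATM's or any vendor's code), the following builds a SHA-256 manifest of a constructed application folder, applies the three tampering cases, and reports what changed. File names and contents are hypothetical.

```python
"""Added example: SHA-256 manifest-based file integrity check for an ATM
application folder. Not code from the original article or from any vendor."""
import hashlib
import tempfile
from pathlib import Path

# Constructed, hypothetical layout of an ATM application folder.
BASELINE_FILES = {
    "bin/atmapp.exe": b"MZ...application stub...",
    "bin/xfs_cdm.dll": b"MZ...dispenser driver stub...",
    "config/app.xml": b"<app host='10.10.5.1' port='8443'/>",
}
WATCHED_SUFFIXES = {".exe", ".dll", ".xml", ".ini", ".bat", ".cmd"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Golden hashes of every watched file under root. In production the
    manifest is generated from a clean build and kept signed or read-only,
    otherwise an attacker who can alter files can alter the manifest too."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the folder against the manifest: changed, deleted and new files."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Baseline a constructed folder, then apply the three tampering cases from
    the test list: modify a file, delete a file, add an unauthorized executable."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in BASELINE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest = build_manifest(root)

        (root / "bin/xfs_cdm.dll").write_bytes(b"MZ...patched...")     # modified
        (root / "config/app.xml").unlink()                              # deleted
        (root / "bin/updater.exe").write_bytes(b"MZ...unknown...")      # new file with a plausible name
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Any non-empty result is the trigger for the solution's response (shutdown, reboot or maintenance mode in the Vista ATM description); the check is only as good as the protection of the manifest itself and of the process that runs it, which is why the application-whitelisting and least-privilege items in the best-practice list below matter alongside it.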

Security Best Practices to be Followed for ATMs

Banks can implement security best practices to reduce the attack surface for the attacker. This section can be divided into three categories:

Protection against physical attacks:

  • Detection of and protection against card skimming.
  • Detection of and protection against card/cash trapping.
  • Detection of keypad tampering.
  • Mirror and PIN guard to prevent and detect shoulder surfing attacks.
  • Installing a DVSS camera built into the ATM to capture the facial features of the user along with the transaction details and timestamp.
  • Vault protection against fire, explosion, etc.
  • Lock protection against unauthorized access to bills or banknotes.
  • Electric power point and network point protection.
  • Disabling unused network and electric ports.
  • The ATM should be grouted to the floor to protect against threats related to burglary. The ATM can be fitted with a shock sensor to detect impact and movement of the ATM machine.
  • Installation of CCTV cameras. The presence of security personnel.

Protection against logical attacks:

  • Protection against unauthorized booting by setting non-guessable boot and BIOS passwords. The majority of ATMs have the default boot password configured.
  • Protection against unauthorized USB and hard drive access.
  • OS hardening and latest patches.
  • Whitelisting the applications, services, and processes on the ATM.
  • Running the ATM with a least-privilege user. Need-to-know and need-to-have approach.
  • File integrity checks.
  • Protecting the transaction logs.
  • Use of a secure channel for communication and transactions.
  • Implementing security best practices in the ATM application.
  • Antivirus protection.
  • ATM network segregation from other networks.
  • Protection against malware like Tyupkin, Ploutus, etc.

Protection against fraud attacks:


Implementation of geo-blocking. With this, the card can only be used in the originating country or region. The user needs to obtain permission to use the card outside the originating country.

Use of chip-and-PIN based cards to mitigate cloned and skimmed card based attacks.

Implementing behavior monitoring which detects unusual transactions in terms of amount, location, frequency, etc.
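An added example (not from the article) of the geo-blocking and behavior-monitoring controls just described, in the form a host-side authorization check might take: each withdrawal is evaluated against the card's home country, the countries the customer has pre-authorised for travel, a daily limit, the customer's typical withdrawal amount, and recent history for velocity and impossible travel. The profile values, countries and transactions are constructed, and the thresholds (three times the typical amount, three withdrawals per hour) are assumptions.

```python
"""Added example: geo-blocking and behavior-monitoring rules for ATM withdrawals.
Not code from the original article; thresholds and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    card: str
    ts: datetime
    amount: float
    country: str
    atm_id: str


@dataclass
class CardProfile:
    home_country: str
    travel_consent: set      # countries the customer pre-authorised
    daily_limit: float
    typical_amount: float


HARD_RULES = {"geo-block", "daily-limit"}   # decline outright; everything else -> review


def evaluate(txn: Txn, profile: CardProfile, history: list,
             max_per_window: int = 3, window: timedelta = timedelta(hours=1)):
    """Return (decision, reasons) for one withdrawal request."""
    reasons = []
    # Geo-blocking: only the home country or explicitly consented countries.
    if txn.country != profile.home_country and txn.country not in profile.travel_consent:
        reasons.append("geo-block")
    same_card = [h for h in history if h.card == txn.card]
    spent_today = sum(h.amount for h in same_card if h.ts.date() == txn.ts.date())
    if spent_today + txn.amount > profile.daily_limit:
        reasons.append("daily-limit")
    # Behavior monitoring: amount, frequency and location relative to recent history.
    if txn.amount > 3 * profile.typical_amount:
        reasons.append("unusual-amount")
    recent = [h for h in same_card if timedelta(0) <= txn.ts - h.ts <= window]
    if len(recent) >= max_per_window:
        reasons.append("velocity")
    if any(h.country != txn.country for h in recent):
        reasons.append("impossible-travel")
    if set(reasons) & HARD_RULES:
        decision = "decline"
    elif reasons:
        decision = "review"
    else:
        decision = "approve"
    return decision, reasons


def run_samples() -> dict:
    """Constructed transactions for one card; returns the decision per case."""
    profile = CardProfile(home_country="IN", travel_consent={"SG"},
                          daily_limit=40000.0, typical_amount=5000.0)
    t0 = datetime(2024, 3, 1, 10, 0)
    history = [Txn("card-1", t0, 5000.0, "IN", "ATM-01")]
    cases = {
        "normal": Txn("card-1", t0 + timedelta(hours=5), 4000.0, "IN", "ATM-02"),
        "consented_travel": Txn("card-1", t0 + timedelta(days=1), 4000.0, "SG", "ATM-SG1"),
        "geo_blocked": Txn("card-1", t0 + timedelta(days=1), 4000.0, "US", "ATM-US1"),
        "large_amount": Txn("card-1", t0 + timedelta(hours=5), 20000.0, "IN", "ATM-02"),
        "impossible_travel": Txn("card-1", t0 + timedelta(minutes=20), 4000.0, "SG", "ATM-SG1"),
    }
    return {name: evaluate(txn, profile, history)[0] for name, txn in cases.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name}: {decision}")
```

Splitting the outcome into decline and review keeps the hard policy rules (geo-blocking, daily limit) deterministic while the behavioral signals feed a step-up check or a fraud desk rather than blocking a legitimate traveller outright.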

