Blog Details Image

Banks have long relied on Automated Teller Machines (ATMs) as the primary agent for basic banking services such as balance checks, cash withdrawal, account statement, etc. Today, with over 3.5 million ATMs planted worldwide, banks and customers greatly benefit from the convenient and instantaneous 24/7 service that ATMs bring enable. But as is the case with most things convenient (and instantaneous), ATMs are placed with drawbacks in the form of severe security risks and potential exploitability by hackers and criminal agents. Banks are thus left to adapt with new measures and prevention mechanisms to eliminate these risks.

One of the main challenges when it comes to ATM attack prevention is understanding a particular attack vector and picking the suitable vendor-solution that is specific to its corresponding threats. In this article, we discuss the various attack prevention methods and tools that are available from different vendors. These include vendor solutions for ATM logical attack prevention, ATM application whitelisting, ATM Blackbox attack prevention, ATM RAM raid prevention, ATM host OS Security and communication security and the necessity to inspect the status of their effectiveness with a comprehensive ATM Penetration Testing.

1.ATM Logical Attack Prevention

A logical attack on an ATM network is a coordinated set of malicious actions performed by criminals or groups to gain access to ATM computer systems for obtaining cash or sensitive data from ATMs. ATM malware attacks are the sub-category of Logical attacks. These attacks involve the deployment of software in the ATM, which runs in the background when the ATM operates. Various prevention solutions for ATM Logical attack are as follows:

1.1 NCR SPS with Skimmer Detect and Alert Monitoring

NCR Skimming Protection Solution (SPS) uses multiple jammers that generate random signals, preventing any criminal attack from isolating and recording data using the card’s magnetic strip. In NCR SPS SelfServ ATMs with DIP card readers, detection is available as the primary feature.

1.2 NCR Anti-Eavesdropping kit:

Eavesdropping attacks can be prevented by modifying the existing ATMs with a physical barrier around the internal card reader. NCR has an anti-eavesdropping kit that offers a simple and inexpensive protective measure. The SelfServ 80 series family has no card orientation window which removes the chances of drilling into the ATM.

1.3 NCR Card reader device detection firmware, third party anti-insert kits:

Criminals have developed techniques to install a Deep Insert Skimmer inside a motorized card reader such that the ATM platform software cannot detect it. NCR suggests using the Tamper Resistant Card Reader as the prevention mechanism for Deep Insert Skimming and Eavesdropping Skimming techniques. The NCR SPS (Skimming Prevention Solution) is built with a field-programmable framework. This framework enables the functionality of the ATMs and prevents deep insert skimmer attacks.

1.4 Cash degradation solutions such as ink staining or glue solutions:

An Intelligent Banknote Neutralization System (IBNS) is a process that protects money against unauthorized access by making it unusable when an attempted attack on the system is detected.

  • Ink-stain Technology: In the case of the identified attack, the ink-stained technology installed in the ATM will release indelible or permanent security ink that will stain the banknotes, making it unfit for use.
  • IBNS using glue: In case of an attack, the glue fusion module glues all the banknotes in the cash cassette together immediately, leaving nothing but the worthless, solid brick of paper. If an attacker tries to peel off the single banknote, it will tear into small shreds immediately.

1.5 Gas Detection/Neutralization solutions:

The gas detection and neutralization system is a second-generation product which includes advanced monitoring and alarm system, totally hidden from the view. A microprocessor built within the device interprets and measures the change in the environment and discharge the contents for neutralizing the gas. On detecting the gas, an alarm is triggered, alerting the local police about the attack immediately on detection. The option of an audible siren can also be provided, and it is also possible to connect to a third-party alerting system.

1.6 Sabotage and Shimming attack prevention

The recommended solution for this type of attack is to integrate an SPS solution with a skimmer detect and alert system. The SPS anti-tamper sensor will detect and alert on a wide range of tamper conditions, including simple disabling attacks similar to sabotage attacks.

Ensure that the host network checks for card verification code in both chip-based and magnetic strip card transactions. Ensure that the Integrated Card Validation Code (ICVC) of the EMV chip is different from the Magnetic stripe card’s CVV value.

1.7 CCTV and ATM built-in camera Tampering prevention:

Tamper detection is an option within your IP camera that will alert you if the camera has been tampered. If the attacker tries to knock off the camera or block its view, the alert system will notify the security which handles the video management system to monitor the situation.

1.8 ATM BIOS Hardening:

The Basic-Input-Output-System is a set of programs that consist of code and configuration settings. The BIOS enables an ATMs Central Processing Unit (CPU) to communicate with peripheral devices. Safeguarding the BIOS is fundamental to the security of the ATM.


Whitelisting is a concept in which no action can happen in the ATM unless it has been previously identified as legitimate. It includes all possible activities in the ATM workstation that can be controlled from the operating system. Below is the list of common ATM application whitelisting solutions and a brief look into their processes.

2.1 KX Security solution for ATM Application whitelisting:

KX security is a framework that allows you to design, develop, and deploy high-performance, enterprise-grade data capture systems. The KX platform is built on top of the world’s leading column-oriented database, Kdb+, to capture, store, and analyze real-time and historical data. Kx security contains a secure parser that ensures all queries are strictly based on permissions at a functional level when enabled.

2.2 Windows AppLocker for ATM Application whitelisting:

AppLocker is a software whitelisting tool introduced by Microsoft to restrict normal users only to execute specific applications. In Windows 10 version 1709, Microsoft introduced a feature known as Controlled Folder Access, which aims to prevent ransomware from encrypting files within folders. The ATM workstation with windows AppLocker can protect sensitive files from unauthorized access.

2.3 GMV Checker ATM security suite for application whitelisting:

GMV Checker provides a set of tools to create, install, and maintain the security policies on the server-side and the required tools to implement their application on the ATMs. These security policies can be designed in a flexible way permitting a standard policy for all ATM Network.

2.4 NCR’s Solidcore Suite for APTRA:

The Solidcore Suite for APTRA is focused on two critical, but historically opposed, issues facing IT and banking institutions:

  • To eliminate the business risk posed by internal security threats or network perimeter breaches.
  • To reduce growing information security operating costs while facing increasingly restrained IT resources.

Solidcore Suite for APTRA addresses both these issues simultaneously by only allowing authorized code to run on a protected ATM.

2.5 McAfee Solidcore for ATMs:

NCR offers Solidcore Suite for APTRA using the McAfee e-Policy Orchestrator (McAfee e-PO) platform, which guards and simplifies security through end-to-end network visibility and automated delivery of security responses.


An ATM black-box attack is a banking-system crime in which the attacker bores holes into the top of the ATM to gain access to its internal infrastructure. The cash dispenser is disconnected and attached to the external black box, which bypasses the need for card or transaction authorization to release money. Preventions of these type of attacks are listed below:

3.1 OS to Dispenser data protection solutions:

To prevent Black Box attacks, ATM vendors recommend using the latest XFS versions for strong encryption and physical authentication between the OS and dispenser. When physical authentication is present, encryption keys are sent only when legitimate access to the safe has been confirmed.

3.2 NCR USB Encryption Suite:

Encrypting the communications line between the ATM core and the dispenser will prevent black-box attacks. Only commands from the ATM software will be authenticated and processed by the dispenser. NCR uses the USB CDM software component from APTRA XFS 06.03.00 or later to encrypt the communication line.

3.3 Cerber Lock:

ANSER PRO has developed a safety device called Cerber NCR Lock, which will protect the ATM dispenser from the Black Box attacks. Cerber NCR Lock is compatible with ATM series NCR Persona, NCR SelfServ, and any ATM in which the dispenser is connected via USB.

The connector of the Cerber lock is installed between the ATM PC and the ATM dispenser. The Control unit of Cerber Lock is located in the ATM safe along with the dispenser to prevent its detection and hacking. In case of unauthorized connection to the ATM dispenser, the Cerber lock blocks the dispenser from releasing currency.

3.4 Wincor USB Encryption

Wincor has released a cryptographic device designed to prevent viruses from triggering unauthorized cash withdrawals at ATMs. The SCOP (Secure Cash Out Procedure) module prevents viruses from triggering any non-permissible withdrawals within an ATM’s control module, dispending the currencies. The system ensures complete security checks in combination with a central point of authorization.


Ram-raiding is a type of robbery in which a heavy vehicle is driven into the windows or doors of a building, usually ATMs, jewelry shop, and department store, which allow the attackers to steal. There are various solutions to prevent ATM, which are as follows:

4.1 GPS devices and ATM trackers:

The primary purpose behind most individual businesses or organizations going for GPS tracking systems and devices is real-time tracking. If the machine is impressed or moved unauthorized, the tracking device triggers the silent alarm. The ATM is configured to sense motion, and when the machine is moved, the device acts accordingly.

It also signals the control room whenever the ATM becomes interfered with by attackers. The device’s dynamic feature will help the authorities inform the law enforcement about the crime and activate appropriate action by the law enforcers and fight crime before the money gets stolen.

4.2 ATM Software Distribution attack prevention:

Software distribution attacks in an ATM is a network-based attack. Attackers use the network access points to connect to the bank’s internal network and gain access to ATMs locally. Once inside the system, the attackers spoof the software distribution server as the means to deliver the malware to ATMs

A software distribution capability with best practices, including security controls, authorization, and built-in authentication to make it safe, is an essential layer that will maintain the confidentiality, integrity, and availability of the ATMs. It is also crucial to have remote software distribution capabilities within the ATM.

If malware is launched or suspected to be on an ATM, software distribution will accelerate the clean-up and update malware signature files across the ATM. APTRA Vision Software Distribution and NCR View 360 are some of the NCR recommended software to protect against software distribution attacks


5.1 ATM OS Hardening solutions:

The ATM host’s OS should be hardened by removing unnecessary services and applications, securing weak default settings, and having updated security patches. The host OS must also have Anti-virus software, firewall/intrusion detection tools, Logging and auditing controls, and proper backup policies or tools.

5.2 Hard disk Encryption:

Installing complete hard disk encryption protects the integrity of the ATM hard disk and offline attacks. NCR SECURE Hard Disk Encryption is widely recommended.

By Hard disk encryption, the ATM is protected against:

  • Malware attacks when the ATM hard disk is offline.
  • Attacker’s reverse engineering software on the ATM hard disk.
  • Attacker’s collecting data from the hard disk of ATM.
  • Hard Disk being visible when ATM is booted from removable media.
  • The hard disk is removed from the ATM and mounted as a secondary drive.
  • The core is removed from the ATM.

The NCR SECURE Hard Disk Encryption:

  • Protects ATM against attackers deploying malware onto the hard disk of the ATM.
  • It distributes the hard disk contents unreadable to protect against offline attacks, reverse engineering of code, or data harvesting.
  • Prevents attackers from deriving or harvesting the decryption keys locally to circumvent encryption technology.
  • Remote authentication prevents the encryption key from being derived or harvested from the local hard disk.


Transmission of sensitive cardholder data across every network must be encrypted. Cybercriminals may be able to intercept transmissions of cardholder data over networks, so it is vital to prevent their ability to read this data. Encryption is a technology that can be used to distribute transmitted data unreadable by any unauthorized person.

6.1 Network Sniffing prevention with NCR TLS 1.2:

PCI DSS Requirement 4.1 suggests using strong cryptography and security protocols to protect sensitive cardholder information during transmission over open, public networks. SSL and TLS encryption have been demonstrated to have weaknesses that can be exploited and must not be used to meet PCI requirements.

NCR Secure TLS Encrypted Communications supports TLS version 1.2 and is more robust when combined with the environment’s hardening guidelines. NCR Secure TLS Encrypted communication never send unprotected cardholder data by the end-user messaging technologies like e-mail, instant messaging, SMS, chat, etc.

Need for effectiveness checking of ATM attack prevention solutions with ATM Penetration Testing

In a changing technological landscape, it is enormously fatal for Banks and Financial Institutes to overlook the various threats targeting ATMs. There has been a constant rise in ATM physical attacks for the last 5 years. In fact, there is a year on year growth of 16% since 2015 on reported ATM attacks.

This makes it essential to have a thorough and periodic security assessment of ATMs, investigating the possibilities of physical and logical attacks along with ATM malware, logical, and terminal related testing.

NetSentries Technologies is a leader in the Cyber Threat Management space. NetSentries provides a portfolio of Security assessment, Control validation, Defensive, and Detective Security advisory to Enterprises. NetSentries is engaged with several business verticals like Banking and Finance, Oil and Gas, Retail, Manufacturing, and Healthcare to assess their current security posture and continuously improve resilience against targeted cyber-attacks. NetSentries works with several Banks and FinServ companies to improve Enterprise-wide security posture and meet compliance requirements from regulators.

NetSentries provides a proven and comprehensive assessment framework for ATM, CDM, Service Kiosk, ITM, Bitcoin Teller Machines and other type of terminal testing, our security assessment services are second to none.

With a comprehensive testing portfolio for ATMs, derived from a combination of advanced hardware and software tools, coupled with vast experience in cyber threat management, NetSentries delivers assurance and peace of mind to banking institutes around the world.

About NetSentries: NetSentries Technologies is leader in the Cyber Threat Management space. NetSentries provides a portfolio of Security assessment, Control validation, Defensive, and Detective Security advisory to Enterprises. NetSentries is engaged with several business verticals like Banking and Finance, Oil and Gas, Retail, Manufacturing, and Healthcare to assess their current security posture and continuously improve resilience against targeted cyber-attacks. NetSentries works with several Banks and FinServ companies to improve Enterprise-wide security posture and meet compliance requirements from regulators.

For more information, contact us on

All product names, brands and trademarks referred to in this article are property of their respective owners.

Schedule your
Application Security Assessment Now

Free Consultation ImageFree Consultation Shape ImageFree Consultation Shape Image

Choice of the Leading Enterprises for a Reason

Brand LogoBrand LogoBrand LogoBrand Logo
Brand LogoBrand LogoBrand LogoBrand Logo
Brand LogoBrand LogoBrand LogoBrand Logo