aricoma logo avatar

#1 in Enterprise IT

Penetration tests and audits of ATMs

Solution description

ATM penetration tests and audits are specific in many ways compared to traditional web application penetration tests. They require a comprehensive knowledge of hardware, software, XFS, network protocols, reverse engineering, as well as a deep knowledge of programming languages including assembler, dissembler, debugger with direct use of instruction set codes (so-called opcodes). The result is verification that the ATM is adequately secured and suitable for production deployment and does not suffer from any obvious security weaknesses that could pose a direct security risk to the ATM itself and its clients.

 The following is a more detailed list of areas that tend to be critical from an ATM security perspective and based on our years of experience. This list is not comprehensive, but it gives a clearer idea of the scope and complexity of ATM penetration testing and auditing, whether it is your own solution under development or a third-party solution you are about to deploy in your environment. We are happy to help you with your security solution. 

ATM Penetration Testing and Audits

In our experience, even though ATM suppliers are often the same, the applications, OS, services, versions, settings and security vary widely. So, each ATM penetration test and audit is always a little different, depending on the HW, SW and other security features used.

The following is a basic list of the tests and audits we perform most often.

Benefits

  • We are one of the most established Czech security companies, we have been successfully operating on the market for over 30 years. 
  • We have more than 10 years of experience with ATM penetration tests of various suppliers, mainly DN (WN), NCR and OKI.
  • We have more than 30 years of experience in the field of security of OS, infrastructure, desktop and web applications, which are an integral part of an ATM. 
  • Our team consists of specialists with experience from hundreds of sub-projects. 
  • We are holders of eMAPT, CISSP, OSCP, OSCE, CEH and a host of other related certifications. 
  • We listen to our clients and tailor tests to their needs and time constraints. 
  • We follow modern trends in desktop application security. 
  • We emphasize a manual approach to testing, which leads to the discovery of more vulnerabilities, especially in the business logic of applications, compared to automated tools.

Security Control for Physical Access to ATM Interfaces

  • A physical local attack that targets account data.
  • A physical local attack that targets the PIN.
  • Attacks aimed at stealing encrypted sensitive data from secure components (EPPs, CRs, NFC, etc.)
  • Attacks aimed at disabling ATM security features (Privacy Shield, anti-skimming add-ons attacks)
  • Tests for unauthorized access to sensitive areas and resources (cabinet, fascia)
  • Tests whether unauthorized access to EPP, PC, etc. is monitored and triggers an alarm.
  • Attacks on interfaces such as USB, Camera, PIN-Pad connectors, serial mgmt port, card reader interface, dispenser interface, audio jack, etc.

ATM OS and application security
  • Testing the security of the ATM OS platform (Windows) 
  • We verify BIOS, TPM security. 
  • We verify the security of Sandbox solutions and OS protection.
  • We verify access to resources such as USB ports / CDs / DVDs / hard drives etc.
  • We verify XFS layer security 
  • We analyse the security of the ATM (thick/thin client) application, see Penetration testing of thick/thin client.

ATM infrastructure testing
  • We test and verify communication protocols, encryption and VPNs 
  • We verify and secure services.
  • We perform comprehensive ATM infrastructure audits

Dispenser Security Verification
  • We verify communication and encryption with the dispenser.
  • We verify service tools that are able to communicate directly with the dispenser. 
  • We verify firmware upgrade and downgrade capabilities on the dispenser.

Share

DO NOT HESITATE TO
CONTACT US

Are you interested in more information or an offer for your specific situation?

By submitting the form, I declare that I have familiarized myself with the information on the processing of personal data in ARICOMA.