
Penetration tests and audits of ATMs

Solution description

ATM penetration tests and audits differ in many ways from traditional web application penetration tests. They require comprehensive knowledge of hardware, software, XFS, network protocols and reverse engineering, as well as a deep knowledge of programming languages, including assembler, and of disassembler and debugger use directly at the level of instruction set codes (so-called opcodes). The result is verification that the ATM is adequately secured, suitable for production deployment and free of obvious security weaknesses that could pose a direct risk to the ATM itself or to its clients.

The following is a more detailed list of areas that, based on our years of experience, tend to be critical from an ATM security perspective. The list is not exhaustive, but it gives a clearer idea of the scope and complexity of ATM penetration testing and auditing, whether for your own solution under development or for a third-party solution you are about to deploy in your environment. We are happy to help you with your security solution.

ATM Penetration Testing and Audits

In our experience, even where the ATM supplier is the same, the applications, OS, services, versions, settings and security features vary widely. Each ATM penetration test and audit is therefore a little different, depending on the HW, SW and other security features in use.

The following is a basic list of the tests and audits we perform most often.

Benefits

  • We are one of the most established Czech security companies and have been operating successfully on the market for over 30 years.
  • We have more than 10 years of experience with penetration tests of ATMs from various suppliers, mainly DN (WN), NCR and OKI.
  • We have more than 30 years of experience in the field of security of OS, infrastructure, desktop and web applications, which are an integral part of an ATM. 
  • Our team consists of specialists with experience from hundreds of sub-projects. 
  • We are holders of eMAPT, CISSP, OSCP, OSCE, CEH and a host of other related certifications. 
  • We listen to our clients and tailor tests to their needs and time constraints. 
  • We follow modern trends in desktop application security. 
  • We emphasize a manual approach to testing, which leads to the discovery of more vulnerabilities, especially in the business logic of applications, compared to automated tools.

Security Control for Physical Access to ATM Interfaces

  • A physical local attack that targets account data.
  • A physical local attack that targets the PIN.
  • Attacks aimed at stealing encrypted sensitive data from secure components (EPPs, CRs, NFC, etc.).
  • Attacks aimed at disabling ATM security features (privacy shield, anti-skimming add-ons).
  • Tests for unauthorized access to sensitive areas and resources (cabinet, fascia).
  • Tests of whether unauthorized access to the EPP, PC, etc. is monitored and triggers an alarm.
  • Attacks on interfaces such as USB, camera, PIN pad connectors, serial management port, card reader interface, dispenser interface, audio jack, etc.

ATM OS and Application Security

  • We test the security of the ATM OS platform (Windows).
  • We verify BIOS and TPM security.
  • We verify the security of sandbox solutions and OS protection.
  • We verify access to resources such as USB ports, CDs/DVDs, hard drives, etc.
  • We verify XFS layer security.
  • We analyse the security of the ATM (thick/thin client) application; see Penetration testing of thick/thin client.

ATM Infrastructure Testing

  • We test and verify communication protocols, encryption and VPNs.
  • We verify and secure services.
  • We perform comprehensive ATM infrastructure audits.

Dispenser Security Verification

  • We verify communication and encryption with the dispenser.
  • We verify service tools that are able to communicate directly with the dispenser.
  • We verify firmware upgrade and downgrade capabilities on the dispenser.