Pentesting ATM

ATM Pentesting


We provide advanced penetration testing (pentesting) in automated teller machine (ATM) solutions in the financial sector. In most cases, serious security flaws are identified in ATM configurations and associated processes.

Pentesting that simulates real attacks on ATM solutions includes carefully designed targeted attacks that combine physical, logical and optionally social engineering attack vectors. IT security managers often view ATM security as a complex area, tending to focus more on physical risks and less on logical weaknesses in the operating system and application layer.

Yet ATM security is a business area that often lacks comprehensive security assessments. Our ATM tests are built on this observation and aim to give a holistic picture of your ATM environment.

Physical checks

Many banks rely heavily on the assumption that physical access to their ATM solutions is effectively restricted. Our tests repeatedly show how little effort is often required to gain unauthorized access to the ATM CPU, which controls the user interface and the transaction devices.

Logic controls

With physical access to the ATM CPU, authentication mechanisms can be bypassed to gain unauthorized access to the ATM platform. With this access, an attacker can steal credit card data that is stored in file systems or memory, without alerting the bank. Additionally, our pentesting experts can demonstrate that this unauthorized access can be extended from the ATM to the bank’s network and back-end servers using the compromised ATM as an attack platform.

ATM solution management processes associated with third-party service providers and application development providers are often the golden key for an attacker, and can be included in the scope of testing to identify logical weaknesses in trust relationships that an attacker can exploit to compromise an ATM.

ATM penetration tests

As the number of deployed ATM units grows, so does their exposure to hacking, theft, fraud and similar threats.

Electronic funds transfer has three components: communication link, computer and terminal (ATM). All three components must be secured to prevent attack. We will discuss the type of assessment that we can perform to analyze the overall security of an ATM.

PENTESTING ATM STAGES

Application design review: In this activity, we verify the security practices that are followed in the application. Some of the test cases are:

  • Types of events recorded in the log file.
  • The privilege under which the ATM application runs.
  • Does the software have a provision to restrict different menu options to different user IDs based on user level?
  • Access to the folders related to the application.
  • Does the application allow a transaction without a PIN or with an old PIN?
  • Does the application allow access to the operating system while it is running?
  • Communication with back-end components.
  • Verification of the effective isolation of the network.
  • Is a customer locked out after a single invalid PIN?
  • Is it mandatory to enter the PIN for each and every transaction?
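As an added illustration (not code from the original page or from any vendor), the following Python model shows the behaviour the last three test cases check for: a PIN is required for every transaction, a superseded PIN is rejected after a change, and repeated invalid PINs lock the card. The lockout threshold, the PBKDF2 stand-in for the issuer's PIN check and the PIN values are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed policy threshold (constructed); the review asks whether even one invalid PIN locks the card.
MAX_INVALID_PINS = 3


class CardRecord:
    """Per-card state the ATM application (or its issuer host) must keep to enforce the controls."""

    def __init__(self, pin: str):
        self.salt = os.urandom(16)
        self.pin_hash = self._derive(pin)
        self.invalid_attempts = 0
        self.locked = False

    def _derive(self, pin: str) -> bytes:
        # Never keep the clear PIN; a salted, slow hash stands in for the issuer's HSM-based check.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 50_000)

    def verify_pin(self, pin: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(self._derive(pin), self.pin_hash):
            self.invalid_attempts = 0  # a good PIN clears the counter
            return True
        self.invalid_attempts += 1
        if self.invalid_attempts >= MAX_INVALID_PINS:
            self.locked = True  # stays locked until the issuer releases it
        return False

    def change_pin(self, old_pin: str, new_pin: str) -> bool:
        if not self.verify_pin(old_pin):
            return False
        self.pin_hash = self._derive(new_pin)  # the old PIN is invalid from this point on
        return True


def authorize(card: CardRecord, amount: int, pin: Optional[str]) -> Tuple[bool, str]:
    """Every transaction must carry a fresh PIN entry; nothing is cached from an earlier one."""
    if pin is None:
        return False, "pin_required"
    if card.locked:
        return False, "card_locked"
    if not card.verify_pin(pin):
        return False, "card_locked" if card.locked else "invalid_pin"
    if amount <= 0:
        return False, "invalid_amount"
    return True, "approved"
```

A design review compares the real application against each branch above: a transaction path that skips `pin_required`, accepts the pre-change PIN, or never reaches `card_locked` is a finding.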

ATM architecture review

Evaluation of the ATM / POST environment, analyzing security controls and connectivity with the existing banking network.

Internal Pentesting

Ethical hacking, vulnerability testing and control over the ATM environment and connectivity devices.

Test to alarm systems (IDS-IPS-SIEM)

Verification of defensive performance and of the time taken to detect and respond with countermeasures to real attacks.

ATM software testing

Pentesting on the different payment applications on the final physical device (ATM), the communication levels and the controls.

Remote access tests

Evaluate RAS, RDP, VPN or similar accesses that allow access to third parties or possible attackers.

Policy and procedure analysis

Review and analysis of current policies against ISO / PCI / IBR standards.

Physical tests

The four areas of security are evaluated: physical security, network security, application security, and operating system security.

Incident response

Analysis of times, strategies and response capacity to physical or cyber incidents.