
ATM Penetration Testing

Offensive security services by one of the world’s leading ethical hacking teams

THE CHALLENGES

Clients face challenges in ATM penetration testing, such as staying ahead of rapidly evolving threats and sophisticated attack techniques targeting ATMs. Limited in-house expertise and resources often make it difficult to conduct thorough and effective testing.


HOW CAN PCAUTOMOTIVE HELP YOU?

PCAutomotive is recognized as a global leader in embedded penetration testing, leveraging extensive expertise and proven experience in conducting ATM penetration testing.


THE SERVICE

The Targets


  • All ATM models, with security controls installed on them.

Comprehensive ATM Security Assessment

Our ATM Pentesting service evaluates all critical aspects of ATM security to identify and mitigate risks. Key areas include:

1. Physical Security: we assess the ease of accessing a machine’s internals, bypassing anti-tamper mechanisms, or exploiting exposed interfaces.

2. Network Security: we evaluate the wired and wireless networks to which target ATMs are connected, focusing on many aspects, including:

• Implemented network authentication mechanisms.
• Traffic routing rules.
• Firewalling rules on network hosts and network equipment.
• Exposed network services.

3. OS Hardening: our experts examine OS security, including kiosk mode enforcement, BIOS access protections, and disk encryption settings, to prevent unauthorized access or bypasses.

4. Middleware and Framework Security: middleware apps and frameworks are scrutinized for vulnerabilities that attackers could utilize.

5. Communications Security: we ensure ATM-backend communication is encrypted and protected by client-server authentication, to prevent data breaches, identity theft, or unauthorized transactions.

6. Peripherals Security: key components such as card readers and cash dispensers are assessed for vulnerabilities, ensuring integrity of the entire system and protecting against card data theft and other fraudulent actions.

All external interfaces are covered

All external ATM interfaces are in scope of the ATM penetration test, including but not limited to:

• Human-Machine Interface (HMI)
• Card reader (EMV, NFC)
• USB interface
• Ethernet network interface
• Wireless radio interface
• Cellular network interface

All intruder types are supported

The service can emulate highly skilled intruders with different types (network and physical) and levels of access to ATMs.

Service goal

The goal of the penetration testing service is to comprehensively evaluate the full attack surface of the ATM and to identify and validate any critical security vulnerabilities. This includes assessing whether the ATM can be exploited to compromise its own security or to serve as a pivot point for attacks on other systems within the connected network.

Business Benefits

Improved Security
Identifies and mitigates vulnerabilities to prevent fraud, data breaches, and financial losses while protecting customer trust.

Regulatory Compliance
Ensures adherence to industry standards like PCI DSS, avoiding fines and simplifying audit processes.

Operational Resilience
Strengthens systems to minimize downtime, ensuring reliable ATM service and customer satisfaction.

Real-World Penetration Testing

Real-world penetration testing plays a crucial role in supplementing the Payment Card Industry Data Security Standard (PCI DSS). Here's why:

Beyond Compliance
Real-world testing challenges systems with actual attack scenarios, uncovering vulnerabilities that standard compliance checks may miss, providing a comprehensive understanding of security weaknesses.

Adaptability to Evolving Threats
Real-world testing is dynamic and adjusts to new threats, helping organizations stay ahead of attackers by regularly improving security measures.

Holistic Security View
Real-world testing includes a broad range of tests, such as thorough hardware and embedded software analysis, ensuring organizations are secure in all aspects, not just on paper.

Penetration Testing in Compliance with PCI DSS

We offer penetration testing services fully aligned with PCI DSS 4.0 standards, ensuring comprehensive security for Cardholder Data Environments (CDEs). Our approach covers application-layer and network-layer vulnerabilities, validates segmentation controls, and meets required testing frequencies, including annual and post-change assessments.

For clients using segmentation to reduce PCI scope, we verify segmentation controls to ensure proper CDE isolation, complying with PCI DSS requirements. Our services include vulnerability assessment, remediation, and re-testing, helping clients achieve and maintain PCI DSS compliance.


Our References

We work with a wide range of companies in the financial services industry, including payment platform providers and payment device manufacturers.

OUR CUSTOMERS


"As a financial service provider, security is a top priority at Adyen. Partners like PCAutomotive help us test the robustness of our payments platform."


About Adyen
Adyen (AMS: ADYEN) is the financial technology platform of choice for leading companies. By providing end-to-end payments capabilities, data-driven insights, and financial products in a single global solution, Adyen helps businesses achieve their ambitions faster. With offices around the world, Adyen works with the likes of Facebook, Uber, H&M, eBay, and Microsoft.

Proven experience of our team

Affected Products: CVEs

• NCR S2 Dispenser controller: CVE-2018-5717
• NCR S1 Dispenser controller: CVE-2017-17668
• Verifone PoS terminals and peripherals: CVE-2019-14711, CVE-2019-14713, CVE-2019-14715, CVE-2019-14716, CVE-2019-14718, CVE-2019-14719
• Ingenico PoS terminals and peripherals: CVE-2018-17766 - CVE-2018-17768, CVE-2018-17771 - CVE-2018-17774
• PAX PoS terminals and peripherals: CVE-2020-28891, CVE-2020-28892, CVE-2020-29044

WHY PCAUTOMOTIVE?

Expertise
Our team possesses deep expertise, with proven records in penetration testing and security audits of embedded devices, including PoS terminals, ATMs, PIN pads, and peripherals.

Proven record of success

  • 100+ security evaluations conducted.
  • 50+ vulnerabilities found in 2024.

On-site center of expertise
Our CyberLab offers top-tier execution and privacy, specializing in identifying and mitigating security vulnerabilities in hardware devices. We provide services such as firmware extraction and reverse engineering, discovery of debugging interfaces, cryptographic key extraction and bypassing memory protections.

Contact us today to receive a non-binding offer for security testing of your ATM.
