fbpx

An ATM/ITM Security Assessment or Pentest is an essential service for any company that uses financial/banking services connected to Automated Teller Machines (ATMs), Interactive Teller Machines (ITMs), Virtual Teller Machines (VTMs) or Cash Deposit Machines (CDMs). 


Krypteia has a proven history in working in the Financial/Banking Security sector. We developed professional methodologies that will assess the entire environment of the ATM to determine if there are any vulnerabilities associated to the software, hardware or communication protocols . You will get an comprehensive assessment on each application, network or other devices that are supporting the ATM/BCDM deployment,  including a physical security detailed assessment. 

An ATM/ITM Pentest will uncover vulnerabilities that can be exploited by third parties. Such vulnerabilities include unauthorized withdrawals, access to the internal machine, exposure of USB or similar interfaces that can give the ability to by-pass security,  discovering and using sensitive information from users cards.


Your ATM Assessment will include:

Psychical Security

One important entry point when considering the security of an ATM / BCDM or similar banking devices is how easy it is for an attacker to access the internals of the machines.

The exposure of USB or similar interfaces to connect rogue devices or the ability to bypass anti-tamper mechanism to avoid disabling features or generating alarms are two examples of the issues that will be analyzed by the consultants.


Deployment Security

Not only the security of the ATM / BCDM itself is important but also how easy it is to break into the other devices used to support the ATM / BCDM deployment.

The analysis of how the device is connected to the local network in a branch or mall including whether the router / firewalls are easily accessible or configured with default credentials should also be taking into account when studying the security of the system as a whole.


Operating System Hardening

How the operating system running the ATM / BCDM application is secured should be one of the key points of any security assessment.

The consultants will look into how the kiosk mode is enforce and how easy it would be to bypass it.


Middleware / Frameworks Security

It is common that a ATM / BDCM uses a middleware that hides all the complexity of the banking transaction and allows interoperability between different manufacturers such as XFS but other less widely used frameworks could be used.

Any weakness in this layer would make it easier to an attack automate and replicate the attack across different devices and exploit issues that could allow execute privileged commands.


Backend ATM/BCDM Communications Security

The communications between the ATM / BDCM and the backend represent an important asset.

If the communications are not properly secured a security breach could allow an attacker to achieve identity theft, steal money from the ATM or reveal sensitive data that would break data protection laws.


Peripherals Security

An ATM / BCDM is made up of different peripherals plugged into the main computer that interacts with them to provide the whole banking functionality

Some of these peripherals are the card reader, cash dispenser or bank note validator as examples.

These element pose a security risk to the whole system since if an attack manage to interact with them and exploit any vulnerability she/he would be able to perform identity theft or perform any type of fraud.


Plan Preview

PHASE 1: GENERAL OVERVIEW OF THE ITM MACHINE

The objective of this engagement is to evaluate the efficacy and adequacy of the kiosk machine from a black box perspective first, and them moving to a white-box perspective, more in-depth. CTD will evaluate the following areas:

  • Physical Security
  • Deployment Security
  • Operating System Hardening
  • Middleware / Frameworks Security
  • Network security assessment
  • Backend Communications Security
  • Peripherals Security

PHASE 2: FEATURES AND FUNCTIONALITIES

The following features will be added during phase:

  • Business Flow logic testing
  • Cash withdrawal
  • Cash deposit
  • Cheque deposit
  • Cheque encashment (with coins)
  • Cheque book request
  • Online/mobile banking registration
  • Internal funds transfer
  • Email/SMS/print balance, statements

Contact Us today so we can talk about your Cybersecurity and IT solution needs for your organization!