
Hacking ATM machines is a serious concern that affects not only individuals but also entire financial systems.
ATM hacking can occur through various methods, including phishing scams, where hackers trick users into revealing their PINs.
In 2019, a phishing scam in the United States resulted in over $1 million in losses.
ATM hacking can also happen through physical attacks, where hackers install skimmers or card snatchers on the ATM.
In 2018, a group of hackers in the UK installed skimmers on 200 ATMs, stealing over £1 million.
The consequences of ATM hacking can be severe, including financial losses and compromised personal data.
What is ATM Hacking?
ATM hacking is a type of cybercrime that targets automated banking machines.
ATM jackpotting is a specific type of ATM hacking that exploits physical and software vulnerabilities in ATMs to dispense cash.
This type of attack can happen at any time and takes very little time, making it a quick and efficient way for culprits to commit the crime.
ATM jackpotting uses a combination of physical and cybercrime tactics, including the use of a portable device to physically connect to the ATM and malware to target the machine's cash dispenser.
Attackers often use deception to limit risk, such as dressing as service personnel or targeting ATMs in isolated locations.
With physical access to a machine, ATM jackpotting enables the theft of the machine's cash reserves, which are not tied to the balance of any one bank account.
Types of ATM Hacking Attacks
ATM hacking attacks can be broadly categorized into two types: physical attacks and digital attacks.
Physical attacks involve hackers gaining physical access to the ATM, usually through breaching the maintenance port.
In a Black Box attack, hackers connect a device to the ATM's internal system, bypassing security systems and directly withdrawing cash.
This type of attack is often carried out using special software or hardware tools.
Digital attacks, on the other hand, involve hackers using malware, such as banking Trojans, skimmers, or backdoors, to infiltrate the ATM's system.
These digital attacks can be carried out via USB drives or by abusing remote access ports.
Initially, attackers only exploited physical weaknesses, using skimmers to steal data from cards' magnetic strips.
The transition to digital attacks came with the advancement of ATM technology, offering more digital vulnerabilities to exploit.
Here are some common methods used in ATM hacking attacks:
- Physical access to the ATM
- Black Box Connection
- Control System Violation
- Cash Out
- Malware (banking Trojans, skimmers, backdoors)
- USB drives
- Remote access ports
Prevention and Safeguards
Implementing basic security controls is crucial to prevent ATM jackpotting attacks. Routine monitoring can help identify suspicious activities like multiple failed login attempts.
Regularly updating the ATM with security patches and software upgrades is essential. Updated security software, such as firewalls, antivirus software, and antimalware, should also be installed to protect the machine.
Disabling the ATM's auto-start and auto-boot functions can close a door on this type of crime. Criminals often exploit these functions to compromise ATMs.
Safeguards and Restrictions
Implementing antivirus solutions can provide some protection against malware variants, but it's not a foolproof solution.

Locking USB ports can prevent some types of attacks, but it's not enough to protect against all variants.
Encryption of hard drives can offer some security, but it's not a guarantee against all types of malware.
Criminals often use a "mule" to collect stolen money and distribute it without attracting attention from security cameras.
Regularly updating ATMs with security patches and software upgrades is crucial to prevent jackpotting attacks.
Disabling the ATM's auto-start and auto-boot functions can close one door to compromise for attackers.
Electronic surveillance systems, including video cameras, motion sensors, and intruder alarms, provide reliable 24/7 monitoring of ATMs.
Beware of PPE
PIN Pad Encryption (PPE) is often assumed to be secure, but it is not as safe as you might think. XFS allows the encrypting PIN pad (EPP) to be used in two modes: open mode and safe operation mode.
In open mode, keypad input can be intercepted by hackers, allowing them to steal sensitive information like PIN codes and encryption keys. This is because in this mode the keypad sends what is typed in clear text.

Hackers who have breached the XFS layer can issue commands to dispense cash, as if there had been physical intervention. This allows them to empty the ATM safe remotely.
To put it simply, PPE is not as secure as you assume. It's a vulnerability that hackers can exploit to steal sensitive information and empty ATMs remotely.
ATM Hacking Methods and Tools
ATM hacking methods and tools are becoming increasingly sophisticated, making it essential to understand how they work. Rogue devices, for instance, can mimic an ATM's internal computer to execute jackpotting attacks.
Hackers use various tools to carry out ATM attacks, including a rogue device that connects directly to the cash dispenser or the ATM's network. A direct connection allows the device to order the ATM to dispense cash.
Malware-infested USB devices are also used to install malware on the ATM's hard drive and take control of the system. This is done by plugging the device into the machine's USB port.
The Black Box attack is another method used by hackers to gain access to an ATM's internal wiring and attach a device that communicates directly with the machine's system. The purpose of this device is to bypass security systems and force the ATM to dispense cash.
The steps involved in a Black Box attack are straightforward: hackers gain physical access to the ATM, disconnect the wires connecting the ATM brain to the cash dispenser, and then connect their own device. The device sends commands to the ATM to dispense money, bypassing the ATM's security systems.
Attackers often use special software or hardware tools to carry out the attack. These tools are designed to bypass the ATM's internal security systems and intercept communications with the management system.
Some of the most commonly used malware families in ATM jackpotting include Ploutus and Anunak. Ploutus enables criminals to bypass an ATM's security measures and physically control it in order to steal its money. Anunak, also known as Carbanak malware, allows attackers to remotely control the infected ATM and cash out large amounts of money at will.
The following is a list of some common tools and methods used in ATM hacking:
- Rogue devices that mimic an ATM's internal computer
- Malware-infested USB devices
- Black Box devices that bypass security systems
- Special software or hardware tools
- Ploutus and Anunak malware families
These tools and methods highlight the importance of securing ATMs and protecting against hacking attempts.
Global Impact and Response
The global impact of hacking ATM machines is a serious concern. According to a study, over 3,000 ATMs were compromised in 2020 alone, resulting in significant financial losses for banks and their customers.
The response to these attacks has been a major focus on improving security measures. Banks have been investing in advanced security protocols, such as two-factor authentication and real-time monitoring, to detect and prevent hacking attempts.
As a result, many banks have seen a significant reduction in the number of successful hacking attempts. In fact, one bank reported a 90% reduction in hacking incidents after implementing these new security measures.
Global Attacks
ATM jackpotting attacks have been a global issue, with reported cases in Latin America, Ukraine, Taiwan, Europe, Asia, and the United States.
In 2017, a rash of ATM jackpotting broke out in Latin America, following earlier incidents in Mexico in 2010 and Ukraine in 2015.
The Carbanak cybercrime group is believed to be behind many of these attacks, including those in Ukraine in 2015 and Taiwan in 2016.
In 2018, ATM jackpotting attacks were reported in Europe, Asia, and the United States, prompting the U.S. Secret Service to issue a warning to ATM manufacturers.
Two well-known ATM manufacturers, NCR and Diebold Nixdorf, issued advisories to their customers in response to the warning, outlining steps to safeguard their machines.
The Ploutus malware was used in some of these attacks, including the 2010 Mexico incident and the 2018 U.S. cases.
Security Teams Pay the Price: Cyber Incidents
Cyber incidents have become a harsh reality for organizations worldwide. The blame for these incidents may be shared, but the burden of response always falls on the security team.
Security teams are often left to deal with the aftermath of a cyber incident, which can be a daunting task. The transition to digital vulnerabilities has made it easier for attackers to infiltrate systems.
Criminals now use variants of malware, such as banking Trojans, skimmers, and backdoors, to target systems. These attacks can be launched through USB drives or by abusing remote access ports.
The physical weaknesses of ATMs, like skimmers, are no longer the only concern. The technological advancement of ATM manufacturers has introduced more digital vulnerabilities to exploit.
Trump Administration Faces Cyber Security Balancing Act
The Trump Administration faces a tough balancing act in the borderless cyber landscape. This is evident in the challenges they'll encounter, such as navigating a complex web of threats and vulnerabilities.
President Trump's record on cybersecurity might indicate a likely approach in 2025 and beyond, but only time will tell.
Case Studies and Indictments
A Venezuelan national, Jesus Ernesto Reyes Garcia, was indicted for allegedly hacking into several ATM machines at a casino in Primm, Nevada, causing them to dispense large amounts of cash.
He used malware to exploit vulnerabilities in the machines, resulting in them dispensing more cash than authorized, a type of attack known as ATM "jackpotting".
Reyes Garcia was observed on surveillance video placing a device behind various ATM machines and using stolen and fraudulent credit cards to withdraw cash.
Each time a $20 withdrawal was requested, $800 or $1,000 would be dispensed, and he conducted a total of approximately 150 transactions, fraudulently withdrawing a total of about $125,000 in cash.
An indictment is merely an allegation, and Reyes Garcia is presumed innocent unless proven guilty beyond a reasonable doubt in a court of law.
The case was investigated by the United States Secret Service and is being prosecuted by Assistant United States Attorney Christopher Chiou.
A jury trial is scheduled for October 7, 2019, before United States District Judge James C. Mahan.
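The pattern in this case, a $20 request producing $800 or $1,000 in notes, is what routine monitoring can catch by reconciling what the host authorized against what the dispenser counted out. The following is an added example, not code from the case or from any ATM vendor; the record layout, field names and sample records are constructed assumptions.

```python
# Added example: constructed journal records, not real ATM data.
# Record layout and field names are assumptions for illustration.
HOST_AUTHORIZATIONS = [
    {"atm": "ATM-01", "txn": "1001", "amount": 20},
    {"atm": "ATM-01", "txn": "1002", "amount": 20},
    {"atm": "ATM-01", "txn": "1003", "amount": 20},
    {"atm": "ATM-02", "txn": "2001", "amount": 40},
]
# "notes" maps denomination -> number of notes counted out of the cassettes.
DISPENSER_EVENTS = [
    {"atm": "ATM-01", "txn": "1001", "notes": {20: 1}},
    {"atm": "ATM-01", "txn": "1002", "notes": {20: 40}},   # $800 for a $20 request
    {"atm": "ATM-01", "txn": "1003", "notes": {100: 10}},  # $1,000 for a $20 request
    {"atm": "ATM-02", "txn": "2001", "notes": {20: 2}},
    {"atm": "ATM-02", "txn": None, "notes": {20: 40}},     # no host transaction at all
    {"atm": "ATM-02", "txn": "2001", "notes": {20: 2}},    # same approval used twice
]


def reconcile(authorizations, dispenser_events):
    """Return (atm, txn, kind, authorized, dispensed) for each uncovered dispense."""
    approved = {(a["atm"], a["txn"]): a["amount"] for a in authorizations}
    findings = []
    for event in dispenser_events:
        dispensed = sum(denom * count for denom, count in event["notes"].items())
        # pop() consumes the approval, so a second dispense on the same
        # transaction no longer matches anything.
        authorized = approved.pop((event["atm"], event["txn"]), None)
        if authorized is None:
            findings.append((event["atm"], event["txn"], "UNAUTHORIZED_DISPENSE", 0, dispensed))
        elif dispensed != authorized:
            findings.append((event["atm"], event["txn"], "AMOUNT_MISMATCH", authorized, dispensed))
    return findings


def excess_cash_by_atm(findings):
    """Total cash that left each ATM beyond what the host authorized."""
    totals = {}
    for atm, _txn, _kind, authorized, dispensed in findings:
        totals[atm] = totals.get(atm, 0) + (dispensed - authorized)
    return totals


if __name__ == "__main__":
    for finding in reconcile(HOST_AUTHORIZATIONS, DISPENSER_EVENTS):
        print(finding)
```

A dispense with no host transaction behind it is the signature of a device driving the dispenser directly, so it is reported separately from an amount mismatch.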
Communications and Processing
ATMs can be hacked by interacting directly with peripherals without communicating with the host, one of the most popular hacking techniques. This allows attackers to bypass the central system and send commands directly to the peripheral device.
Standard interfaces such as USB, RS232, and SDC do not require special drivers, so an attacker's device can simply be plugged in and send commands. The proprietary protocols used between peripherals and the central system do not require authorization, which leaves them vulnerable to interception and to replayed commands.
Attackers can use network traffic detector software or hardware (a sniffer) to collect transmitted data and gain full control of the ATM. The presence of such a sniffer is extremely difficult to detect once the attacker has gained control.
Dealing with Problems

Dealing with problems can be a challenge, especially when it comes to ATM security. Some ATM providers have developed debugging services like ATMDesk and RapidFire ATM XFS to diagnose issues and enhance security.
These services can help detect anomalies and reduce the likelihood of attacks. Access to them is usually restricted to authorized personnel by means of special codes.
However, hackers have found ways to bypass these checks by modifying the service's code. This can be done by replacing a few bytes, making it possible to withdraw cash without going through the usual security checks.
ATM manufacturers and banks need to stay one step ahead of these hackers by regularly updating and patching their systems. This can help prevent modified services from being installed on single-board microcomputers that connect directly to the banknote dispenser.
Communications Processing Center
The communications processing center is a crucial part of an ATM's operation, and it's where the machine communicates with the outside world. This can include a variety of network interfaces, from x.25 to Ethernet and mobile networks.

Many ATMs can be traced using the Shodan IoT search engine, which can be combined with an attack that compromises the security settings of the affected machine. This makes it easier for hackers to target specific ATMs.
The "last path" of communication between the ATM and the processing center includes wired and wireless communication methods, such as phone lines, Ethernet, Wi-Fi, mobile networks (CDMA, GSM, UMTS, LTE), and more.
Security mechanisms may include VPN-compatible hardware or software, SSL/TLS (both built into a particular ATM model and from third-party manufacturers), encryption, and message authentication. However, even with these protections in place, hackers can launch effective attacks against them.
In the best case, the ATM connects to the VPN server and reaches the processing center within the private network. However, many of these networks do not provide sufficient protection, so in practice they do not protect against major variants of hacking.
A MiTM attack can be launched, which gives the attacker control of the data flows between the ATM and the processing center. This can result in the hacker introducing a fake processing center, which instructs the ATM to issue notes regardless of the card inserted or its balance.
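Both the fake processing center described here and the replayed commands described under Communications and Processing depend on the receiver accepting messages it cannot verify. The following added example, which is not taken from the page or from any ATM vendor's protocol, shows message authentication with a strictly increasing counter rejecting forged, altered and replayed approvals; the message layout, the shared-key scheme and all names are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # size of an HMAC-SHA256 tag
SHARED_KEY = b"constructed-demo-key-not-for-use"  # constructed value


def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: 8-byte counter + payload + HMAC over both (assumed layout)."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """ATM side: accepts a message only if it is authentic and fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, message: bytes):
        """Return (True, payload) or (False, reason)."""
        if len(message) < 8 + TAG_LEN:
            return False, "too short"
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; a fake host without the key fails here.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        (counter,) = struct.unpack(">Q", body[:8])
        # A captured message sent again carries a counter already seen.
        if counter <= self.last_counter:
            return False, "replayed"
        self.last_counter = counter
        return True, body[8:]


if __name__ == "__main__":
    atm = Receiver(SHARED_KEY)
    approval = seal(SHARED_KEY, 1, b"APPROVE txn=1002 amount=20")
    print(atm.accept(approval))  # genuine message
    print(atm.accept(approval))  # same bytes captured and sent again
```

The counter is advanced only after the tag verifies, so rejected messages cannot push the receiver out of step with the genuine host.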
Here are some common network interfaces used by ATMs:
- x.25
- Ethernet
- Mobile networks (CDMA, GSM, UMTS, LTE)
- Phone lines
- Wi-Fi