
ATMs and Cash Deposit Machines are unusual in cybersecurity: fielded devices that handle cash, accept cards, in many cases run decade-old operating systems, and sit in physically exposed locations. The threat model spans physical tampering, software compromise, network intrusion, and the operational processes around cassette handling and key management.

Engagements typically run on a representative test ATM at our lab or in a controlled bank environment. Coverage spans hardware-level testing (card reader, PIN pad, cash dispenser), software and firmware analysis, network and transaction-layer testing, and operational process review. Findings map to the relevant regional banking regulator requirements and to PCI PIN / PTS expectations.

What's at stake.

ATMs run unusually long-lived software

A typical ATM in production may be running an OS family no longer in mainstream support. Patch cycles are constrained by vendor release schedules and operational windows.

Regional regulators look at this specifically

Bank of Thailand, MAS, and OJK all publish expectations on ATM security testing for banks operating the channel. Vendor-supplied attestation is rarely sufficient.

What we test.

Hardware & physical

  • Card readers
  • Cash dispensers
  • PIN pads
  • Physical security and enclosure
  • Environmental and operational security

Software & network

  • ATM software and firmware
  • Transaction processing systems
  • Network communication
  • Skimming, tampering, and malware attacks
  • Network intrusion

The flaws engagements like this consistently surface.

These are drawn from the categories our consultants most commonly surface across engagements of this type. Severity and prevalence vary by environment and maturity.

Enclosure and tamper resistance

Skim-friendly card-reader bezel designs, defeatable enclosure locks, exposed maintenance interfaces.

Software stack weaknesses

ATM application bypassable via kiosk-mode escape, unpatched OS components, insecure update channel.

Network and transaction

Weak protection on host-to-ATM communication, replay-tolerant transaction messages, lateral movement from network into ATM estate.

A structured, intelligence-led path through every engagement.

Every engagement follows the same disciplined path through the Velocity platform, so quality, traceability, and reporting are consistent across teams.

Scoping

Define assets, environments, Rules of Engagement, and acceptance criteria with the technical and security stakeholders.

Execution

Manual and tool-assisted testing by CREST-accredited consultants, with evidence captured at each step.

Validation

Every finding is reproduced, risk-rated under CVSS, and confirmed by a second consultant before reporting.

Reporting

Cryptographically signed reports with test-case traceability, severity ratings, reproduction steps, and remediation guidance.

Debrief & Retest

Stakeholder walk-through of findings, prioritisation support, and a retest cycle on remediated issues.

Mapped to recognised baselines.

PCI PIN
PCI PTS
Vendor security guidance (NCR, Diebold, Wincor)
Regional regulator expectations

Test Your Defences Against Adversarial Expertise

Talk to a CREST-accredited consultant about your next penetration testing engagement.