J. Bräuer, B. Gmeiner, and J. Sametinger, A Risk Assessment of Logical Attacks on a CEN/XFS-based ATM Platform, International Journal on Advances in Security, Vol. 9, No 3&4, pp. 122–132, ISSN 1942-2636, Dec. 2016.
International Journal on Advances in Security

Automated Teller Machines (ATMs) contain considerable amounts of cash and process sensitive customer data to perform cash transactions and banking operations. In the past, criminals mainly focused on physical attacks to gain access to cash inside an ATM’s safe. For example, they captured customer data on the magnetic strip of an ATM card with skimming devices during insertion of the card. These days, criminals increasingly use logical attacks to manipulate an ATM’s software in order to withdraw cash or to capture customer data. To understand the risks that arise from such logical attacks, we have conducted a risk assessment of an ATM platform. This ATM platform is running in a real bank environment and is built on the CEN/XFS specification. The result of this assessment has revealed the main issues that are responsible for vulnerabilities of an ATM platform. The risk assessment has identified effective countermeasures and has additionally provided a prioritization of activities for ATM manufacturers.