J. Bräuer, B. Gmeiner, J. Sametinger: ATM Security - A Case Study of a Logical Risk Assessment, Proceedings of the Tenth International Conference on Software Engineering Advances (ICSEA 2015), Barcelona, Spain, November 15-20, 2015, (Best Paper Award), icsea_2015_13_40_10219.
Automated Teller Machines (ATMs) contain considerable amounts of cash and process sensitive customer data to perform cash transactions and banking operations. In the past, criminals mainly focused on physical attacks to gain access to cash inside an ATM’s safe. They captured customer data on the magnetic strip of an ATM card with skimming devices during insertion of the card. These days, criminals increasingly use logical attacks to manipulate an ATM’s software in order to withdraw cash or to capture customer data. To understand the risks that arise from such logical attacks, we have conducted a risk assessment of an ATM platform that is running in a real banking environment. The result of this assessment has revealed the main issues that are responsible for vulnerabilities of an ATM platform. In this paper, we discuss the findings of our risk assessment as well as countermeasures to mitigate serious risks in order to ensure a secure banking environment. The risk assessment has revealed effective countermeasures and has additionally provided a prioritization of activities for ATM manufacturers.