ATMs are at risk

We have entered a new era of active and sophisticated malware attack from sophisticated code-literate cybercriminals. New risks from their increasingly well-researched activities include side channel attacks and offline attacks that occur when your machine is not running and while protection may not be available. There is protection available but it doesn’t provide all the answers.

offline attacks

So let’s take a closer look at offline attacks and how you can protect your data.

An offline attack is performed when the main OS is not running – in this case usually when the machine has been booted from a second HDD or USB device. This can happen BEFORE your own operating system starts running and takes control, rendering conventional anti-virus methods useless.

In this offline state the main HDD is simply a storage device that can be updated. This means malware can be copied onto it and then the next time the HDD is booted again that malware WILL execute.

There are some ways to protect your machine: if the HDD is encrypted then it is impossible to access it in this offline state, so it is safe against malware being added.


It may appear that the above is a hypothetical solution that can only occur under a very specialized set of circumstances. In fact it is already happening and a good example can be found in the spate of “jackpotting” attacks seen in the US and elsewhere.

You can find more on these attacks in other thought-leadership articles from KAL but an important and familiar aspect on the use of the malware is how it is initially installed on the ATM. It appears that the malware can only be used on ATMs that have no security protections or where the security protection has not been enabled. In order for the malware to be successful, it requires access to a keyboard port (e.g. PS/2) and/or access to a USB port. As the malware would need to be installed inside the ATM runtime environment, it would be necessary to have physical access as above, and the USB ports would need to be left unlocked for mass storage devices; likely via an unlocked USB port. Once installed, the malware has to install itself and run on the ATM. (Although we should note that this would not be possible on ATMs protected with whitelisting technology as recommended by KAL.) So as we can see the vulnerabilities of a machine described before are already being exploited by cyber criminals.

Request a demo and get started

Due to the nature of our product and services, we only deal with legitimate businesses.
Enquiries will be validated carefully before shipping a sample.

logo ATM´s are at risk How it works News About and Contact