Almost any cash machine in the world could be illegally accessed and jackpotted with or without the help of malware.
Security researchers at Kaspersky Lab reached this conclusion after investigating real attacks on ATMs and assessments of the machines carried out for several international banks.
The susceptibility of ATMs in particular is due to the widespread use of outdated and insecure software, mistakes in network configuration, and a lack of physical security for critical components of ATMs.
For many years, the biggest threat to the customers and owners of ATMs was skimmers – special devices attached to an ATM in order to steal PINs and data on bank card magstripes. However, as malicious techniques have evolved, ATMs have been exposed to a greater range of dangers.
In 2014, Kaspersky Lab researchers discovered Tyupkin – one of the first widely known examples of malware for ATMs – and in 2015, they uncovered the Carbanak gang, which among other things was capable of jackpotting ATMs through compromised banking infrastructures.
Both attacks were possible because they exploited several common weaknesses in ATM technology and in the infrastructure that supports it.