ATMs are getting out of date

Attacks against ATMs and payment terminals have more than doubled since 2017

In 2019, ATMs and online payment terminals (PoS terminals) were attacked more than twice as often as in 2017, as a current long-term analysis by Kaspersky shows [1]. In the past year, the security experts identified more than 8,000 devices worldwide that were affected by ATM or PoS malware. Germany is the front runner in Europe and had a total of 228 ATMs or payment terminals attacked in 2019 - in 2017 there were only 58 [2]. This is particularly problematic because cyber criminals can also gain access to the infrastructure - for example a bank - via a compromised device.

Even if most of the affected devices worldwide were in Brazil and Russia - both countries are considered hotspots for ATM malware and targeted cyber attacks on financial institutions and banks - the increasing trend of attacks against machines and terminals located in Germany gives cause for concern. According to the Kaspersky analysis, malware in the ATM and PoS area is constantly evolving - today's malware can, for example, cover its tracks or contain a video spying tool. In addition, attackers are able to get ATMs to spit out money directly (e.g. ATMJackpot) or to give the backers remote access to a bank's network.

The current attack routes:

  • Port scanning: At the beginning, cyber criminals often look for open ports, services running on them and weak points in these services. The information obtained enables them to choose an effective attack vector.
  • Brute force attacks: Cybercriminals can gain access to a device via an active Remote Desktop Protocol (RDP) on an ATM or PoS system. They try to “guess” the correct password by sending several character combinations to the service.
  • Denial of service attacks: By sending large amounts of data or data in a format that cannot be processed by an application, a cybercriminal can stop an embedded device from working (denial of service).
  • Network exploits: Cybercriminals use unpatched vulnerabilities to initiate an infection.

“ATMs are the ideal target for cybercriminals in several ways because they often run outdated systems that are relatively easy to exploit by attackers and provide access to large amounts of cash,” explains Dmitry Bestuzhev, security researcher at Kaspersky. “The increase in cyberattacks in the ATM and PoS area is likely to continue this year. We are also seeing a new dangerous trend: A group of cybercriminals in Latin America are currently trying to sell ATM malware that has been developed specifically for each major vendor on the market as part of a malware-as-a-service model. Financial organizations should therefore be particularly vigilant and bring their threat intelligence and systems up to date accordingly.”

Kaspersky recommendations for protecting ATMs and PoS terminals

With the recently updated Kaspersky Embedded Systems Security [2] solution, ATMs, PoS systems and other Windows-based embedded devices can be protected from malware and managed and updated remotely, even in areas with weak internet connections. In addition, the new network threat protection component prevents attacks at the network level.

Furthermore, ATMs should be secured as follows:

  • An evaluation of the attack vectors enables the creation of a specific threat model. The risk potential depends on the network architecture and the location where an ATM is installed - so it makes a difference whether an ATM is set up on the street or in the branch with video surveillance.
  • Assess which ATMs are out of date and which operating system they are running, since it may no longer be supplied with updates by the provider.
  • Regular security assessments or penetration tests carried out by security experts such as Kaspersky reveal possible cyberattacks.
  • Regularly check the physical security of ATMs in order to remove elements such as skimmers that may have been attached to the device by attackers.

In addition to an embedded security solution (if possible), PoS terminals require the following measures:

  • Compared to an average ATM, Windows-based PoS terminals are often more powerful, offer more leeway for attackers' tactics and more options for the use of modern malware and hacking tools. The implementation of multi-layer IT protection is essential here in order to effectively secure PoS terminals.
  • Payment terminals are also located in public spaces and are generally less armored than ATMs. As a result, they are also more vulnerable to direct attacks from unauthorized devices. An adequately configured device control based on software is strongly recommended here.
  • Since PoS terminals are often involved not only in financial data processing, but also in the processing of personal data, this increases their attractiveness for cyber criminals. Implementing a monitoring system for data integrity and checking the logs should therefore be mandatory, preferably in such a way that changes can also be tracked offline.
  • Embedded systems should not only be protected by a host-based security solution, but also by an application at network level - for example via secure web gateways or next-gen firewalls. In this way, undesired configurations and unauthorized systems, both inside and outside the network infrastructure of an organization, can be discovered and prevented.

The analysis “A look at the ATM / PoS Malware landscape from 2017 to 2019” can be found at

Further information on Kaspersky Embedded Systems Security can be found at



About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise form the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. Further information on Kaspersky can be found at

Kaspersky long-term analysis: trends, attack vectors and suitable countermeasures in the area of ATM and PoS malware