ATM Security Assessment Checklist
Physical Security
- Ensure that physical guards are present at ATM locations.
- Verify that CCTV cameras are functioning and cover all critical areas.
- Check the integrity and functionality of vault locks and switches.
- Test the strength of vault passcodes against brute-force attacks.
- Test the physical locks (including cash vault & CPU areas) for vulnerabilities.
- Ensure that the PIN entry shield is intact and functioning properly.
- Test for vulnerabilities that allow bypassing physical security measures (alarm systems, sensors, etc.).
- Check for vulnerabilities in wireless or external HID (keyboard, mouse) devices that could grant unauthorized access.
- Verify proper security controls over master keys used for vault & CPU panel access.

Logical Security
- Review network access controls, ACLs, and firewall configurations.
- Assess security configurations (passwords, services, patches, etc.) on network devices.
- Ensure correct system responses to invalid PIN attempts, blocked cards, etc.
- Test the security of alternate boot mechanisms (e.g., external media, USB).
- Disable USB/Autorun: Verify that USB/Autorun features are disabled or restricted to prevent unauthorized software execution.
- Hard disk encryption: Check if the ATM hard drive is encrypted to protect data at rest.
- Review of internal communication between ATM modules: Assess the security of internal protocols and messages (e.g., encryption, authentication).
- Application whitelisting: Ensure only authorized and signed applications can run on the ATM.
- Anti-malware capabilities: Verify that anti-malware or endpoint protection is installed and up to date.
- ATM surveillance (logical/logs): Confirm that ATM event logs and alerts are generated and monitored for suspicious activities.
- Password policy: Assess whether strong password policies (complexity, rotation, lockout) are enforced.
- Presence of host firewalls: Check for local/host-based firewalls and rule configurations.
- Vulnerable operating systems: Identify and remediate known OS vulnerabilities (unpatched systems, EOL OS, etc.).
- Identify open ports, services, and vulnerabilities in the ATM network environment.
- Evaluate network segmentation, firewall rules, and secure communication for ATM endpoints.
- Test for unauthorized data extraction if attackers can boot from external devices.
- Check for the possibility of intercepting unencrypted data over the network.
- Test for weak or default credentials that allow unauthorized access to supervisory or OS functions.
- Assess whether remote or local HID-based attacks can lead to unauthorized control or pivoting.
- Verify that card/PIN data or other sensitive info is not stored in plaintext.
- Ensure encryption of sensitive data in transit (TLS, SSL, or IPsec) and check for any plaintext transmissions.
- Check for vulnerabilities that facilitate card cloning or skimming attacks.
- Test whether malicious code can be injected or a reverse shell can be obtained for persistent access.
- Evaluate the monitoring or SIEM solutions for detecting anomalies and intrusions in real time.
- Confirm that anti-malware measures are updated, configured properly, and effective.
- Assess integrated security controls (firewalls, IDS/IPS, whitelisting, logs) for coverage and effectiveness.

Compliance
- Ensure adherence to relevant governing regulations or standards.
- Verify that necessary payment card industry certifications and assessments are current and valid.

Application Security
- Assess the ATM application for known vulnerabilities (OWASP, SANS, etc.).
- Conduct end-to-end penetration testing to identify security gaps in ATM systems.
- Framework-based assessment: Evaluate alignment with common security frameworks (e.g., NIST, ISO) for ATM security.
- API security testing of ATM applications: Test API endpoints connecting to core banking or third-party services.

Process Review
- Process for remitting/debiting ATM transactions (foreign): Review how foreign ATM transactions are handled and posted.
- Process for review of zero balance accounts: Assess the process for monitoring and managing accounts with zero balances.
- Process for payment message approval: Check approval workflows for ATM payment messages.
- Process for fraud management & detection: Evaluate fraud detection rules, alerting, and prevention strategies.
- Process for risk profiling & KYC review: Assess how risk profiling and KYC measures are integrated into ATM operations.
- Review of incident management process: Evaluate how ATM-related incidents are logged, escalated, and resolved.
- Geo-tagging of ATM transactions: Review the process that tags transactions with geographic data for risk/fraud analysis.

Operational Control
- Assess how dormant and zero-balance accounts are handled to prevent abuse.
- Verify the accuracy and security of remittance processing after transaction approval.
- Check the fraud risk rules in place and evaluate their effectiveness.
- Confirm that backup policies and processes for ATM-related data are robust and regularly tested.

Technical Review
- Review OS hardening, patch status, security settings, etc.
- Check the configuration of routers, switches, firewalls, and other network devices.
- Test whether USB/alternate boot capabilities are locked down.
- Assess the risk of data exfiltration via logical channels (e.g., file transfer, remote access).
- Verify that unnecessary network ports/services are disabled or restricted.
- Ensure that access to the ATM switch (transaction router) is tightly controlled.
- Confirm that ATM network connectivity is limited to authorized endpoints.

API Security Testing of ATM Applications
- Ensure secure authentication, authorization, and confidentiality for ATM API calls.
- Transport confidentiality: Verify that all transmissions (session data) are encrypted in transit (SSL/TLS, IPsec).
- Message confidentiality: Confirm message-level encryption or obfuscation to prevent eavesdropping.
- Message integrity: Check that digital signatures or checksums verify message integrity.
- Server authentication: Validate that the server endpoint is properly authenticated and trusted.
- User authentication: Ensure that user or cardholder authentication mechanisms are robust and secure.
- Authorization: Verify correct role-based or rules-based access to ATM functions and APIs.
- Schema validation: Confirm that all inbound/outbound data conforms to expected structures.
- Content validation: Validate data fields to prevent malicious or malformed inputs.
- Message throughput: Assess performance constraints and reliability of message handling.
- XML Denial of Service protection: Test resilience against DoS attacks that exploit XML processing.
- Business logic bypass – Bypass ATM withdrawal limits: Test if attackers can circumvent normal withdrawal limitations.
- Business logic bypass – Withdraw more funds than available: Check for flaws allowing overdrafts or negative account balances.
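Several of the API checks above (message integrity, schema and content validation, XML Denial of Service protection, and the two business-logic bypass items) describe what a message handler on the ATM switch side must enforce. The following is an added example, not code from the checklist's source: a Python validator for a constructed XML withdrawal message. The HMAC key, field names, daily limit and message shape are hypothetical.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation

MAX_MSG_BYTES = 4096                    # bound parser work before touching the XML
DAILY_LIMIT = Decimal("500.00")         # hypothetical per-card daily withdrawal limit
REQUIRED_FIELDS = {"card", "amount", "nonce"}
HMAC_KEY = b"constructed-demo-key"      # constructed; production keys stay in the HSM


def sign(body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw message bytes (the keyed checksum the sender attaches)."""
    return hmac.new(HMAC_KEY, body, hashlib.sha256).hexdigest()


def validate_withdrawal(body: bytes, mac_hex: str, balance, withdrawn_today, seen_nonces: set) -> tuple:
    """Return (accepted, reason). Each rejection corresponds to a checklist item above."""
    balance, withdrawn_today = Decimal(balance), Decimal(withdrawn_today)
    if len(body) > MAX_MSG_BYTES:
        return False, "oversized message"                    # XML DoS protection
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return False, "DTD/entity declarations not allowed"  # XML DoS / entity expansion
    if not hmac.compare_digest(sign(body), mac_hex):
        return False, "bad MAC"                              # message integrity
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "malformed XML"
    if root.tag != "withdrawal":
        return False, "unexpected root element"
    fields = {child.tag: (child.text or "").strip() for child in root}
    if set(fields) != REQUIRED_FIELDS:
        return False, "schema violation"                     # schema validation
    try:
        amount = Decimal(fields["amount"])
    except InvalidOperation:
        return False, "amount not numeric"
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
        return False, "invalid amount"                       # content validation
    if not (fields["card"].isdigit() and len(fields["card"]) == 16):
        return False, "invalid card number"
    if fields["nonce"] in seen_nonces:
        return False, "replay"                               # replayed, already-approved message
    if withdrawn_today + amount > DAILY_LIMIT:
        return False, "daily limit exceeded"                 # withdrawal-limit bypass
    if amount > balance:
        return False, "insufficient funds"                   # overdraft / negative balance
    seen_nonces.add(fields["nonce"])
    return True, "approved"
```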