ATM Audit

At Internet Security Auditors we specialize in security audit processes, and collaborate with financial institutions in reviewing their security systems.

Within the ATM platforms of financial institutions, we have experience auditing systems from the largest manufacturers in the market. The tests performed include both ethical hacking tests and technical validations, and the results are useful for evaluating or maintaining compliance with PCI DSS/PA DSS or ISO27001 certification.

Scope of the tests

Architecture and protocols analysis

  • Includes ATMs distributed across the branch network, the network and communication devices, and the servers.
  • The following aspects are reviewed:
    • Theoretical validation of the architecture.
    • Security review of the servers.
    • Network visibility from an ATM.
    • External traffic reaching the ATMs.
    • Information received from the network.
    • Analysis of communication protocols, capture of sensitive data, manipulation of requests, use of insecure protocols/services.
    • Assessment of the risk and business impact of a security incident.

Configuration analysis

  • Incorrect operating system configuration can sometimes generate security problems in the operating system itself or in some of the running applications.
  • The following aspects are reviewed:
    • Configuration of: Users, File system, Security levels, Services, Personal firewall rules, Access to administration tools.
    • PCI DSS hardening.
    • Whether the ATM application configuration can be altered so that information is recorded in logs.

PCI DSS review

  • Review of the PCI DSS requirements to be met by the environment.
  • Review of the controls implemented to meet the PCI DSS requirements following the security evaluation procedures.

ATM application security review

  • Application interface: information obfuscation, maintenance of confidentiality and integrity of information, availability analysis.
  • Information transmission.
  • Storage.
  • Data processing in memory.
  • Security of the services used.
  • Possible manipulations of the application from the host.
  • PCI DSS analysis as described in the previous section.

Client application vulnerability analysis

  • Detection of possible application shortcuts that may exist through manipulation of the client interface.
  • Detection of vulnerabilities in the application or the different software objects that interact with the client interface and that may pose a risk to the availability of the ATM, access to local ATM components or the network.
  • Analysis of possible weaknesses of the application through the use of keyboards connected to the ATM, with physical access to its interior.

Protections against illicit code execution

  • The risk of illicit code execution is reviewed, specifically through tests aimed at confirming or bypassing the protection provided by dedicated protection systems such as application whitelisting.

Software update procedure

  • ATM systems have software components that must be updated regularly to ensure the correction of defects and emerging security vulnerabilities.
  • For ATMs, standards such as PA-DSS require that these processes guarantee the integrity of the update files and make it impossible to attack the traffic or the sources in a way that would alter the files used for updates, both for the operating system and for the ATM application itself.

Hard disk analysis

  • Someone who takes possession of a hard disk used in an ATM (theft, reuse of the disk without proper data deletion) could analyze the content of the disk, especially if cryptographic mechanisms are not used to protect it.
  • The information that can be obtained from the hard disk of an ATM is evaluated, not only in existing files, but also in deleted files.
  • Search for PANs, PIN blocks, track data, etc., on the hard disk to verify secure writing and/or secure deletion of data on the disk according to PCI DSS requirements.
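As an added example (not code from Internet Security Auditors or from any ATM vendor), the following scanner walks a raw disk image and reports the offset of every Luhn-valid PAN and Track 2 record it finds, printing only masked values; it is the kind of check used to confirm that sensitive data was written securely or wiped. The sample image and the test PAN are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample "disk image": filler bytes around a Luhn-valid test PAN,
# a Track 2 style record and a 16-digit number that fails Luhn (must be ignored).
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"log: card read ok 4111111111111111 auth=OK\n"
    + b"\xff" * 32
    + b";4111111111111111=25121011234567890?"   # ;PAN=YYMMSSS...?
    + b"\x00" * 16
    + b"serial 1234567890123456 ignore\n"        # fails the Luhn check
)

# 13-19 digit run not embedded in a longer digit run
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")
# Track 2: start sentinel ';', PAN, '=', expiry YYMM, service code, data, '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[0-9]*\?")

def luhn_ok(digits: str) -> bool:
    """Luhn check; filters out serial numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_image(image: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, kind, masked_pan) for every Track 2 record and stand-alone PAN."""
    findings, track2_spans = [], []
    for m in TRACK2_RE.finditer(image):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append((m.start(), "track2", mask(pan)))
            track2_spans.append((m.start(), m.end()))
    for m in PAN_RE.finditer(image):
        if any(s <= m.start() < e for s, e in track2_spans):
            continue  # already reported as part of a Track 2 record
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append((m.start(), "pan", mask(pan)))
    return sorted(findings)

if __name__ == "__main__":
    for offset, kind, masked in scan_image(SAMPLE_IMAGE):
        print(f"offset 0x{offset:08x}: {kind} {masked}")
```

On a real image the bytes would come from a forensic copy (for example via `mmap`) and the search would also cover unallocated space, since deleted files are part of the evaluation.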

Review of monitoring and remote management processes

  • Theoretical analysis of weaknesses that may be caused by remote management tools in the environment:
    • Protections against alteration of information by third parties.
    • Accessibility to the tools from the network.
    • Requirements for user authentication.
  • Review of the possible impact of inappropriate use of customer support processes:
    • Authentication required to run those processes.
    • Filtering of origins that can execute them.
    • Auditing of actions (logs).
    • Integrity control of messages.

Cryptography of the ATM application

  • It is verified that, in the current process, neither the ATM Master Key nor the keys communicated to the ATM can be obtained.
  • Technical evidence is provided that encrypted data such as the PIN or the track data cannot be decrypted using the keys present in the ATM.

Results

As a result of this audit, the following documentation is provided:

  • Executive report.
  • Files with the results.
  • Specific report on conceptual risk scenarios.
  • Includes all technical results from the vulnerability exploitation tests.
