Skip to Content
Security & privacy

Flaw in popular ATMs allows criminals to steal cash and your data

ATMs are supposed to be a safe, convenient way for people to access their money. At least, they are in theory — but hackers, as always, have other ideas.

A team of security researchers has discovered two critical security flaws in some of the most common ATMs in America. With a bit of malicious code, a hacker can easily steal all the cash from an ATM. Worse still, the second flaw gives total access to an ATM’s data — which means a hacker could siphon up the information of anyone who’s ever used it.

Criminals are still relying on less smart tech to steal your money, too. Click or tap to see how to avoid credit card skimmers at ATMs.

If you think you’re safe when you visit an ATM, think again. Here’s what you need to know about this dangerous ATM flaw before hackers are able to take advantage of it.

Bank ATMs let you “apply for a pwn”

According to new reports from Bloomberg, a pair of researchers from Red Balloon Security found a two critical security flaws in ATMs manufactured by Nautilus Hyosung America Inc. This company is the largest provider of ATMs in the United States, and their machines are found in most major banks.

The researchers found that with access to the same network as the ATM, they were able to hijack its system and completely take the machine over. These vulnerabilities allowed the researchers to bypass any security software, giving them them plenty of opportunity to wreak havoc.

One vulnerability is in the software that powers the ATM’s accessories — such as the cash dispenser, PIN pad and card reader. By cracking this exploit, the researchers found plenty of areas where malicious code could be injected. This would allow the hacker to theoretically empty the ATM of all its cash.


Relatd: Government systems not yet updated to protect against fraud


The other exploit is far more dangerous to bank visitors. This one harness the “remote management system,” which is often used by IT professionals to diagnose and control a computer remotely. Researchers theorize a hacker could steal the card information of anyone who’s ever visited that machine. Effectively, that ATM becomes a giant credit card skimmer.

The researchers aren’t sharing any specifics about how the exploits work to prevent criminals from taking advantage — but great minds tend to think alike. The fact that the vulnerabilities are out in the open means it’s only a matter of time before some cybercriminal catches on and starts robbing people.

What can be done about this security flaw?

According to the researchers, the flaw was reported to Nautilus Hyosung earlier in the summer. An urgent software fix was created and pushed to machine owners, but Red Balloon argues there’s no way of knowing which machines have been updated.

Thankfully, both Nautilus Hyosung and Red Balloon Security have acknowledged that the exploit hasn’t been used in the wild. You should still exercise caution using an ATM in an isolated area, though. Not only are these machines more likely targets for credit card skimmers, they’re also under less supervision and a prime real estate for hackers.

Stick to ATMs placed inside banks where security is present. Since both exploits required direct access to the machine’s networks, only an extremely talented hacker would be able to compromise one remotely.

Still, if you suspect your bank account or card has been compromised, there are some steps you can take to protect your identity. Click or tap here to learn why freezing your credit is a good idea if you suspect identity theft.

cryptocurrency e-book hero

New eBook: ‘Cryptocurrency 101’

Don't want to lose your dough to crypto? Check out my new eBook, "Cryptocurrency 101." I walk you through buying, selling, mining and more!

Check it out