ATM Security Testing

In the past, skimming was one of the main causes of unauthorized ATM withdrawals. Cyber criminals are now launching advanced attacks against cash machines and their underlying infrastructure to dispense cash without being tracked. Cyber threats to ATMs have increased exponentially over the last few years. Torrid Networks provides specialized security testing services that offer a comprehensive assessment of the ATM environment.

Our Methodology

  • The physical security of the machine is challenged to assess its protection from physical attacks
  • Remotely exposed vulnerabilities are discovered by performing a penetration test
  • A configuration assessment is performed to identify inadequate configuration and security mechanisms
  • Security testing is performed against the application to test for adequate security controls
  • The architecture is reviewed to ensure the ATM environment is secure by design

Standards

To perform end-to-end security testing of the ATM environment, we closely follow various standards, guidelines and guides to ensure comprehensive testing coverage for threats and best practices.

  • PCI DSS
  • PCI PA-DSS
  • PCI PTS POI
  • PCI HSM
  • ATMIA
  • OWASP
  • WASC
  • OSSTMM
  • NIST

Approach

Architecture Review

The architecture of the ATM environment is evaluated to discover architecture-level flaws. The review covers the available architecture documentation, policies and security controls, and includes interviews with the associated stakeholders, to ensure a resilient ATM environment. Inter-connectivity of the networks, systems, process workflow, alerting and detection mechanisms for physical tampering, the incident response program, security guidelines and general security controls are evaluated at this stage.

Physical Security Review

The ATM's physical case is the first line of defense; it encloses the various components, including the computer, cash cassettes, cash dispenser and the rest of the hardware. Physical I/O ports such as USB/serial are also abused to implant malware into the ATM. The possibility of escaping or "jailbreaking" via I/O ports, lock-picking techniques, boot loader security, setting up a rogue processing unit, internet connection hijacking and even protection from physical force or tampering are evaluated during this phase.

Network Security Testing

Network security testing identifies network-level vulnerabilities in the ATM system. The ATM network is normally segregated from the bank network, and the ATM has to communicate with the back-end server in order to process transactions. Once the IP address of the ATM host is obtained, a comprehensive port scan, vulnerability assessment and penetration test are performed. This exercise may also include traffic capture or replay, MITM attacks, etc. to identify insecure communication between the client and server. Network security testing highlights the remotely exploitable vulnerabilities in the ATM host and connected hosts or devices.

Application Security Testing

In this phase, the application is tested for various flaws, including insecure storage, logs, data files, registry and even in-memory data, which can be utilized by malware to steal confidential data. Protection from reverse engineering and DLL hijacking, and encryption strength both in storage and in transit, are also evaluated. Communication between the client and server is intercepted and tampered with to test for server-side vulnerabilities. Traffic replay and protocol fuzzing are also performed to identify insecure protocol implementations which could be used by an attacker to take over the ATMs or the back-end network.

Configuration Review

A configuration audit, also referred to as whitebox testing, evaluates security flaws which are sometimes not remotely discoverable but could still have serious security implications. With this exercise, hidden security problems in the ATM environment can be uncovered and mitigated to ensure a secure environment. To conduct the configuration audit, access to the operating system with higher privileges, service components, configuration files, etc. is requested from the organization under assessment.
