
Windows ATMs: The Security Flaw Draining Cash Machines Worldwide




An ATM crashes and displays the Windows lock screen. In plain view of everyone. This is not a rare bug — it’s the daily reality of thousands of cash machines around the world. And what this image reveals is far more concerning than a simple software crash.

Behind the steel casing and glowing screen, your ATM is a Windows PC with a cash drawer. A PC that, in many cases, runs an operating system Microsoft no longer protects.

---

1. Your Money Sleeps on Windows



Since the 1990s, the ATM industry made a pragmatic choice: Windows. Why reinvent the wheel when a mainstream OS can run cash management software, touchscreens, and security modules?

The problem is that this choice created a decades-long dependency. In 2014, when Microsoft ended support for Windows XP, 95% of the 2.2 million ATMs worldwide were still running it. Banks had to pay Microsoft extended support fees — sometimes millions of dollars — to keep patching their machines.

Table: ATM OS Evolution

| Period | Dominant OS | Support Status | Estimated Global Fleet |
| --- | --- | --- | --- |
| 2001-2014 | Windows XP | Support ended April 2014 | 95% of ATMs in 2014 |
| 2014-2020 | Windows 7 | Support ended Jan. 2020 | ~60% migrated by 2016 |
| 2016-2026 | Windows 10 IoT 2016 LTSB | End of support: Oct. 13, 2026 | Current industry standard |
| 2025-2034 | Windows 11 IoT LTSC 2024 | Support until 2034 | Migration in progress |


Today, the industry standard is Windows 10 IoT Enterprise 2016 LTSB (Long-Term Servicing Branch). A stable version, free from disruptive updates, ideal for machines that must run 24/7 without rebooting. Except Microsoft is ending support on October 13, 2026. Just 4 months away.

---

2. The Race Against October 2026



The end of support for Windows 10 IoT 2016 LTSB is the equivalent of XP’s end in 2014 — but worse.

Why? Because:

  • Replacing an ATM is expensive: A full-service banking ATM (NCR SelfServ, Diebold DN Series) costs between $20,000 and $55,000. Add installation, civil engineering, and software licensing, and you’re looking at nearly $60,000 per machine.

  • Small banks can’t afford it: A community bank with 15 ATMs needs nearly one million dollars to replace its fleet.

  • Software updates aren’t enough: Many ATMs running Windows 10 IoT 2016 LTSB can’t upgrade to Windows 11 without new hardware. Processor, RAM, TPM 2.0 — everything must be compatible.


Microsoft offers Extended Security Updates (ESU) for a fee, but that’s a temporary bandage. The real solution is migration.

    “Banks waiting until the last minute to migrate their ATMs are repeating the 2014 mistake — but this time, attackers are far better prepared.” — FBI FLASH Advisory, February 2026

    ---

    3. Ploutus: The Malware Draining ATMs Without a Card



    Let’s talk about the real problem. While banks deliberate over migration budgets, cybercriminals are acting.

    Ploutus is a family of malware specialized in “jackpotting” — the art of forcing an ATM to dispense all its cash without a legitimate transaction.

    How It Works



    1. Generic key — ATM locks are standardized. An attacker buys a universal key online to open the cabinet.

    2. Hard drive access — Once the cabinet is open, the ATM’s hard drive is removed or a USB device is plugged in.

    3. Malware installation — Ploutus is copied onto the system, or the drive is replaced with a pre-infected one. The malware installs as a Windows service (DIEBOLDP, ATM Service) and modifies the registry to survive reboots.

    4. XFS layer exploitation — ATMs use a software layer called XFS (eXtensions for Financial Services) that bridges Windows and the hardware (cash dispenser, card reader, PIN pad). Ploutus talks directly to XFS, bypassing the banking application. No authorization needed, no card required.

    5. The ATM dispenses cash — In minutes, the machine empties its cassettes. Up to $200,000 per machine. The entire operation takes less than 10 minutes.

    The Numbers That Chill the Spine



    The FBI published a FLASH alert on February 19, 2026:

  • More than 700 jackpotting attacks recorded in 2025 (vs ~1,900 since 2020)

  • More than $20 million in losses in 2025 alone

  • Ploutus-D is the dominant variant, capable of adapting to any manufacturer (NCR, Diebold, Hyosung) with minimal modifications

  • Attacks are orchestrated by organized criminal groups, including the Tren de Aragua (TdA) gang


Indicators of Compromise (IoCs) listed by the FBI:

| Suspicious File | Typical Path | Behavior |
| --- | --- | --- |
| Newage.exe | C:\Users\SSAuto1\AppData\Local\P | Jackpotting executable |
| NCRApp.exe | Mimics NCR software | XFS injection |
| WinMonitor.exe | Hides its true purpose | Persistent service |
| sdelete.exe | Evidence wiping | Forensic cleanup |


Windows Events to Monitor:

| Event ID | Meaning |
| --- | --- |
| 6416 | USB device plugged in |
| 4663 | Suspicious file write |
| 4688 | Process creation |
| 7045 | Service installation |
| 1102 | System logs cleared |
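
The file names and event IDs above can be correlated per ATM once the logs reach a central collector. The following Python is an added example, not code from the original article or the FBI alert: the indicator names come from the tables above, while the host names, timestamps, paths, the event dictionary layout and the severity labels are constructed assumptions. A host is rated critical when any signal follows a USB insert within ten minutes, high for an indicator or log clear on its own, and review for an unknown new service.

```python
import re
from datetime import datetime, timedelta

# Indicator values copied from the article's tables; everything else is constructed.
IOC_FILES = {"newage.exe", "ncrapp.exe", "winmonitor.exe", "sdelete.exe"}
IOC_SERVICES = {"dieboldp"}
SIMPLE = {6416: "usb-device", 1102: "log-cleared"}
WINDOW = timedelta(minutes=10)  # the article puts a full attack at under 10 minutes

def exe_name(path):
    """File name of the first .exe in a path, ignoring quotes and arguments."""
    m = re.search(r'([^\\/"]+\.exe)', path or "", re.I)
    return m.group(1).lower() if m else ""

def signals(ev):
    """Map one event to the signal names it raises on an ATM (may be empty)."""
    eid, d = ev["id"], ev["data"]
    if eid in SIMPLE:
        return [SIMPLE[eid]]
    if eid == 7045:  # any new service is unusual on a fixed-function machine
        known = d.get("ServiceName", "").lower() in IOC_SERVICES or exe_name(d.get("ImagePath")) in IOC_FILES
        return ["ioc-service" if known else "new-service"]
    path = d.get("NewProcessName") or d.get("ObjectName")
    return ["ioc-file"] if eid in (4688, 4663) and exe_name(path) in IOC_FILES else []

def correlate(events):
    """Return {host: (severity, [signals])}, escalating signals that follow a USB insert."""
    alerts, usb_at = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, t = ev["host"], datetime.fromisoformat(ev["ts"])
        for sig in signals(ev):
            sev, seen = alerts.get(host, ("review", []))
            if sig == "usb-device":
                usb_at[host] = t
            elif host in usb_at and t - usb_at[host] <= WINDOW:
                sev = "critical"
            elif sig != "new-service" and sev != "critical":
                sev = "high"
            alerts[host] = (sev, seen + [sig])
    return alerts

# Constructed events; "data" keys follow the Windows event field names.
SAMPLE = [
    {"ts": "2026-03-01T02:14:05", "host": "ATM-0042", "id": 6416, "data": {"DeviceDescription": "USB Mass Storage Device"}},
    {"ts": "2026-03-01T02:15:40", "host": "ATM-0042", "id": 4688, "data": {"NewProcessName": r"D:\stage\Newage.exe"}},
    {"ts": "2026-03-01T02:16:10", "host": "ATM-0042", "id": 7045, "data": {"ServiceName": "DIEBOLDP", "ImagePath": r'"D:\stage\svc.exe" -k'}},
    {"ts": "2026-03-01T02:21:30", "host": "ATM-0042", "id": 1102, "data": {}},
    {"ts": "2026-03-01T11:02:00", "host": "ATM-0107", "id": 7045, "data": {"ServiceName": "VendorAgent", "ImagePath": r"C:\Vendor\agent.exe"}},
    {"ts": "2026-03-02T04:30:00", "host": "ATM-0300", "id": 4688, "data": {"NewProcessName": r"C:\Tools\sdelete.exe"}},
]
```

Event 6416 is only written when the Audit PNP Activity subcategory is enabled, 4688 requires Audit Process Creation, and 4663 requires object-access auditing with a SACL on the watched paths.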


    ---

    4. PCI DSS: The Compliance Angle That Costs



    An unsupported OS isn’t just a technical risk — it’s a direct violation of PCI DSS standards (Payment Card Industry Data Security Standard). Section 4.2 of the PCI SSC ATM Security Guidelines is clear: every software component of the ATM (OS, XFS middleware, banking application) must be maintained and patched.

    Consequences for a non-compliant bank:

  • PCI DSS fines: up to $100,000 per month for small institutions

  • Risk of losing payment processing accreditation

  • Remediation costs imposed by card networks (Visa, Mastercard)

  • Reputational damage: hard to quantify, devastating for a local bank


ATMs running Windows XP or Windows 7 (still numerous in small community banks) are automatically PCI DSS non-compliant. Even air-gapped (disconnected from the network), a technician with a USB stick is enough to compromise the machine.

    ---

    5. The Global Picture: Who’s at Risk?



    The ATM situation varies dramatically by region:

  • United States: ~450,000 ATMs. Major banks (JPMorgan, Bank of America) have aggressive Windows 11 migration plans. Community banks lag behind.

  • Europe: ~350,000 ATMs. Stronger PCI DSS enforcement. Many already migrated or outsourcing ATM management.

  • Asia-Pacific: ~800,000 ATMs. Mixed picture — Japanese banks are well-prepared, while Southeast Asian markets have many legacy systems.

  • Africa & Middle East: ~100,000 ATMs. Older hardware, Windows 7 still present, limited budgets for migration.


The real risk: as European and American banks migrate to Windows 11, criminals will shift their focus to less protected ATM fleets. Emerging markets become natural targets.

    ---

    6. How to Protect Your ATMs



    If you manage an ATM fleet — or if you’re an IT decision-maker at a financial institution — here are the priority actions to take before October 2026:

    Short Term (Urgent)



    1. Audit your fleet — How many ATMs run on end-of-life OS? Document every machine.
    2. Enable Windows logging — Event IDs 6416, 4663, 4688, 7045, 1102. Forward logs to a centralized SIEM (local logs can be wiped by malware).
    3. Block USB ports — Physically or programmatically disable all non-essential USB ports.
    4. Replace locks — Swap generic key locks with non-standard alternatives.

    Medium Term (2026-2027)



    1. Migrate to Windows 11 IoT LTSC 2024 — Support guaranteed until 2034. One migration for 8 years.

    2. Deploy ATM-compatible EDR (Endpoint Detection & Response) — Specialized solutions (AppGuard, Diebold Agilis, NCR APTRA).

    3. Implement application whitelisting — Only signed executables can run on the ATM.

    4. Encrypt all drives — BitLocker or equivalent to prevent data extraction.

    Long Term (2027+)



    1. Consider ATM-as-a-Service — Outsourcing models transfer security responsibility to the provider.

    2. Train your teams — Maintenance technicians must learn to spot jackpotting signs (modified locks, open panels, suspicious USB cables).

    ---

    The ATM Doesn’t Lie



    An ATM displaying Windows isn’t a bug. It’s a reminder that your money’s security rests on a Windows PC locked inside a steel box. A PC that, in 4 months, might lose its last remaining protections.

    Banks that act now will avoid the October panic. Those that wait will offer prime targets to criminals.

    Is your IT infrastructure ready for October 2026? At Izri.Online, we help businesses audit and secure their systems before critical deadlines.


    ---

    Sources & References



  • FBI FLASH Alert (FLASH-20260219-001), February 2026 — Ploutus ATM Jackpotting Surge

  • Microsoft Windows IoT Enterprise lifecycle — learn.microsoft.com

  • PCI SSC ATM Security Guidelines, Section 4.2 — Security of Basic Software

  • VISA Payment Fraud Disruption — ATM Jackpotting Malware Analysis

  • CNN Money, March 2014 — 95% of ATMs run Windows XP

  • BleepingComputer, February 2026 — FBI: Over $20 million stolen in ATM jackpotting attacks

  • ATM Marketplace / ATMIA — Windows CE to Windows 10 migration reports

