With a drill and a homemade hacking rig that can be assembled for about £12, hackers can access a cash machine and empty it in minutes, according to a demonstration at the Kaspersky Security Analyst Summit this week.
Kaspersky security researchers say that the simple attack method has already been honed 'in the wild' in Europe and Russia, although the company hasn't revealed the type of cash machines at risk or the banks that have been attacked.
While you might see stories of people ripping cash machines out of the wall using JCBs, the result is messy and noisy, and the attackers are relatively easily identified and apprehended.
In contrast, Kaspersky's attack requires drilling one hole next to the number pad, routing a cable to connect to an exposed serial port and issuing commands to dispense money.
Despite the ultimately simple attack, which required just a breadboard, an Arduino-like microcontroller, capacitors, an adaptor and a battery, Kaspersky's method did take five weeks of painstaking trial and error using an oscilloscope and logic analyzer to work out the machine's internal security protocols, which were surprisingly limited.
Once that was done, it was possible to send fake commands that look like they're being issued by other genuine modules in the machine, causing it to dispense money freely.
Perhaps the most concerning part for the affected bank in this case is that there's no over-the-air update that can fix the vulnerability; it'll require a hardware upgrade inside the machines to improve security, according to Wired.
Physical attacks and malware are far more common techniques used by thieves to try and score a big payday.
Kaspersky's revelation this week follows claims that as many as 140 banks, telcos and government organisations in over 40 countries (including the UK) may have been compromised with a new form of 'fileless malware'.