With a drill and a homemade hacking rig that can be assembled for about £12, hackers can access a cash machine and empty it in minutes, according to a demonstration at the Kaspersky Security Analyst Summit this week.
Kaspersky security researchers say that the simple attack method has already been honed 'in the wild' in Europe and Russia, although the company hasn't revealed the type of cash machines at risk or the banks that have been attacked.
While you might see stories of people ripping cash machines out of the wall using JCBs, the result is messy and noisy, and the attackers are relatively easily identified and apprehended.
In contrast, Kaspersky's attack requires drilling one hole next to the number pad, routing a cable to connect to an exposed serial port and issuing commands to dispense money.
Although the finished attack is simple, requiring just a breadboard, an Arduino-like microcontroller, capacitors, an adaptor and a battery, Kaspersky's method did take five weeks of painstaking trial and error using an oscilloscope and logic analyzer to work out the machine's internal security protocols, which were surprisingly limited.
Once that was done, it was possible to send fake commands that look like they're being issued by other genuine modules in the machine, thereby allowing them to dispense money freely.
Perhaps the most concerning part for the affected bank in this case is that there's no over-the-air update that can fix the vulnerability - it'll require a hardware upgrade inside the machines to improve security, according to Wired.
Physical attacks and malware are far more common techniques used by thieves to try and score a big payday.
Kaspersky's revelation this week follows claims that as many as 140 banks, telcos and government organisations in over 40 countries (including the UK) may have been compromised with a new form of 'fileless malware'.