This is Part 2 of a 4-part series on ATM attack risks and defense strategies. In Part 1, we explored the evolving threat landscape and the architecture that makes ATMs vulnerable. Now we turn to the physical attacks that remain a persistent and often devastating threat to ATM operators.
Physical attacks on ATMs are as old as the machines themselves. But don’t mistake “physical” for “unsophisticated.” Today’s physical attack landscape ranges from razor-thin shimming devices invisible to the naked eye to coordinated explosive assaults that level entire storefronts. Understanding the full spectrum of these attacks is essential for any institution operating an ATM fleet.
Card Skimming: The Billion-Dollar Problem
Card skimming remains one of the most prevalent ATM threats. Criminals affix counterfeit card reader overlays to the card slot, reading and storing data from the magnetic stripe as the card is inserted. Skimming is almost always paired with a method to capture the PIN—typically miniature pinhole cameras concealed near the ATM or fake keypad overlays that record keystrokes.
The FBI warns that skimming devices are becoming increasingly difficult to detect, and criminals often work in coordinated teams to install and retrieve them quickly. The FDIC has published guidance warning consumers and institutions alike about the growing sophistication of these schemes. FICO reports that while individual compromise events may fluctuate year over year, skimming continues to generate more than a billion dollars in annual losses globally.
Deep-Insert Skimming and Shimming
As anti-skimming defenses have improved, attackers have responded with more advanced techniques. Deep-insert skimmers are ultra-thin devices placed inside the card reader throat, bypassing external anti-skimming sensors entirely. They are virtually invisible to both users and routine physical inspections.
Shimming targets EMV chip cards specifically. A paper-thin circuit board inserted into the card reader sits between the card’s chip and the ATM’s contacts, intercepting the communication. While shimmers can’t typically clone the chip itself, they capture enough data—card number, expiry date, and potentially cardholder name—to create counterfeit magnetic stripe cards when combined with a stolen PIN. As Bankrate explains, shimming exploits a critical gap: many card issuers still permit magnetic stripe fallback transactions, undermining the security benefits of EMV chip technology.
Santander and Truist have both published consumer guidance on identifying signs of skimming and shimming—a recognition that customer awareness is an important layer of defense, even when technical controls are in place.
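The magnetic stripe fallback gap described above can be monitored on the issuer or processor side. The following is an added example, not code from the original article or any vendor: it flags transactions where a chip card was processed as magnetic stripe. The record layout, verdict labels, and sample transactions are constructed for illustration; the entry-mode values follow the common card-network use of ISO 8583 DE 22 and should be confirmed against your processor's specification.

```python
from collections import defaultdict
from dataclasses import dataclass

# ISO 8583 DE 22: first two digits are the PAN entry mode (common network usage).
MAGSTRIPE_MODES = {"02", "90"}  # card data read from the magnetic stripe
FALLBACK_MODE = "80"            # chip read failed, terminal fell back to stripe
# ISO/IEC 7813 service code: a first digit of 2 or 6 marks a chip-bearing card.
CHIP_SERVICE_DIGITS = {"2", "6"}

@dataclass
class Txn:  # hypothetical record layout for this example
    txn_id: str
    atm_id: str
    pos_entry_mode: str          # DE 22, e.g. "051"
    service_code: str            # from track 2, e.g. "201"
    terminal_chip_capable: bool

def classify(txn: Txn) -> str:
    """Return a verdict label (labels are assumptions, not a standard)."""
    if txn.service_code[:1] not in CHIP_SERVICE_DIGITS:
        return "ok"  # stripe-only card: stripe read is expected
    mode = txn.pos_entry_mode[:2]
    if mode == FALLBACK_MODE:
        return "fallback"
    if mode in MAGSTRIPE_MODES:
        # A chip card swiped at a chip-capable ATM should not normally occur.
        return ("stripe_on_chip_terminal" if txn.terminal_chip_capable
                else "stripe_only_terminal")
    return "ok"

def flagged_by_atm(txns):
    """Group non-ok transactions by ATM so clusters stand out."""
    out = defaultdict(list)
    for t in txns:
        verdict = classify(t)
        if verdict != "ok":
            out[t.atm_id].append((t.txn_id, verdict))
    return dict(out)

# Constructed sample transactions.
SAMPLE = [
    Txn("T1", "ATM-01", "051", "201", True),   # normal chip read
    Txn("T2", "ATM-01", "801", "201", True),   # fallback
    Txn("T3", "ATM-02", "901", "201", True),   # chip card read as stripe
    Txn("T4", "ATM-02", "901", "101", True),   # stripe-only card
    Txn("T5", "ATM-03", "901", "601", False),  # chip card, legacy terminal
    Txn("T6", "ATM-02", "801", "221", True),   # fallback
]

if __name__ == "__main__":
    for atm, hits in flagged_by_atm(SAMPLE).items():
        print(atm, hits)
```

Whether a flagged transaction is declined or only reviewed is an issuer policy decision; the per-ATM grouping helps spot terminals where such transactions concentrate.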
Card and Cash Trapping
Card trapping uses devices—often a “Lebanese Loop” made of tape or plastic—inserted into the card slot to prevent the card from being ejected. The fraudster observes the PIN entry or offers “help,” and when the frustrated customer leaves, the criminal retrieves both the trapped card and the stolen PIN.
Cash trapping works on the output side. Criminals insert a device into the cash dispenser slot that physically blocks dispensed banknotes from reaching the customer. The customer assumes a malfunction and leaves; the criminal returns to collect the trapped cash. The Europol guidelines on preventing physical ATM attacks note that both techniques require relatively low technical skill but can be highly effective, particularly at off-hours locations with minimal surveillance.
When Brute Force Meets Heavy Machinery
The most dramatic physical attacks aim to breach the ATM safe itself or remove the entire machine.
Forcible Entry: Attackers use angle grinders, drills, thermal lances, crowbars, and sledgehammers to cut through or pry open the safe door. These attacks are noisy and time-consuming, making them riskier in monitored locations—but they can yield the full cash contents of the safe when successful.
Ram Raids and Rip-Outs: These highly aggressive attacks use stolen vehicles—often trucks, backhoes, or forklifts—driven directly into ATM installations. Rip-out attacks attach chains to the machine and a powerful vehicle, pulling the ATM from its mounting. Pinkerton reports that freestanding and drive-up ATMs are the most common targets, and these attacks are often completed in just minutes. The stolen machine is usually transported to a secluded location to be broken open later.
Explosive Attacks: Perhaps the most dangerous form of ATM crime, explosive attacks use either flammable gas mixtures or solid explosives to breach the safe. Gas is typically introduced through an opening created by prying the dispenser slot, then detonated to blow open the safe door. Diebold Nixdorf has documented the rising global trend in explosive attacks since they first emerged around 2005. These attacks pose severe risks to public safety—the unpredictable nature of explosions creates danger from flying debris and structural damage to surrounding buildings. The European Association for Secure Transactions (EAST) tracks these incidents across Europe, where they have become a particular concern.
The Risk Matrix for Physical Attacks
Not all physical attacks carry the same risk. Here’s how they map across likelihood and impact:
- High Risk: Card skimming (overlay and deep-insert with PIN capture) — high likelihood, major impact through widespread customer data compromise and cumulative fraud losses
- High Risk: Shimming with PIN capture — medium likelihood but major impact, especially where magnetic stripe fallback is still permitted
- High to Critical Risk: Ram raids and explosive attacks — lower likelihood but catastrophic impact including total asset loss, severe collateral damage, and public safety concerns
- Medium Risk: Card and cash trapping — moderate likelihood and moderate impact per incident, but effective and easy to execute
- Low to Medium Risk: Vandalism — primarily causes operational disruption, though repeated incidents can signal criminal reconnaissance
Geography Matters
The type and frequency of physical attacks vary significantly by location. Factors include local availability of tools and materials (access to industrial explosives in mining regions, for instance), the types of vehicles commonly available for ram raids, the perceived effectiveness of local law enforcement response, and even the severity of legal penalties for different crime categories. A risk assessment that relies solely on global trends without considering local context will miss critical vulnerabilities.
The trend toward more destructive attacks carries implications beyond immediate financial loss. Significant collateral damage and public safety risks may attract greater regulatory scrutiny. Landlords—particularly in residential and mixed-use buildings—may become reluctant to host ATMs due to liability concerns. This could reduce ATM availability in the communities that need them most.
Looking Ahead
Physical attacks are only half the story. In Part 3 of this series, we’ll cross into the digital domain: jackpotting malware that empties cash cassettes on command, black box attacks that bypass all software security, network intrusions that intercept transactions mid-flight, and the devastating backend compromises attributed to state-sponsored groups like North Korea’s Lazarus Group.
This blog series is based on a comprehensive technical analysis covering all ATM attack vectors, a complete risk management framework, and an actionable Capability Maturity Worksheet for assessing your organization’s security posture.
