As financial institutions enhance ATM security, cybercriminals evolve their attack strategies. One of the most sophisticated and damaging threats is the relay attack—a form of man-in-the-middle (MitM) attack that exploits authentication mechanisms to fraudulently withdraw money. Unlike traditional skimming or phishing tactics, relay attacks can bypass even advanced security measures, making them a growing concern.
This article provides a comprehensive analysis of relay attacks, covering their techniques, real-world examples, and advanced prevention strategies that go beyond conventional security recommendations.
What Is a Relay Attack?
A relay attack occurs when cybercriminals intercept and forward transaction data between an ATM and a legitimate banking system, tricking the ATM into approving unauthorized transactions. These attacks typically involve two synchronized devices:
Relay Device – Placed near a victim's payment card, intercepting authentication signals.
Proxy Device – Positioned at an ATM, replaying the intercepted authentication to conduct fraudulent withdrawals.
How It Works
A victim with an NFC-enabled card or mobile wallet unknowingly transmits authentication data.
The relay device captures this data and transmits it to a remote fraudster.
The proxy device at an ATM replays the data, bypassing security protocols.
The ATM authenticates the transaction, allowing cash withdrawal as if the victim were physically present.
This process exploits legitimate security credentials in real time, making it extremely difficult to detect.
How Relay Attacks Exploit ATMs
Relay attacks often target contactless payment authentication methods, which were designed for convenience rather than long-distance security. The most common methods include:
1. NFC Relay Attacks
Cybercriminals use wireless relaying to transmit NFC card data over long distances.
If the ATM lacks proximity verification, it assumes the card is physically present.
2. Chip & PIN Bypass
Attackers manipulate EMV (Europay, Mastercard, and Visa) protocols.
Weak authentication flows allow unauthorized relay transactions.
3. Biometric Spoofing
If an ATM uses fingerprint or facial recognition, criminals use spoofed biometric data relayed from a hacked device.
4. Ghost Transactions
Some attacks manipulate ATM software into processing transactions without physical card interaction.
Real-World Cases of Relay Attacks
Europe: Contactless Card Theft
Cybercriminals used relay devices to intercept contactless card signals from unsuspecting users in crowded areas.
Attackers executed withdrawals from ATMs miles away, exploiting poor NFC range restrictions.
Asia: ATM Ghost Transactions
Fraudsters manipulated banking software vulnerabilities, allowing transactions without card insertion.
These ghost transactions exploited weak chip authentication measures.
United States: High-Tech EMV Relay Fraud
Hackers successfully relayed Chip & PIN authentication data from stolen cards to an ATM in a different state.
The attack bypassed fraud detection by matching expected user behavior.
Solutions to Prevent ATM Relay Attacks
Effective defense requires a multi-layered security approach combining hardware upgrades, AI-driven fraud detection, and customer education.
1. Enhanced EMV Security
Dynamic Data Authentication (DDA): Uses unique encryption keys per transaction, blocking static relay attempts.
Transaction Timers: ATMs can reject transactions whose responses arrive later than expected, since the added delay identifies a relayed attempt.
2. NFC and Contactless Protection
Distance Bounding Protocols: Ensure transactions occur within a secure proximity.
NFC Signal Limitation: Restricts unauthorized long-range scanning.
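The transaction-timer and distance-bounding ideas above can be seen in a terminal-side check, shown here as an added example that is not from the original article or any ATM vendor. It follows the general shape of a timed single-bit challenge-response exchange; the round count, timing constants, shared key and the SimulatedPath class are assumptions made for the illustration, and the nanosecond timing model is idealised.

```python
import hashlib
import hmac
import secrets

C_M_PER_NS = 0.299792458   # speed of light in metres per nanosecond
ROUNDS = 32                # assumed number of timed single-bit rounds
PROCESSING_NS = 2.0        # assumed fixed card turnaround time per round
MAX_DISTANCE_M = 0.10      # assumed proximity limit for a contactless read

def registers(key, n_term, n_card):
    """Derive the two response registers that both sides precompute."""
    digest = hmac.new(key, n_term + n_card, hashlib.sha256).digest()
    bits = [(byte >> i) & 1 for byte in digest for i in range(8)]
    return bits[:ROUNDS], bits[ROUNDS:2 * ROUNDS]

class SimulatedPath:
    """Constructed stand-in for the channel between terminal and card."""
    def __init__(self, key, distance_m, added_latency_ns=0.0):
        self.key = key
        self.distance_m = distance_m
        self.added_latency_ns = added_latency_ns  # extra delay on the path

    def start(self, n_term):
        n_card = secrets.token_bytes(8)
        self.r0, self.r1 = registers(self.key, n_term, n_card)
        return n_card

    def respond(self, i, challenge_bit):
        bit = self.r1[i] if challenge_bit else self.r0[i]
        rtt = 2 * self.distance_m / C_M_PER_NS + PROCESSING_NS
        return bit, rtt + self.added_latency_ns

def terminal_verify(key, path):
    """Accept only if every round is answered correctly and in time."""
    n_term = secrets.token_bytes(8)
    n_card = path.start(n_term)
    r0, r1 = registers(key, n_term, n_card)
    max_rtt = 2 * MAX_DISTANCE_M / C_M_PER_NS + PROCESSING_NS
    for i in range(ROUNDS):
        challenge = secrets.randbits(1)   # unpredictable, so no pre-answering
        bit, rtt = path.respond(i, challenge)
        if bit != (r1[i] if challenge else r0[i]):
            return "reject: wrong response"
        if rtt > max_rtt:
            return "reject: round-trip time exceeds proximity bound"
    return "accept"
```

The check rejects on timing even when every response bit is cryptographically correct, which is the property a transaction timer adds on top of authentication.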
3. AI-Powered Fraud Detection
Behavioral Analytics: Machine learning detects anomalous withdrawal patterns.
Geolocation Tracking: If a mobile device is far from the ATM, the transaction is flagged.
4. Reinforced User Authentication
Multi-Factor Authentication (MFA): Adds extra verification layers (e.g., SMS OTP, biometric validation).
Liveness Detection for Biometrics: Prevents the use of static biometric data.
5. ATM Hardware and Software Enhancements
Shielded ATM Sensors: Prevent installation of unauthorized relay devices.
End-to-End Encryption: Ensures secure data transmission between ATM, bank, and user.
Future Trends in ATM Security
With relay attacks becoming more sophisticated, financial institutions must invest in emerging security technologies:
Quantum-Secure Authentication – Future-proofing ATMs against advanced cryptographic attacks.
Tokenized Transactions – Replacing card data with dynamic, single-use tokens.
AI-Powered ATM Monitoring – Real-time AI detection of suspicious ATM interactions.
Financial institutions must remain proactive, continuously updating security protocols to stay ahead of cybercriminal tactics.
Conclusion
Relay attacks pose a significant and evolving threat to ATM security. However, banks and ATM operators can dramatically reduce risks by implementing stronger authentication protocols, AI-driven fraud detection, and secure hardware enhancements.
By taking a proactive stance on security, financial institutions can protect users, minimize fraud, and maintain trust in ATM networks.