Beyond the relentless headlines of data breaches, credit card theft and countless other cybersecurity stories there is very often a simple explanation. Sometimes it is as simple as an employee clicking a link in an email, or a user of a popular cloud service choosing 123456 as their password. So when recent headlines reported the theft of 'millions' from ATMs infected with the Tyupkin malware, we undertook our own analysis in an effort to understand the simple explanation behind this attack. A clue to that explanation is, of course, in the title of this post.

Simply put, the attackers gained physical access to the ATMs and rebooted them from a Live CD. From that environment they directly manipulated the machine's security controls and then installed the malware executable on the system. Not only could the attackers infect the machine and ultimately steal the millions we all saw summarised in the 140 characters that inevitably follow such stories, but the malware was also able to delete itself and clear logs in an effort to cover the criminals' tracks.

Herein lies the nub of the issue. There are solutions that can greatly reduce the risk of malware attacks, but there is no single solution that accomplishes this on its own. ATM security must be implemented in a layered approach, where each layer is a barrier that makes the criminal's job more difficult. Changing the boot order so that the internal disk is tried first would go a long way toward preventing this attack, and eliminating the capability to boot from external media altogether is an effective further layer. Either measure only holds if the firmware settings themselves are protected (for example with a setup password); an attacker who can open the cabinet and reach the firmware menu can simply reverse the change.

To add more protection, consideration needs to be given to how ATMs are deployed. Some models are designed for particular settings, and additional physical protection of the ATM's CPU compartment needs to be implemented. In such circumstances the approaches to consider include not only physical security controls (e.g. alarms, CCTV) but also tamper-evident and tamper-resistant controls. Best practice recommends a layered approach to security so that there are many hurdles to clear rather than just one. A weakness in one layer is mitigated by the security provision elsewhere, and a combination of physical, procedural and logical controls provides a robust environment.

Determining the level of security for such environments means that future risk assessments should not assume every device will sit in a controlled physical environment. Today's criminals are increasingly brazen in mixing the physical and the cyber in modern-day crime.

We would like to thank the team at Kaspersky for providing their analysis of the criminal campaign to our research team.
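The boot-order layer described above is easy to state and easy to regress, so it is worth auditing rather than assuming. The script below is an added example written for this post, not tooling from our research team or from Kaspersky's analysis. It parses text in the format printed by the real `efibootmgr -v` command on a UEFI Linux host and flags active removable or network boot entries, distinguishing those that precede the internal disk (the state that let a Live CD take over the machine) from those merely left enabled. The boot entries shown are constructed samples, not captured from an ATM, and the keyword list used to classify an entry as removable is an assumed heuristic. ATMs of the Tyupkin era mostly ran Windows on legacy BIOS, where no such command exists; the same check applies to whatever the firmware exposes, and it remains only one layer, since an attacker with cabinet access and an unprotected setup menu can undo the setting.

```python
"""Audit a UEFI boot order for removable or network media ahead of the internal disk.

Added example for this post. The efibootmgr-style text below is constructed,
not captured from a real machine.
"""
import re

# Assumed heuristic: substrings that mark a boot entry as removable/network media.
REMOVABLE_MARKERS = ("usb", "dvd", "cd-rom", "cdrom", "floppy", "pxe", "network", "removable")

# Constructed sample in the style of `efibootmgr -v`. The USB and DVD entries are
# active and listed before the disk: the weak configuration.
SAMPLE_EFIBOOTMGR = """\
BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0002,0003,0001
Boot0001* Windows Boot Manager\tHD(1,GPT,1a2b3c4d-0000-0000-0000-000000000001,0x800,0x32000)/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)
Boot0002* UEFI: USB Flash Drive\tPciRoot(0x0)/Pci(0x14,0x0)/USB(3,0)
Boot0003* UEFI: DVD-ROM Drive\tPciRoot(0x0)/Pci(0x17,0x0)/Sata(1,0,0)
"""

# Constructed hardened sample: only the disk is in BootOrder and the removable
# entries are inactive (no '*' after the id, as efibootmgr prints them).
HARDENED_EFIBOOTMGR = """\
BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0001
Boot0001* Windows Boot Manager\tHD(1,GPT,1a2b3c4d-0000-0000-0000-000000000001,0x800,0x32000)/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)
Boot0002  UEFI: USB Flash Drive\tPciRoot(0x0)/Pci(0x14,0x0)/USB(3,0)
Boot0003  UEFI: DVD-ROM Drive\tPciRoot(0x0)/Pci(0x17,0x0)/Sata(1,0,0)
"""


def parse_efibootmgr(text):
    """Return (boot_order, entries).

    boot_order is the list of 4-hex-digit ids from the BootOrder line, in order.
    entries maps each id to {'active': bool, 'label': str}; the label is the text
    between the id and the tab that precedes the device path.
    """
    order = []
    entries = {}
    for line in text.splitlines():
        m = re.match(r"BootOrder:\s*(.*)$", line)
        if m:
            order = [x.strip().upper() for x in m.group(1).split(",") if x.strip()]
            continue
        m = re.match(r"Boot([0-9A-Fa-f]{4})(\*?)\s+([^\t]*)", line)
        if m:
            entries[m.group(1).upper()] = {
                "active": m.group(2) == "*",
                "label": m.group(3).strip(),
            }
    return order, entries


def is_removable(label):
    """Classify a boot entry label using the assumed keyword heuristic."""
    lowered = label.lower()
    return any(marker in lowered for marker in REMOVABLE_MARKERS)


def audit_boot_order(text):
    """Walk BootOrder and report active removable/network entries.

    'before_disk' lists entries the firmware would try before any fixed disk:
    the condition that lets an inserted CD or USB stick replace the OS.
    'still_enabled' lists active removable entries that come after the disk;
    they are only reached if the disk fails to boot, but they still defeat the
    "eliminate external boot" layer.
    """
    order, entries = parse_efibootmgr(text)
    before_disk, still_enabled = [], []
    disk_seen = False
    for boot_id in order:
        entry = entries.get(boot_id)
        if entry is None or not entry["active"]:
            continue  # inactive entries are skipped by the firmware
        if is_removable(entry["label"]):
            (still_enabled if disk_seen else before_disk).append(boot_id)
        else:
            disk_seen = True
    return {"before_disk": before_disk, "still_enabled": still_enabled}


if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_EFIBOOTMGR), ("hardened", HARDENED_EFIBOOTMGR)):
        print(name, audit_boot_order(sample))
```

On a live UEFI Linux host the text would come from `subprocess.run(["efibootmgr", "-v"], capture_output=True, text=True).stdout`; the parser itself is deliberately independent of that so it can be run against saved output from many machines. Any non-empty `before_disk` result is the finding that matters for this attack; a non-empty `still_enabled` result means the second layer (no external boot at all) is not in place.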