As a result, Australian banks have stalled and allowed self-imposed deadlines to lapse. ATMs were supposed to be EMV-complaint by October 2013. The deadline was then moved forward to June 2014, but that date is still not set in stone, leaving further opportunities for fraud, Keshek said.

"By nature, the less secure country becomes a target," Keshek said. "Attackers start looking at fairly large countries that don't have the same secure infrastructure, Australia being one of them."

Commonwealth Bank, which runs more than 4,000 ATMs in Australia, said in November 2011 it would be the first to roll out ATMs that meet the EMV standard. NAB plans for its ATM fleet to be fully EMV-enabled by the end of June 2013, while ANZ said its plans were commercially sensitive but that the upgrade was a "top priority." WestPac said the majority of its ATMs are EMV-capable, but that does not necessarily mean the machines are compliant yet.

About half of the 30,000 ATMs in Australia are run by non-bank companies. The largest are First Data and Customers ATM. First Data declined to comment, while Customers ATM declined to grant an interview but said it was working toward full EMV compliance.

Typically, non-bank ATMs "are not going to be built to the same security standards as bank ATMs because they are cheaper devices," said Iain Swaine, principal consultant for e-crime prevention at Greenway Solutions, a consultancy based in the U.K. The non-bank ATMs must meet the same security standards as mandated by Visa and MasterCard, but Swaine said the devices may not be as physically secure as bank ATMs.