"This is why there is more chance of card skimmers working on them and that attackers can either physically get into the devices to put internal skimmers or to eavesdrop on the modem connection out of the back," Swaine said.

Since not all payment cards have the EMV chip in Australia, some banks may have not turned off the so-called "fallback" mechanism which allows an ATM to read data from the card's magnetic stripe. In some cases, ATMs will also read the magnetic stripe data if the chip appears faulty.

That opens a window of opportunity for fraudsters, who can take advantage of the complexity, testing ATMs to see if the devices will pay out.

If a customer's ATM card has been skimmed and a counterfeit card is made, "there's no way for a bank to tell whether a cloned magstripe or a real magstripe is used," said Steven J. Murdoch, a researcher in the Security Group of the University of Cambridge Computer Laboratory who has extensively studied EMV. "Bank records should be able to distinguish between chip and magstripe."

The situation is bad news for customers, who can bear the liability if their chip card is used fraudulently. If a chip card's magnetic stripe is cloned and a bank's ATM is configured to only read the magnetic stripe, it can be difficult for a customer to prove they did not perform a suspicious transaction.