Researcher shows how an ATM can be hacked with a phone and NFC


NFC read errors discovered by a security expert could be exploited to steal credit card details, hack POS machines and steal cash from ATMs.

As if the miserable state of ATM security protocols and the constant evolution of threat vectors weren’t enough, a security researcher has now identified NFC-related vulnerabilities that could allow an ATM to be hacked. This is not entirely shocking as Kasperksy Labs documented WinPot malware as early as 2019 that could allow a hacker with physical access to the inside of a machine to spit out money. A year earlier, the US government discovered a group of hackers behind a malware attack called Operation FASTCash, which wiped out millions of ATMs in many countries.

Over the years, ATM jackpotting techniques have evolved, and most of it has to do with finding vulnerabilities that remain unpatched for years due to the continued reliance on legacy systems. Researchers have proven on several cybersecurity conventions that the majority of ATMs are still vulnerable to typical attacks such as communications spoofing or the bypassing of an ATM’s internal hard drives simply because they run out of date software and are not regularly maintained.

Related: Two Factor Authentication: How Secure is the Additional Layer of Security?

To further exacerbate the problems, Josep Rodriguez has now documented security vulnerabilities related to near-field communication (NFC) readers used in a variety of ATMs around the world, as reported by Wired. The researcher claims to have developed an Android app that could be used to hack or crash an ATM’s NFC reader by simply waving your phone over it. The detected bugs could be exploited to crash point-of-sale (POS) machines, hack them to steal credit card details, display a fake transaction value or even lock the POS devices.

Vulnerabilities galore, but bad patching multiplies the risk


Rodriguez notes that with knowledge of a few additional bugs, it is possible to exploit the technology to force an ATM of a particular banking institution to dispense cash. In a video shared as a proof of concept, Rodriguez crashed an ATM by waving a phone in front of the machine’s NFC reader. According to Rodriguez, the proper payload attack would trick an ATM into dispensing cash by simply tapping it with a phone. Karsten Nohl from the security company SRLabs mentioned that Rodriguez’s results were excellent, but the NFC trick could only be used to hack credit card details and not to hack details like a PIN. In addition, stealing cash from an ATM using the NFC exploit would require additional knowledge of system-level vulnerabilities.

However, Rodriguez notes that the majority of banking-related machines remain vulnerable as many of them do not receive regular software updates to fix critical bugs. In many cases, physical access to these machines is required in order to update the system, which adds to the challenge of the sheer number of machines. Needless to say, it takes a lot of time and resources to achieve the goal. Dr. Ang Cui, founder of Red Balloon Security, states that the NFC vulnerabilities documented by Rodriguez can actually be misused to steal cash from a modern ATM.

Rodriguez’s technique consists of sending a packet of data from a phone that is much larger than what a credit card sends to an NFC reader, essentially overloading it to corrupt memory and execute malicious code. The cybersecurity expert, who kept the findings secret for over a year, is now looking forward to sharing them in an online seminar. However, the aim is to show how bad the maintenance of such machines is and how weak points like these remain unpatched for years.

Next: Tesla Model X hacked with bluetooth in less than two minutes

Source: Wired

Black Knight on the cover of Black Knight: Curse of the Ebony Blade # 1 (variant).

A future MCU hero reveals the difference between Marvel and DC

About the author


About Author

Leave A Reply