ATMs seem not to be as safe as they should be. Josep Rodríguez, a cybersecurity researcher at the firm IOActive, has warned about the serious vulnerabilities of the NFC technology present in these machines. These failures allow from extract information from cards to withdraw cash, all with an Android terminal as a tool.

Wired says the researcher has spent the last year analyzing the vulnerabilities of NFC readers. It is a technology that has multiplied its presence in recent years. Present in all types of stores and ATMs, it allows you to use cards simply by resting them on the device, that is, it is not necessary to slide or insert them.

Rodríguez explains that he has developed an Android application that mimics the radio communications of a credit card. In this way, it takes advantage of the flaws of NFC technology and can execute a wide variety of attacks on an ATM. For example, recollect card information, change transaction value, and lock devices with ransomware.

“You can modify the firmware and change the price to a dollar, for example, even when the screen shows that you are paying $ 50. You can disable the device or install some kind of ransomware. There are many possibilities here.” Josep Rodríguez, cybersecurity researcher at the firm IOActive

The NFC problem put to the test in an ATM in Madrid

Photo by Hello I’m Nik on Unsplash

In order to demonstrate the vulnerabilities, Rodríguez shared a video with Wired in which passing his phone through the NFC reader of an ATM in Madrid causes an error. The machine stopped reading cards, that is, it was unusable. The video has not been released for legal and ethical reasons.

However, this is not all. The researcher also discovered that some ATMs can be forced to distribute cash through jackpotting methods. “You can withdraw money just by touching your phone,” says Rodríguez, but points out that this type of attack is only effective on devices that combine various software bugs.

The cybersecurity consultant says that ATMs have been dragging problems for decades, since they do not receive updates regularly. Affected vendors have been notified nearly a year ago by IOActive. Among them are ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo and an unidentified one.

Also in Ezanime.net