A security firm consultant also used card reader tech flaws to mess around with point-of-sale systems.
Security issues with ATMs aren’t anything new for cybercriminals and security researchers, but recently readily available phone NFC technology was used to hack into an ATM.
The researcher found bugs letting him use near field communication technology as a quick hack.
The bugs in the systems let the researcher use his phone’s NFC technology to simply wave the device over ATMs and point-of-sale terminals to hack them. By using the contactless credit card readers and the cell phone, the researcher was able to wreak havoc.
The researcher, consultant Josep Rodriguez, was from the IOActive security firm. Rodriguez has been investigated various vulnerabilities related to near field communication (NFC) systems for the last year. This tech is used in point-of-sale systems and ATMs worldwide. They are found everywhere from stores to restaurants and from taxis to farmer’s markets. This is the tech that allows people to simply tap their card or phone – or wave it over the device – to pay or to withdraw cash without having to insert the card into the device.
Rodriguez used an Android app with NFC technology to mimic exploit flaws in system firmware.
Rodriguez built the app that would make it possible for his smartphone to mimic the signals sent by contactless credit cards so that he could exploit near field communication system firmware flaws.
By simply waving his phone over the reader, he was able to exploit several types of bugs and crash ATMs and point-of-sale devices. From there, he could hack them and both obtain and transmit credit card data, altering transaction values invisibly. He was even able to lock the devices and cause a ransomware message to be displayed.
According to Rodriguez, he was able to force at least one ATM brand to dispense cash. That said, he underscored that the “jackpotting” hack for that result was only effective in combination when certain other bugs were present in the ATM software. That said, he did not identify those bugs publicly as he has nondisclosure agreements with the ATM companies.
“You can modify the firmware and change the price to one dollar, for instance, even when the screen shows that you’re paying 50 dollars. You can make the device useless, or install a kind of ransomware. There are a lot of possibilities here,” explained Rodriguez about the security issues with the NFC technology used in the systems’ firmware. “If you chain the attack and also send a special payload to an ATM’s computer, you can jackpot the ATM—like cash out, just by tapping your phone.”