NFC Flaws Let Researchers Hack ATMs by Waving a Phone
For years, security researchers and cybercriminals have hacked ATMs by every avenue they could find into the machines, from opening a front panel and sticking a thumb drive into a USB port to drilling a hole that exposes the internal wiring. Now a researcher has found bugs that allow him to hack ATMs, along with a variety of point-of-sale terminals, in a new way: with a wave of his phone over a credit card reader.
Josep Rodriguez, a researcher and consultant at security firm IOActive, has spent the last year digging up and reporting vulnerabilities in the so-called near-field communication (NFC) readers used in millions of ATMs and point-of-sale systems around the world. NFC systems are what let you wave a credit card over a reader, rather than swipe or insert it, to pay or to withdraw money from a cash machine. You can find them in many retail stores and restaurants, vending machines, taxis, and parking lots around the world.
Rodriguez has now developed an Android app that allows his phone to emulate those credit card communications and exploit flaws in the NFC systems' firmware. With a wave of his phone, he can exploit a variety of bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message. Rodriguez says he can even force one brand of ATM to dispense cash, though that “jackpotting” hack only works in combination with additional bugs he says he has found in the ATMs' software. He declined to specify or disclose those flaws publicly because of nondisclosure agreements with the ATM vendors.
“You can change the firmware and change the price to one dollar, for example, even if the screen shows you are paying $50. You can make the device useless, or set up a type of ransomware. There are many possibilities here,” Rodriguez said of the point-of-sale attacks. “If you chain the attack and also send a special payload to the ATM's computer, you can make the ATM dispense money, just by tapping your phone.”
Rodriguez says he alerted the affected vendors (including ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and an unnamed ATM vendor) to his findings between 7 months and a year ago. Even so, he warns that the sheer number of affected systems, and the fact that many ATMs do not receive frequent software updates and often need them, mean that many of these devices likely remain vulnerable. “Patching hundreds and hundreds of ATMs is something that can take a lot of time,” Rodriguez says.
As a demonstration of the lingering problem, Rodriguez shared a video with WIRED in which he waves a phone over the NFC reader of an ATM on the street in Madrid, where he lives, and causes the machine to display an error message. The NFC reader appears to crash, and no longer reads his credit card when he touches it to the machine. (Rodriguez asked WIRED not to release the video for fear of legal action.)
The findings are “an excellent study of the risks of software used on embedded devices,” says Karsten Nohl, founder of security company SRLabs and a well-known firmware hacker, who reviewed Rodriguez’s work. But Nohl points out a number of drawbacks that reduce the attacks' practicality for real-world thieves. A hacked NFC reader can only steal credit card information, not the victim’s PIN or the data from EMV chips. And the fact that the ATM cash-out attack would require an additional, distinct vulnerability in the target ATM's software is no small caveat, Nohl says.