Information security specialist Josep Rodriguez demonstrated several ways to manipulate an ATM using a smartphone. He wrote a mobile application that uses NFC and allows unlimited cash withdrawals, reducing service fees, breaking or blocking the terminal, and other actions.
Rodriguez exploited known vulnerabilities in the NFC protocol to disable the receiving device by sending it a large amount of junk information. The specialist notified banks about this problem about a year ago, and some of them made changes to the operation of their ATMs, but the vulnerability is still relevant for most organizations, since it is physically impossible to update all of them even after such a time.
Using Rodriguez's method, an attacker can remain anonymous, because he does not need to insert a card into an ATM or bring it to an NFC sensor - just touch a smartphone running a malicious application. Rodriguez calls his method a bank jackpot - by analogy with slot machines, which, with a certain amount of luck, make it possible to hit a big jackpot. With a successful combination of circumstances, you can spend your smartphone at the terminal - and in response it will give out a wad of money.
However, the application alone is not enough - you still need to know what vulnerabilities this or that ATM has. The specialist did not disclose details about these vulnerabilities. He hopes the banks will take the issue more seriously and upgrade all of their ATMs as soon as possible.
Rodriguez exploited known vulnerabilities in the NFC protocol to disable the receiving device by sending it a large amount of junk information. The specialist notified banks about this problem about a year ago, and some of them made changes to the operation of their ATMs, but the vulnerability is still relevant for most organizations, since it is physically impossible to update all of them even after such a time.
Using Rodriguez's method, an attacker can remain anonymous, because he does not need to insert a card into an ATM or bring it to an NFC sensor - just touch a smartphone running a malicious application. Rodriguez calls his method a bank jackpot - by analogy with slot machines, which, with a certain amount of luck, make it possible to hit a big jackpot. With a successful combination of circumstances, you can spend your smartphone at the terminal - and in response it will give out a wad of money.
However, the application alone is not enough - you still need to know what vulnerabilities this or that ATM has. The specialist did not disclose details about these vulnerabilities. He hopes the banks will take the issue more seriously and upgrade all of their ATMs as soon as possible.
