Carding Forum

A cybersecurity researcher has discovered a number of bugs that allow ATMs and POS terminals to be hacked. Experts and criminals have demonstrated attacks on ATMs before, but this time a genuinely new method was shown - one that uses a smartphone against the contactless card reader.
Joseph Rodriguez, a security researcher at IOActive, has spent the last year searching for vulnerabilities in NFC reader chips used in millions of ATMs and payment terminals around the world.
If you don't know, NFC is the technology that lets us pay for goods contactlessly with our cards. Such readers can be found in almost every store, restaurant and similar venue.
Taking into account this feature and the nuances of how NFC operates, Rodriguez wrote an Android application that lets a smartphone imitate a bank card's exchange with the reader. The expert's program exploits vulnerabilities in the firmware of the NFC reader chips.
In other words, simply by waving his phone at an ATM or terminal, Rodriguez could exploit a number of bugs that could eventually hack the devices, cause them to malfunction, or alter transaction data. Furthermore, exploiting these holes could result in the ATM being locked out, after which a ransom could be demanded.
According to Rodriguez, he managed to force an ATM from one of the manufacturers to "spit out" money - the so-called "jackpot attack". The specialist refused to disclose the details of the vulnerabilities used, so as not to violate the agreement between him and the ATM manufacturers.
"You can modify the firmware and change, for example, the price by one dollar, although the display will show, say, $50. You can also brick the device or install some ransomware. There are many possibilities, really," Rodriguez explains.
"And if you couple the attack with sending a special payload to the ATM computer, you can perform a jackpotting attack."
The specialist notified the manufacturers whose ATMs are affected by the problem: ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo. There is another complication - patching hundreds of thousands of ATMs, which still has to be done physically on site, is no easy task.
The expert shared a video with WIRED demonstrating the attack method he described.
