Despite being the fastest way to pull cash out of a bank account, ATMs have been a hacking target since their inception, and they remain vulnerable today. Josep Rodriguez has identified a "collection of bugs" that he can chain to hack an ATM "with a wave of his phone over the contactless credit card reader," Wired reports. The same technique also works against other point-of-sale (POS) terminals, the report confirms.
Rodriguez, a researcher and consultant at the security firm IOActive, found and reported a series of vulnerabilities in the NFC reader chips widely used in ATMs and POS systems around the world. He has since built an Android app that exploits these weaknesses in the readers' firmware: the phone emulates a contactless card, and the malformed exchange it carries out with the reader triggers the bugs.
Many ATMs let users tap a card and enter a PIN to withdraw cash or make a payment. Although this is quicker and more convenient than inserting the card, the contactless path has software-level vulnerabilities of its own, and the terminals themselves remain targets for physical card skimmers.
The app takes advantage of bugs in the reader firmware. By waving his phone over the NFC reader, Rodriguez can exploit the ATM or POS device to alter the transaction amount, harvest card data, or transmit data to the terminal. He says he can even lock a device and display a ransomware message on it.
More alarming still, Rodriguez can force one brand of ATM (unnamed because of a non-disclosure agreement with the vendor) to dispense cash. This is known as "jackpotting," and over the years criminals have used a variety of jackpotting techniques to take control of ATMs and empty them.
Rodriguez reportedly notified all of the affected vendors roughly a year ago. Having kept his findings under wraps for almost a year, he now plans to present the technical details in an upcoming webinar, in part, Wired reports, "to push customers of the affected vendors to implement the patches that the companies have made available." The practical takeaway for ATM and POS operators is that fixes exist: the exposure comes from reader firmware that has not yet been updated to the vendor's patched version.
Rodriguez also shared a video with Wired demonstrating the vulnerabilities: by waving his phone over the NFC reader of an ATM in Madrid, he causes the machine to display an error message. He has not released the jackpotting video because of the NDA with the vendor.