Heimdal Security Blog

NFC Vulnerabilities Expose ATMs to Threat: a New Experiment Shows System Flaws

We all use ATMs. They are indispensable. The question is: are they safe? One might think so, of course. A recent experiment has shown the contrary: ATMs can be insecure because their systems contain NFC vulnerabilities. So, with a wave of a phone, vital data can be exposed to hackers’ malicious actions, not only from ATMs but from point-of-sale (POS) terminals too.

NFC Vulnerabilities: What Is NFC?

NFC, short for Near Field Communication, is a wireless technology that allows compatible devices to communicate. NFC devices are either passive or active; passive ones cannot communicate and respond, they just send data. An example of an active NFC device is the smartphone. Based on radio-frequency identification technology, NFC allows users to wave a credit card over a card reader instead of actually inserting it. People can withdraw money from an ATM or make a payment at a POS through NFC systems.


An Experiment Shows NFC Vulnerabilities: ATMs and POS Targeted

Josep Rodriguez, an IOActive security consultant, has been investigating NFC flaws for quite a while. He put the NFC reader chips of ATMs and POS devices to the test. All that he needed was a smartphone with NFC and an Android application he designed. According to wired.com, the researcher’s experiment consisted of creating an app that can imitate radio transmissions, so that the NFC vulnerabilities in the system could be exploited. He even shared with Wired the way it works in a video that was not made public due to GDPR. He chose an ATM on a street in Madrid and waved a smartphone over the NFC reader. The result? An error message appeared on the machine, and the NFC system was blocked from further reading his credit card when used.

In another experiment last year, Josep Rodriguez bought NFC readers and point-of-sale devices to analyze their security flaws too. This experiment concluded that:

They didn’t validate the size of the data packet sent via NFC from a credit card to the reader, known as an application protocol data unit or APDU. By using a custom app to send a carefully crafted APDU from his NFC-enabled Android phone that’s hundreds of times larger than the reader expects, Rodriguez was able to trigger a “buffer overflow,” a decades-old type of software vulnerability that allows a hacker to corrupt a target device’s memory and run their own code.

Source
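The missing check described in the quote above, shown from the defender's side as an added example (it is not code from Rodriguez, Wired or any reader vendor): a reader-side parser that validates the size of a response APDU before copying it. The 256-byte buffer, the function names and the sample frames are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RAPDU_MAX_DATA 256u   /* assumed buffer size: short-APDU response data limit */

typedef struct {
    uint8_t data[RAPDU_MAX_DATA];
    size_t  data_len;
    uint8_t sw1, sw2;          /* trailing status bytes of a response APDU */
} rapdu_t;

/* Parse a response APDU (data || SW1 || SW2) received from the card side.
 * frame_len is controlled by the sender, so it is checked before any copy.
 * Returns 0 on success, -1 on a short or oversized frame (rejected, not truncated). */
int rapdu_parse(const uint8_t *frame, size_t frame_len, rapdu_t *out)
{
    if (frame == NULL || out == NULL || frame_len < 2)
        return -1;
    size_t data_len = frame_len - 2;
    if (data_len > sizeof out->data)   /* the size validation the readers lacked */
        return -1;
    memcpy(out->data, frame, data_len);
    out->data_len = data_len;
    out->sw1 = frame[data_len];
    out->sw2 = frame[data_len + 1];
    return 0;
}

/* Build a constructed frame of frame_len bytes ending in 90 00 and parse it. */
int rapdu_try_len(size_t frame_len)
{
    uint8_t *frame = calloc(frame_len ? frame_len : 1, 1);
    rapdu_t parsed;
    if (frame == NULL) return -2;
    if (frame_len >= 2) frame[frame_len - 2] = 0x90;
    int rc = rapdu_parse(frame, frame_len, &parsed);
    if (rc == 0 && (parsed.sw1 != 0x90 || parsed.data_len != frame_len - 2)) rc = -3;
    free(frame);
    return rc;
}

int main(void)
{
    size_t lens[] = { 1, 2, 258, 259, 258 * 200 };  /* last one: hundreds of times too large */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("frame of %zu bytes -> %d\n", lens[i], rapdu_try_len(lens[i]));
    return 0;
}
```

Rejecting the oversized frame outright, rather than truncating it to fit, keeps the reader from processing a partially copied message.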

What Can a Hacker Do Using NFC Vulnerabilities?

Through NFC vulnerabilities, a threat actor can hack an ATM or POS device, allowing him to:

What Companies Are Targeted by Such Attacks?

Rodriguez warned the companies that could be exposed to such an attack, such as ID Tech, a payment solution provider mainly for ATMs and points of sale, BBPOS, Nexo and the ATM Industry Association. These did not comment. Only Ingenico, the POS provider, responded to these alerts, saying that the NFC vulnerabilities could not be used to obtain code execution.

Can These NFC Vulnerabilities Be Erased and the Systems Improved?

Erasing NFC vulnerabilities is difficult because it is a time-consuming process that requires a physical presence to test the devices. Since the machines exist in large numbers, it would take time to apply patches to all of them, not to mention that these machines are not even regularly checked for security flaws, according to The Verge.