NFC Flaws in POS Devices and ATMs

It’s a series of vulnerabilities:

Josep Rodriguez, a researcher and consultant at security firm IOActive, has spent the last year digging up and reporting vulnerabilities in the so-called near-field communications reader chips used in millions of ATMs and point-of-sale systems worldwide. NFC systems are what let you wave a credit card over a reader — rather than swipe or insert it — to make a payment or extract money from a cash machine. You can find them on countless retail store and restaurant counters, vending machines, taxis, and parking meters around the globe.

Now Rodriguez has built an Android app that allows his smartphone to mimic those credit card radio communications and exploit flaws in the NFC systems’ firmware. With a wave of his phone, he can exploit a variety of bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message. Rodriguez says he can even force at least one brand of ATMs to dispense cash, though that “jackpotting” hack only works in combination with additional bugs he says he’s found in the ATMs’ software. He declined to specify or disclose those flaws publicly due to nondisclosure agreements with the ATM vendors.

Posted on June 28, 2021 at 6:53 AM • 7 Comments

Comments

TimH June 28, 2021 9:33 AM

From Ross Anderson’s work countering the UK banks’ attitude that ATM fraud is impossible, I hope the NDA has a publish clause if the ATM vendors sweep it under the rug.

Dave Smith June 28, 2021 11:45 AM

Sometimes managers get an idea in their head that X is going to be great regardless of the reality and nay-saying of the uninterested designers and security people.

Lived that when management decided that wifi could be used to ‘magically’ patch 25K laptops using corporate patch servers over the internet just by driving into specific locations, without any user interaction required. That was very far from reality, but the internal customer wasn’t interested in reality. Their “vision” was all that mattered, though it wasn’t going to ever be allowed.

echo June 28, 2021 11:52 AM

My spending patterns whether by amount, location, or means are fairly predictable. This is one level of security my bank takes into account with its fraud prevention and resolution policies. For anything important involving large sums I’m happy sticking with the in-person method of needing to present myself and physically sign. I’m somewhat leery of online banking so have avoided this. Could someone fraudulently create an online banking account? I’m sure they could. I don’t use contactless cards nor would I use NFC in any other form so that’s using my phone out the window.

The loophole for banks is that you could have shared your PIN and given your card to someone else. The banks do know there are flaws in the system. I got them to admit that much. Within certain boundaries staff have discretion, and it really comes down to a “heuristic” of whether they believe you or not, which they admitted to. Of the people who contacted the bank to claim they had been victims of fraud, they indicated some decisions could go either way, but there were others they strongly believed were dodgy, so they declined a reimbursement.

In other contexts I’ve learned that if someone is abusing it usually isn’t the first time. Some can go under the radar for some time while others leave the occasional indicator. It’s not always the usual suspects like single mothers on rough council estates or swarthy men with stripy pullovers and bags marked “SWAG” but the middle class on the surface pillar of the community type although their kinds of fraud tend to be different.

Petre Peter June 29, 2021 6:42 AM

What do I care? I am only liable for $50 and if I complain, they might even waive that. Banks work on the idea of safekeeping. Take that out and the entire industry collapses.

Security Sam June 30, 2021 9:42 AM

When POS devices and ATMs
Have their latent flaws flare up
A casual monetary transaction
Turns into a jack in a box pop up.

ADFGVX June 30, 2021 10:10 PM

near-field communications reader chips

Extreme solar activity is going unreported.

hxxps://www.swpc.noaa.gov/products/weekly-highlights-and-27-day-forecast

Highlights of Solar and Geomagnetic Activity
21 – 27 June 2021
Solar activity was at very low to low levels during the period.

Once again, there’s a government “product” yielding no useful information in the public domain.

hxxps://www.forbes.com/sites/jamiecartereurope/2021/04/21/why-the-sun-at-its-most-potent-could-now-be-set-to-give-north-americans-a-precious-naked-eye-moment/

Meanwhile Forbes and other news sources are reporting extreme solar activity: we weak and frail humans are witnesses to scorching heat and blinding bright solar flares unprecedented since Biblical times.

The other day I was very nearly blinded by the terrible bright light of a solar flare as I was in Anchorage, Alaska.

Obviously such activity can cause failures or exacerbate vulnerabilities in “near field” or similar electromagnetic communications.

lurker July 1, 2021 4:48 PM

@ADFGVX
I suppose spaceweather.com is hardly MSM, they have links to realtime GOES data, including solar wind. Their charts clearly showed the disturbance on June 22 which caused thousands of homing pigeons in Europe to fail to “home”. MSM and pigeon fanciers remain “mystified” about the cause. Spaceweather.com have headlined the summer aurora of June 30, identifying the flux change that caused it.

Research on the effects of such flux on NFC devices will be rare. The usual assumption is that there will be more serious things to worry about…
