Date: 2021-06-25

When we talk about security in the world of computing, it seems that hackers are always ahead. Thousands of people are constantly searching for security holes, and corporate security professionals take it upon themselves to plug them as they become exposed.

This has now been shown once again with some ATMs, which are vulnerable to mobile phones with NFC.

It is clear that hacking an ATM can be of enormous interest to criminals. There is a lot of money inside those machines, so breaching their security can mean immediate enrichment that is difficult to trace. But in addition to money there is something that can be even more tempting: data.

The point is that hacking an ATM through a USB port is no longer as easy as it used to be, but doing it wirelessly is. It is not necessary to break anything, and according to Wired, there is evidence that Josep Rodríguez, a researcher at the security firm IOActive, has identified flaws in the way data is transmitted in NFC systems. Apparently many ATMs rely on NFC to send data such as their customers' debit and credit card numbers. The Wired article includes a video showing the error.

In tests, he used NFC readers and managed to cause a buffer overflow by sending more data than the machine can process. This error was enough to recover customer card data, but it also allowed injecting malware or fooling merchant machines, for example by indicating that you are paying $50 when in fact only one dollar is being paid.
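A buffer overflow of the kind described above occurs when a receiver copies more data than its fixed buffer can hold. The following is an added example, not code from the article, Wired, IOActive or any vendor, that contrasts an unchecked copy with a bounds-checked one; the frame layout (tag byte, 2-byte length, payload), the 64-byte buffer and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CARD_BUF_LEN 64  /* assumed size of the reader's fixed receive buffer */
enum { FRAME_TRUNCATED = -1, FRAME_TOO_LONG = -2 };

/* Hypothetical frame layout: 1 tag byte, 2-byte big-endian length, payload. */

/* Unsafe pattern, shown for contrast only and never called here:
 * the copy size comes straight from the sender-controlled length field. */
int parse_frame_unchecked(const uint8_t *frame, uint8_t out[CARD_BUF_LEN])
{
    size_t claimed = ((size_t)frame[1] << 8) | frame[2];
    memcpy(out, frame + 3, claimed);  /* writes past out[] when claimed > 64 */
    return (int)claimed;
}

/* Hardened: check the claimed length against the bytes actually received
 * and against the destination buffer before copying anything. */
int parse_frame_checked(const uint8_t *frame, size_t frame_len, uint8_t out[CARD_BUF_LEN])
{
    if (frame == NULL || frame_len < 3) return FRAME_TRUNCATED;
    size_t claimed = ((size_t)frame[1] << 8) | frame[2];
    if (claimed > frame_len - 3) return FRAME_TRUNCATED; /* field exceeds data present */
    if (claimed > CARD_BUF_LEN) return FRAME_TOO_LONG;   /* more than the buffer holds */
    memcpy(out, frame + 3, claimed);
    return (int)claimed;
}

/* Constructed sample input: a frame whose length field says `claimed`
 * while `actual` payload bytes follow the 3-byte header. */
int run_case(size_t claimed, size_t actual)
{
    uint8_t frame[3 + 512] = { 0x01, (uint8_t)(claimed >> 8), (uint8_t)claimed };
    uint8_t card[CARD_BUF_LEN];
    if (actual > 512) return FRAME_TRUNCATED;
    memset(frame + 3, 0xAA, actual);
    return parse_frame_checked(frame, 3 + actual, card);
}

int main(void)
{
    printf("well-formed 16-byte frame: %d\n", run_case(16, 16));
    printf("oversized 300-byte frame:  %d\n", run_case(300, 300));
    printf("length field 40, 8 sent:   %d\n", run_case(40, 8));
    return 0;
}
```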

You can modify the firmware and change the price to a dollar, for example, even when the screen shows that you are paying 50 dollars. You can disable the device or install some kind of ransomware. There are many possibilities here […] If you chain the attack and also send a special payload to an ATM computer, you can earn money at the ATM, such as withdrawing money, just by touching your phone.

To do this, Josep developed an Android app that mimics credit card communications. In this way, taking advantage of security holes and errors in NFC systems, it could do anything from blocking devices to stealing private data.

For legal reasons, the consultant cannot say which companies are affected, but since the problems have not been solved, and it has been a year since he identified them, he plans to give technical details during the next few weeks, something that could lead both to the problems being fixed immediately and to the use of these apps by hackers around the world.