NFC Flaw Lets Hacker Break ATMs With a Phone

[…]

According to Wired, however, at least one researcher has found a way to avoid most of this trouble, drawing cash from ATMs like magic with a simple flick of his wrist. The outlet reported Thursday that Josep Rodriguez, a researcher and consultant at security firm IOActive, has built up a collection of bugs affecting NFC systems—a.k.a. near-field communication—which many modern machines rely on to wirelessly transmit data, including debit and credit card info.

Rodriguez, who’s hired to legally test machines to improve their security, has been able to use NFC readers to trigger what programmers call a “buffer overflow,” or excess of data that corrupts a machine’s memory. This decades-old attack has allowed Rodriguez to exploit ATMs and other point-of-sale machines—think retail store checkout machines—in a variety of ways: capturing payment card info, injecting malware, and even in one case “jackpotting” an ATM, which is exactly what it sounds like:

“Rodriguez has built an Android app that allows his smartphone to mimic those credit card radio communications and exploit flaws in the NFC systems’ firmware. With a wave of his phone, he can exploit a variety of bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message.”

According to Wired, Rodriguez has kept his findings under wraps for around a year and is otherwise legally bound not to reveal the identities of certain companies he’s worked for. Nevertheless, being bothered that a decades-old technique is still affecting a host of modern machines, he intends to disclosure more technical details in the coming weeks in an effort to call attention to, as Wired puts it, “the abysmal state of embedded device security more broadly.”

Source: NFC Flaw Lets Hacker Break ATMs With a Phone

Which is why people think Responsible Disclosure is important – ie telling a company about a flaw and then giving them a reasonable time frame to fix it before going public with the full details of the flaw. If you don’t do it, the problem doesn’t get fixed.

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft