Security Researcher Warns About NFC ATM Vulnerabilities
Published: July 13, 2021
Just recently, a security researcher named Josep Rodriguez from Madrid, Spain, has warned that ATMs are vulnerable to attacks through their NFC readers. NFC systems let people wave a credit card over a reader instead of swiping or inserting it to make a payment or withdraw cash from a machine.
Rodriguez is a security researcher from IOActive who has spent the last year investigating, testing, and reporting vulnerabilities of the “near-field communications reader chips” installed in ATMs and POS (point of sale) systems worldwide.
Josep's attacks are relatively easy to carry out. By simply waving a phone running his software near an ATM's NFC reader, he can exploit whatever vulnerabilities the machine might have.
In one video shared with Wired, Josep showed that when he waved his phone at an ATM in Madrid, it displayed an error and then stopped responding to real credit cards. He further warned that there are more issues with the systems.
In a report alerting the affected vendors, Josep stated that his research discovered flaws in the NFC readers, including, but not limited to, being crashed by a nearby NFC device, being hit with ransomware, or being hacked to obtain credit card data. He further warned that such vulnerabilities might also lead to a “jackpotting” attack, a hack that makes ATMs release cash.
Josep also pointed out more problems in the systems. For instance, NFC readers do not verify the amount of data they are receiving. As a result, he was able to overload the system with data and corrupt its memory. Rodriguez intends to present his findings in a webinar to highlight the poor security of such devices.
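The missing size check described above, shown beside a hardened form. This is an added example, not code from Rodriguez's research or from any vendor's firmware; the tag/length/value frame layout, `FIELD_MAX`, and all function and variable names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIELD_MAX 16  /* hypothetical fixed-size field in reader memory */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

struct card_field {
    uint8_t tag;
    uint8_t len;
    uint8_t value[FIELD_MAX];
};

/* Constructed sample frames: [tag][declared length][value bytes...] */
static const uint8_t frame_ok[]    = {0x01, 0x03, 0xAA, 0xBB, 0xCC};
static const uint8_t frame_lying[] = {0x01, 0xFF, 0xAA};  /* declares 255, carries 1 */
static const uint8_t frame_big[19] = {0x01, 17};          /* 17 bytes > FIELD_MAX */

/* Unsafe pattern: trusts the length byte supplied by the remote NFC device.
 * A declared length above FIELD_MAX writes past value[]; a declared length
 * above the bytes actually received reads past the receive buffer. */
void parse_field_unchecked(const uint8_t *frame, struct card_field *out)
{
    out->tag = frame[0];
    out->len = frame[1];
    memcpy(out->value, frame + 2, frame[1]);
}

/* Hardened form: the declared length is checked against both the bytes
 * actually received and the destination capacity before anything is copied. */
int parse_field_checked(const uint8_t *frame, size_t frame_len,
                        struct card_field *out)
{
    if (frame == NULL || out == NULL || frame_len < 2)
        return PARSE_TRUNCATED;
    size_t declared = frame[1];
    if (declared > frame_len - 2)
        return PARSE_TRUNCATED;   /* claims more data than was received */
    if (declared > FIELD_MAX)
        return PARSE_TOO_LONG;    /* would overflow out->value */
    memset(out, 0, sizeof *out);
    out->tag = frame[0];
    out->len = (uint8_t)declared;
    memcpy(out->value, frame + 2, declared);
    return PARSE_OK;
}
```

Rejecting the frame outright, rather than truncating it to fit, keeps a malformed message from ever reaching later parsing stages.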