NFC is Convenient – Just Not Secure

NFC, or Near Field Communication, is the technology that allows you to wave your credit card or phone near a reader and pay for a Starbucks or get money from an ATM without having to take that card out of your wallet.

Many of you have heard me say “Security or convenience, pick only one”. This is an example of that expression.

Historically, researchers and hackers have broken into ATMs using mechanical methods: opening them up and installing hardware, hacking the software, and even drilling holes to expose the innards.

Add to that a pure 21st century attack.

Security firm IOActive has been working on hacking the NFC chips that are used in ATMs and tens of millions of credit card readers in stores and other places that accept credit cards.

The result is an app that allows the researcher to imitate what the chips do.

That means he can crash the devices in stores and other places where credit cards are accepted, hack them to collect stored credit card data, and change the value of transactions invisibly (want to buy that Rolex – how about $1.29?).

He even figured out how to make one brand of ATM “jackpot” – spit out money. The researcher isn’t saying what brand of ATM it was, but he was working FOR the ATM maker, so that issue is likely fixed. Maybe – see below.

The researcher has told the chip makers about the problems he found, but there is a slight problem.

Many ATMs will require a technician to go to the ATM to physically do the update. After all, doing the update over the wire seems a bit insecure for something that amounts to a small bank vault.

7 months or so after reporting his findings to the ATM maker, he waved his phone in front of an ATM in Madrid, where he lives, and caused the ATM to crash. Which, I guess, is better than making it jackpot. But crashes can often be turned into more dangerous hacks.

But here is the bigger problem.

While there are tens of thousands of ATMs that need to be upgraded, there are tens of millions of point-of-sale credit card readers that need to be updated. I will guarantee you that many of those will never be updated. That means clever hackers will walk into stores, pick out something expensive, and pay a dollar for it. Then fence it or sell it on the black market.

For consumers, that means higher prices due to fraud, but for business owners, it could mean fraud losses, and for privately owned ATMs – well, I hope they have good insurance.

Credit: Wired
