Vida Celular


Josep Rodriguez, a security researcher at IOActive, discovered a series of bugs that allow an attacker to hack machines that work with NFC and, with this, clone cards, whether credit or bank cards. The revelation was made after a year of work on the chips used in ATMs and payment machines spread across thousands of establishments around the world.

In an interview with Wired, Rodriguez revealed that he had developed an Android application that gives smartphones the power to “imitate” radio communications, exploit flaws in the firmware of NFC machines and, with this, crash the systems, collect card data and produce new, cloned cards. According to the researcher, he even managed to reproduce the attack called “jackpotting”, which makes an ATM literally spit out money.

For security reasons, however, Rodriguez did not share the name of the company he managed to hack. He did say that he has already contacted other companies, such as ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS and Nexgo, about the bugs found.

“You can modify the firmware and change the price to one dollar, for example, even when the screen says you’re paying $50. You can disable the device or install some kind of ransomware. There are a lot of possibilities here,” Rodriguez explained of the point-of-sale attacks he’s discovered. “If you chain the attack and also send a special payload to an ATM’s computer, you can trick the ATM into withdrawing money just by tapping the phone,” he added.

Companies take a stand

Some of the companies cited by the researcher, whose NFC machines he said could allow customers' cards to be cloned if hacked, responded to the allegations revealed by Wired. ID Tech, BBPOS and Nexgo preferred to remain silent, while the ATM Industry Association declined to comment.

Ingenico, for its part, responded that, due to its security mitigations, Rodriguez’s buffer overflow technique could only crash its devices, but not cause code execution on them. In any case, to avoid problems for customers, it said it had “issued a patch for the system.”

Verifone also weighed in. The company said it had found and fixed the point-of-sale vulnerabilities that Rodriguez highlighted. That claim, however, was disputed by the researcher, who said he had retested his technique on a Verifone device after the alleged fix and found that it remained vulnerable.

The Verge

Image: Karolina Grabowska/Pexels/CC