Point-of-Sale, ATM Systems Vulnerable to NFC Attack via Smartphone Says Researcher Josep Rodriguez

Multiple brands and models of point-of-sale terminals and at least one ATM allow for smartphone-based attacks, up to and including theft.

ghalfacree
over 4 years ago Security

Security researcher Josep Rodriguez has warned of serious vulnerabilities in modern automated teller machines (ATMs) and point-of-sale (POS) devices, which can be exploited by simply waving an off-the-shelf smartphone at them — thanks to the integration of near-field communication (NFC) capabilities.

NFC-enabled credit and debit cards are undeniably convenient: Wave your card at the reader and the transaction goes through in seconds, without having to swipe or insert anything anywhere or even type a PIN. Adding radios to supposedly-secure devices, though, can be a recipe for disaster — as Rodriguez has proven.

"You can modify the firmware and change the price to one dollar, for instance, even when the screen shows that you're paying 50 dollars. You can make the device useless, or install a kind of ransomware. There are a lot of possibilities here," Rodriguez claims in an interview with WIRED. "If you chain the attack and also send a special payload to an ATM's computer, you can jackpot the ATM — like cash out, just by tapping your phone."

A security researcher claims to have found at least one brand of ATM vulnerable to "jackpotting" via NFC. (📷: Rodnae Productions)

The vulnerabilities affect a range of devices from a number of manufacturers, though Rodriguez claims to have been able to "jackpot" (forcing a machine to spit out the contents of its money boxes) only one type of ATM. At least one company claims Rodriguez's attacks are nothing new, having been patched in 2018 — but the fact he was still able to exploit the systems suggests that devices in the field are simply not receiving timely security updates.

Rodriguez, who works with security firm IOActive, has been keeping the vulnerabilities quiet, but plans to release technical details in the coming weeks — partially, he says, to light a fire under vendors and users alike and encourage them to install required patches.

More details on Rodriguez's claims are available in the WIRED article.
