Avoiding Credit Card Fraud is simply easy as long as you use cash. But, what if you even get hacked while withdrawing cash from an ATM?
If you are living in Germany or traveling there, then think twice before using your payment cards in the ATMs. A Security researcher in Germany has managed to hack ATM and self-service terminal from Sparkasse Bank that allowed him to reveal the sensitive details from the payment card inserted into the machine.
Benjamin Kunz-Mejri, CEO of Germany-based security firm Vulnerability Lab, discovered a vulnerability while using a Sparkasse terminal that suddenly ejected his card, and changed status to "temporarily not available." Meanwhile, the machine automatically started performing software update process in the background. However, Benjamin used a special keyboard combination to trick the ATM into another mode. Benjamin’s trick forced ATM system to put update process console (cmd) in the foreground of the warning message.
"At that moment the researcher realized that there is a gap and used his iPhone to capture the bootChkN console output (Wincor Nixdorf) of the branch administrator," a blog post on Vulnerability-Lab stated.
After saving the data and reviewing the recording, Benjamin was able to reveal a lot of sensitive information, including the bank’s main branch office:
- Usernames
- Serial numbers
- Firewall settings
- Network information
- Computer name
- Device IDs
- ATM settings
- Two system passwords
- Other hardware related information
"Benjamin reported the critical issue to the Sparkasse Bank, which acknowledged the issue and has now started patching its ATMs and self-service terminals in a pilot program to prevent attacks." Sparkasse Bank said in a statement. The ATM (Automated Teller Machine) analyzed by Benjamin is manufactured by Wincor Nixdorf, one of the most famous company in the retail and banking industry. Therefore, the chances are high that other banks that are using the Wincor Nixdorf ATMs and self-service terminals are also affected, along with Sparkasse Bank. Benjamin reported the critical issue to the Sparkasse Bank, which acknowledged the issue and has now started patching its ATMs and self-service terminals to prevent attacks.
