ATM cash retraction hack

A wrong number at cash machine costs man Rs 49, Yamanappa cited his account number and sought to know why the amount was not credited. The branch responded on August 30 after a second complaint.

By then, he had also gone to the police.

By using a custom app to send a carefully crafted APDU from his NFC-enabled Android phone that's hundreds of times larger than the reader expects, Rodriguez was able to trigger a "buffer overflow," a decades-old type of software vulnerability that allows a hacker to corrupt a target device's memory and run their own code.
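The length check whose absence makes this class of overflow possible, as an added example (not code from Rodriguez, the vendors or the original article). It assumes short-form response framing, up to 256 data bytes followed by a two-byte status word; `apdu_store_response` and the type names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption: short-form framing, at most 256 data bytes + 2-byte status word. */
#define APDU_MAX_DATA 256u
#define APDU_SW_LEN   2u

typedef enum { APDU_OK = 0, APDU_TOO_SHORT, APDU_TOO_LONG, APDU_BAD_ARG } apdu_status;

typedef struct {
    uint8_t  data[APDU_MAX_DATA];  /* fixed-size buffer, as on an embedded reader */
    size_t   data_len;
    uint16_t sw;                   /* status word SW1|SW2 */
} apdu_response;

/* Copy a received frame into the fixed buffer only after its length,
 * which is controlled by the sender, has been validated against the
 * buffer size. The output is left untouched when the frame is rejected. */
apdu_status apdu_store_response(apdu_response *out,
                                const uint8_t *frame, size_t frame_len)
{
    if (out == NULL || frame == NULL)
        return APDU_BAD_ARG;
    if (frame_len < APDU_SW_LEN)          /* no room for a status word */
        return APDU_TOO_SHORT;

    size_t data_len = frame_len - APDU_SW_LEN;
    if (data_len > sizeof out->data)      /* the check an overflow bypasses */
        return APDU_TOO_LONG;

    memset(out, 0, sizeof *out);
    memcpy(out->data, frame, data_len);
    out->data_len = data_len;
    out->sw = (uint16_t)((frame[data_len] << 8) | frame[data_len + 1]);
    return APDU_OK;
}

int main(void)
{
    /* Constructed sample: a frame 100 times the maximum expected size. */
    static uint8_t oversized[(APDU_MAX_DATA + APDU_SW_LEN) * 100];
    apdu_response r;
    return apdu_store_response(&r, oversized, sizeof oversized) == APDU_TOO_LONG ? 0 : 1;
}
```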

Ingenico responded in a statement that due to its security mitigations, Rodriguez's buffer overflow technique could only crash its devices, not gain code execution on them, but that, "considering the inconvenience and the impact for our customers," it issued a fix anyway. Rodriguez counters that he's doubtful that Ingenico's mitigations would actually prevent code execution, but he hasn't actually created a proof of concept to demonstrate this. Verifone, for its part, said that it had found and fixed the point-of-sale vulnerabilities Rodriguez highlighted in , long before he had reported them.

But Rodriguez argues that this only demonstrates the lack of consistent patching in the company's devices; he says he tested his NFC techniques on a Verifone device in a restaurant last year and found that it remained vulnerable. After keeping many of his findings under wraps for a full year, Rodriguez plans to share the technical details of the vulnerabilities in a webinar in the coming weeks, in part to push customers of the affected vendors to implement the patches that the companies have made available.

But he also wants to call attention to the abysmal state of embedded device security more broadly. He was shocked to find that vulnerabilities as simple as buffer overflows have lingered in so many commonly used devices—ones that handle cash and sensitive financial information, no less.

Fifteen out of 26 ATMs failed to encrypt communications with processing servers, although some did so over Ethernet rather than wirelessly.

You'd need only to tap into the network traffic, either wired or wirelessly, to grab the card data. Other models secured the traffic using faulty VPNs whose encryption could be cracked. Some had known security flaws in the network hardware or software that could also be exploited, as not all the ATMs had patched the known flaws. On a few machines, the cellular connections to the processing servers could be attacked by using encryption keys found in the modem firmware.

Default administrative credentials (username and password were both "root") gave full Telnet access to one machine, and it was possible to brute-force weak administrative credentials on the same model's remote web interface. In both cases, it would be possible to send bogus processor-server responses to the machines, resulting in a cash jackpot.

Some ATM models put the Ethernet port on the outside of the cabinet, making it possible to disconnect the cable and plug in a laptop that spoofed a processing server and told the ATM to spit out cash. Known security flaws in the ATM's network hardware or software could also be exploited, as not all the ATMs had patched known flaws.

Granted, it's not always easy to hang around an ATM and have enough time to pull off an attack. But the report noted that a crook would need only 15 minutes to access the ATM network connection to the processing center — something that might not be as conspicuous at three in the morning.

Once you open up the cabinet and get access to the computer's input ports, there isn't much between you and a cash jackpot. When you use an ATM, it's in "kiosk mode" and you can't switch to another application. But if you plug in a keyboard, or a Raspberry Pi set up to act like a keyboard, you can use the ATM like a regular computer.

Exiting kiosk mode won't cough up the cash, but using a keyboard makes it a whole lot more convenient to run malicious commands on the ATM.

Since more than half the machines examined ran Windows XP, an operating system with many known vulnerabilities, this wasn't always hard. The researchers also found that two machines ran digital video recorder applications in the background to record customer activity.


