News

Chance discovery averts ATM-based data breach

Purely by happenstance, a German security researcher recently discovered a flaw in the ATM update systems of Germany's Sparkasse bank.

November 13, 2015

Purely by happenstance, a German security researcher recently discovered a flaw in the ATM update systems of Sparkasse bank.

According to a blog post by Germany-based security firm Vulnerability Lab, the company's chief exec and founder Benjamin Kunz-Mejri was attempting to make a cash withdrawal at a Sparkasse ATM, when the problem occurred:

The screen went to temporarily not available mode. In this mode Benjamin used a special keyboard combination to trick the ATM into another mode. By usage of the special combination, the console became available ahead to the maintenance message on top of the screen after the card came out of the ATM. At that moment the researcher realizes that there is a gap and used his iPhone to capture the bootChkN console output of the branch administrator.

According to a report by the U.K. publication, The Register, the machine, a Wincor Nixdorf model, displayed "a substantial amount of sensitive information including the bank’s main system branch usernames, serial numbers, firewall settings, network information, device IDs and more."

The report also said that Bank Sparkasse corrected the problem immediately after being notified of Kunz-Mejri's findings.