SBA @ IT-SecX 2022
On October 7th, 2022, the IT-SecX (IT Security Community Exchange) conference took place once again at the UAS St. Pölten. The motto of the event was “Cyber Defense”. The yearly IT-SecX conference is a platform for exchanging knowledge and information on trends, technologies and the latest developments in IT security.
National and international security specialists spoke about current security developments at the conference. The keynote on “The Law, Policy and Diplomacy of Critical Infrastructure Protection” was held by Dr. Iur. Eneken Tikk, founder of the Cyber Policy Institute and Associate Fellow of the Erik Castrén Institute for International Law and Human Rights, University of Helsinki.
No fewer than four security experts from SBA Research were invited to give a talk:
Talk: Security Research in Austria
by Edgar Weippl, Talk language: German
Talk: The Limits of Digitization – The (Forgotten) Value of Analog Mechanisms and Fallbacks
by Philipp Reisinger, Talk language: German
Talk: Safe or Scam? An Empirical Simulation Study on Trust Indicators in Online Shopping
by Sebastian Schrittwieser, Talk language: German
Talk: Reverse Vending Machine (RVM) Security: Real World Exploits / Vulnerabilities
by Jovan Zivanovic, Talk language: English
Abstract
With the plans of increasing the number of reverse vending machines in Europe, it is relevant to take a look at the implemented security mechanisms of such vending machines [1,2]. Currently, in Austria, most stores provide such machines for the return of glass bottles; however, the government also wants to add vending machines for plastics. Security plays an important role with these machines, as they exchange the bottles for money, and an insufficient security mechanism could allow attackers to practically print money. It is not uncommon for such machines to be targets of malicious actors [3,4,5]. We took a look at the vending machines present in most supermarkets in Vienna and figured out that some machines are not secured enough. In many cases, we found that the generated receipts – used at the cash register to be exchanged for money – are not secure enough. By analyzing several previously printed receipts, attackers can use an ESC printer to create forged receipts. Furthermore, we tested our attack with one store and were able to exchange our forged receipt for real goods. Our results show that this is not a single store that is improperly secured, but rather whole supermarket chains. This makes the vulnerability even more severe as, as far as we can tell, it affects whole supermarket chains that provide such reverse vending machines.
[1] https://infothek.bmk.gv.at/pfandsystem-fuer-oesterreich-3-punkte-plan/
[2] https://oesterreich.orf.at/stories/3125584/
[3] https://www.sueddeutsche.de/panorama/pfandbetrug-urteil-kriminalitaet-1.4403519
[4] https://www.spiegel.de/panorama/justiz/koeln-betrueger-erbeutet-mit-einer-pfandflasche-44-000-euro-a-1121633.html
[5] https://www.schwaebische-post.de/welt/verbraucher/aldi-discounter-betrug-pfand-pfandbon-abzocke-flaschen-trick-polizei-kunden-zr-90005672.html
About the event
The conference is aimed at school pupils, students, persons with a research or teaching background, industry experts, and “geeks” in general who work with computer science and IT security.