SBA @ IT-SecX 2022

On October 7th, 2022, the IT-SecX (IT Security Community Exchange) conference took place once again at the UAS St. Pölten. The motto of the event was “Cyber Defense”. The yearly IT-SecX conference is a platform for exchanging knowledge and information on trends, technologies and the latest developments in IT security.

National and international security specialists spoke about current security developments at the conference. The keynote on “The Law, Policy and Diplomacy of Critical Infrastructure Protection” was held by Dr. Iur. Eneken Tikk, founder of the Cyber Policy Institute and Associate Fellow of the Erik Castrén Institute for International Law and Human Rights, University of Helsinki.

No fewer than four security experts from SBA Research were invited to give a talk:

Talk: Security Research in Austria

by Edgar Weippl, Talk language: German

Talk: The Limits of Digitization – The (Forgotten) Value of Analog Mechanisms and Fallbacks

by Philipp Reisinger, Talk language: German

Talk: Safe or Scam? An Empirical Simulation Study on Trust Indicators in Online Shopping

by Sebastian Schrittwieser, Talk language: German

Talk: Reverse Vending Machine (RVM) Security: Real World Exploits / Vulnerabilities

by Jovan Zivanovic, Talk language: English

Abstract

With the plans of increasing the number of reverse vending machines in Europe, it is relevant to take a look at the implemented security mechanisms of such vending machines [1,2]. Currently, in Austria, most stores provide such machines for the return of glass bottles; however, the government also wants to add vending machines for plastics. Security plays an important role with these machines, as they exchange the bottles for money, and an insufficient security mechanism could allow attackers to practically print money. It is not uncommon for such machines to be targets of malicious actors [3,4,5]. We took a look at the vending machines present in most supermarkets in Vienna and figured out that some machines are not secured enough. In many cases, we found that the generated receipts – used at the cash register to be exchanged for money – are not secure enough. By analyzing several previously printed receipts, attackers can use an ESC printer to create forged receipts. Furthermore, we tested our attack with one store and were able to exchange our forged receipt for real goods. Our results show that this is not a single store that is improperly secured, but rather whole supermarket chains. This makes the vulnerability even more severe since, as far as we can tell, it affects whole supermarket chains that provide such reverse vending machines.

[1] https://infothek.bmk.gv.at/pfandsystem-fuer-oesterreich-3-punkte-plan/
[2] https://oesterreich.orf.at/stories/3125584/
[3] https://www.sueddeutsche.de/panorama/pfandbetrug-urteil-kriminalitaet-1.4403519
[4] https://www.spiegel.de/panorama/justiz/koeln-betrueger-erbeutet-mit-einer-pfandflasche-44-000-euro-a-1121633.html
[5] https://www.schwaebische-post.de/welt/verbraucher/aldi-discounter-betrug-pfand-pfandbon-abzocke-flaschen-trick-polizei-kunden-zr-90005672.html

About the event

The conference is aimed at school pupils, students, persons with a research or teaching background, industry experts, and “geeks” in general who work with computer science and IT security. 
