Even though Bitcoin ATMs offer a convenient way for consumers to purchase cryptocurrencies, Kraken Security Labs claims that ease of use can sometimes come at the expense of security.
Kraken uncovered multiple hardware and software vulnerabilities in a commonly used cryptocurrency ATM: The General Bytes BATMtwo (GBBATM2).
Multiple attack vectors were found through the default administrative QR code, the Android operating software, the ATM management system, and even the hardware case of the machine.
Kraken’s crew discovered that numerous ATMs are built on the same default admin QR code, which allows anyone with this QR code to walk up to an ATM and jeopardize it.
Most of the BATM ATMs are located in the United States and Canada, with a combined figure tallying in at around 5,300, while Europe has around 824 ATMs installed.
Now Kraken Security Labs wants to create awareness for users around potential security flaws and alert the ATM producers so they can fix these problems.
Kraken Security Labs reported all problems and suspicions to General Bytes on April 20, 2021, they released patches to their backend system (CAS) and alerted their customers, but full fixes for some of the issues may still require hardware revisions.
Bitcoin ATM scams happen pretty often nowadays. In July this year, in Berkeley, California, two women lost a total of $15,000.
Both women received a phone call from a person claiming to be a public safety officer in the city and were told that they had arrest warrants out for them on serious charges including tax evasion and money laundering.
The two women were then instructed to stay on the phone, go to the bank, take all the money from their bank accounts and transfer it via Bitcoin ATMs.
In one case, the victim transferred 10,000 dollars to the fraudsters, whereas in the other case, 5,000 dollars were transferred.
In Winnipeg, Canada, when criminals tacked up a printed notice to a Bitcoin ATM, claiming that the machine was undergoing maintenance while a new software upgrade was being installed.
As a result, users were advised to deposit the coins they bought not in their own wallets, but rather use a QR code provided on the paper. Of course, if any user sends the crypto to that account associated with the QR code, he loses Bitcoin.
Of Winnipeg’s 20 Bitcoin ATMs, police found posters on two of them, but no victims came forward. The main problem is that it is really difficult to trace the money.
Internet security company Malwarebytes warned about a new trend of petrol station Bitcoin ATM scams in which threat actors would post fake jobs listings to dupe applicants into money laundering.
The company warned: “If you’re dealing with QR codes in public, on ads or posters, check that they haven’t been tampered with (look for stickers with a new QR code placed over an original). And if anyone tries to steer you towards a Bitcoin ATM, move swiftly in the opposite direction.