For years, vending machines have allured people who have wanted to enjoy everything these promising tin cans had to offer: without paying. Various methods from shaking them to trying to shove one’s hands up the machine, to even using activation codes of technicians have been deployed.
Now, there’s a different way to get vending machine products for free – and this is on your tab.
From a soda can to dairy products
Amitay Dan, a cyber security researcher, has discovered that with a simple application of fake phone numbers you can cheat vending machines and enjoy different products at innocent people’s expense, including hot drinks, sandwiches, food and dairy items, and other products that are typically found in pharmacy chains.
While many vending machines allow purchases through mobile, this is not a fairly secure technology like NFC (such as contactless payments). Rather, it is based on caller ID phone calls. After the initial registration for the service, which includes entering credit card details, the client can simply call the phone number listed on the machine: This will recognize their number and bill them for the items they want.
The problem starts, however, when users turn to applications like SpoofCard. These services allow every user to disguise their real phone number and instead, enter any other phone number they’d like. Dan demonstrated to us how he calls a vending machine from his phone. The machine then recognized a different number signed to the service, a number he owns that he entered into the application. Within a few seconds, Dan was asked to choose the selected product, which he got immediately, seemingly without paying for it.
Dan explains that in order to get a number, it’s enough to stand close to the person ordering while they use the service; his phone number will be presented clearly on the machine’s display. Another way is through a cheap camera that can be placed in every device or alternatively, human engineering. A significant number of the machines are in closed compounds like army bases, work places or campuses, so you can reach passersby phone numbers and just use them.
According to Dan, who’s done research on attacking strategic infrastructure, this isn’t just a case of getting a free drink. This is a deception of a robotic system that is in charge, among other things, of operating additional devices like electronic gates. When Dan first discovered the problem, he turned to the company. However, it’s been more than a year since then and the problem still hasn’t been dealt with.
We received this response from Dually, who’s in charge of the defrayal system installed in vending machines:
The service at hand doesn’t allow for a new registration to the system. There are some vending machine operators that have chosen to keep the service. For now even though there is presented information, the amount of claims denying the deal in the service at hand are infinitesimal. It’s important to state that the final consumer isn’t hurt and the risk taking is on the vending machines’ operator. Also, who ever does try to fake another person’s subscription still has to verify that the subscriber is registered in the system and the payment details on the back are correct, so whoever is doing it probably has to know the subscriber personally.
It’s important to add that Dually has an anti-fraud system that allows identification and blocking in real-time of forgery attempts and also limits the amounts of deals a subscriber can do per day. Also if there’s a complaint, there’s a collaboration between the cellphone operator to identify the SIM number, which identifies the real phone number of the theft. The service is mostly useful in the army soldiers’ segment.