Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home News

Vendor Delayed Fix for Card Top-Up Hack

September 15, 2025
Reading Time: 2 mins read
in News
Vendor Delayed Fix for Card Top-Up Hack

KioSoft, a Florida-based company, is a global provider of unattended self-service payment machines for businesses like laundromats, arcades, and vending machines. With offices in seven countries and a claim of deploying over 41,000 kiosks and 1.6 million payment terminals, the company has a significant presence. Despite its wide reach, a serious security flaw was recently exposed by the cybersecurity firm, SEC Consult, which is part of Eviden.

In 2023, SEC Consult researchers discovered that some of KioSoft’s stored-value cards, which customers reload for use at payment terminals, were susceptible to a vulnerability. This flaw, tracked as CVE-2025-8699, allows a hacker to add money to a card for free. The root cause of the vulnerability is that the card’s balance is stored locally on the card itself, not on a secure, centralized server. The affected cards used MiFare Classic NFC technology, which is well-known for its security weaknesses.

Leveraging the known vulnerabilities of MiFare cards and analyzing how data is stored, SEC Consult researchers successfully manipulated the card’s data. They were able to read and write information on the card, effectively “creating money out of thin air.” While a single hack can only increase the balance to about $655, the process can be repeated. To perform this hack, an attacker would need a hardware tool like the Proxmark, which is designed for RFID security analysis, and some knowledge of MiFare card vulnerabilities.

SEC Consult has published an advisory detailing its research and a timeline of its communication with KioSoft. The timeline reveals a significant delay in KioSoft’s response, as it took the company more than a year to address the issue. The security firm first contacted KioSoft in October 2023 but received no response until the CERT Coordination Center at Carnegie Mellon University got involved. Throughout this period, SEC Consult’s requests for updates were often ignored, and KioSoft repeatedly asked for extensions to the disclosure deadline.

KioSoft finally released a firmware patch in the summer of 2025 and indicated that new hardware would be rolled out in the future. However, KioSoft refused to provide specific version numbers of the affected and patched software, stating that it would privately notify affected customers. While the company claims that most of its solutions do not use the vulnerable MiFare technology, SEC Consult could not verify the effectiveness of the patch since it no longer had access to the original terminals used for its research.

Reference:

  • Payment System Vendor Took Over Year to Patch Infinite Card Top-Up Hack Says Firm
Tags: Cyber NewsCyber News 2025Cyber threatsSeptember 2025
ADVERTISEMENT

Related Posts

Two Arrested Over Nursery Cyber Attack

Two Arrested Over Nursery Cyber Attack

October 8, 2025
Two Arrested Over Nursery Cyber Attack

Y2K38 Bug Is A Security Vulnerability

October 8, 2025
Two Arrested Over Nursery Cyber Attack

Filigran Raises 58 Million Series C

October 8, 2025
Security Firm Exposes Beijing Institute

Zeroday Cloud Hacking Contest Offers $4.5M

October 7, 2025
Security Firm Exposes Beijing Institute

Security Firm Exposes Beijing Institute

October 7, 2025
Security Firm Exposes Beijing Institute

LinkedIn Sues ProAPIs Over Fake Accounts

October 7, 2025

Latest Alerts

Microsoft Ties Storm 1175 To Medusa

Google Chrome RCE Flaw Details Leak

Redis Use After Free Bug Enables RCE

XWorm 6.0 Returns With New Plugins

Steam And Microsoft Warn Of Unity Flaw

Rhadamanthys Stealer Evolves Again

Subscribe to our newsletter

    Latest Incidents

    DraftKings Warns Of Account Breaches

    Doctors Imaging Data Breach Hits 171K

    Salesforce Refuses To Pay Ransom

    Red Hat Data Breach Escalates Further

    FC Barcelona Instagram Hacked By Scam

    Threat Actors Claim Huawei Breach

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial