Jovan Zivanovic
Reverse Vending Machine (RVM) Security: Real World Exploits / Vulnerabilities
#1 about 3 minutes
The financial incentive for hacking reverse vending machines
Reverse vending machines present a security risk because they exchange returned bottles for money, creating an opportunity for financial exploits.
#2 about 4 minutes
Understanding the bottle detection and refund process
RVMs use a combination of sensors like barcode scanners, weight sensors, shape detectors, and material analysis to validate and process returned bottles.
#3 about 4 minutes
Categorizing common reverse vending machine attack vectors
Attacks on RVMs fall into three main categories: insider manipulation, tricking the bottle acceptance system, and misclassifying bottles for higher payouts.
#4 about 4 minutes
Analyzing supermarket receipts to find security flaws
By collecting and comparing receipts from different supermarket chains, researchers identified patterns in barcode generation to find potential vulnerabilities.
#5 about 4 minutes
Discovering a predictable and static barcode vulnerability
One supermarket chain used a static EAN-13 barcode on receipts where the refund amount was directly encoded, making it easy to forge.
#6 about 2 minutes
Forging a valid receipt with a script and printer
A simple script and a thermal printer can generate a forged receipt with a custom refund amount that is accepted by the store's checkout system.
#7 about 2 minutes
The vendor response to the disclosed vulnerability
The RVM manufacturer confirmed the vulnerability and stated that the secure, cloud-validated solution is an optional feature that customers must pay extra for.
#8 about 3 minutes
Finding similar and new exploits in Finland's RVMs
An investigation in Finland revealed the same receipt forgery vulnerability, plus a new attack involving swapping barcode stickers on bottles to claim a higher refund.
#9 about 2 minutes
Mitigating receipt fraud with a cloud validation system
The most effective way to prevent receipt forgery is to use a centralized data store that generates a unique ID for each receipt and invalidates it after one use.
#10 about 9 minutes
Q&A on blockchain, pentesting, and ethical implications
The speaker discusses using blockchain for validation, the importance of early security involvement and pentesting, and the ethics of exploiting recycling systems.
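The mitigation summarized in chapter #9 (a central store that issues a unique ID per receipt and invalidates it after one use) can be sketched as follows. This is an added example, not code from the talk or from any RVM vendor; the `VoucherStore` class, its table schema and the use of SQLite are assumptions made for illustration.

```python
import secrets
import sqlite3


class VoucherStore:
    """Central record of issued RVM receipts (hypothetical schema)."""

    def __init__(self, path=":memory:"):
        # isolation_level=None puts sqlite3 in autocommit mode, so each
        # statement below is its own atomic transaction.
        self.db = sqlite3.connect(path, isolation_level=None)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS voucher ("
            " id TEXT PRIMARY KEY,"
            " amount_cents INTEGER NOT NULL,"
            " redeemed INTEGER NOT NULL DEFAULT 0)"
        )

    def issue(self, amount_cents):
        """Called by the RVM: store the amount, return the ID to print."""
        if amount_cents <= 0:
            raise ValueError("refund must be positive")
        voucher_id = secrets.token_hex(16)  # 128 random bits, not guessable
        self.db.execute(
            "INSERT INTO voucher (id, amount_cents) VALUES (?, ?)",
            (voucher_id, amount_cents),
        )
        return voucher_id

    def redeem(self, voucher_id):
        """Called by the checkout: pay the stored amount once, else None."""
        # The conditional UPDATE is the invalidation step: if two tills scan
        # the same receipt at once, only one of them changes a row.
        cur = self.db.execute(
            "UPDATE voucher SET redeemed = 1 WHERE id = ? AND redeemed = 0",
            (voucher_id,),
        )
        if cur.rowcount != 1:
            return None  # unknown ID (forged) or already redeemed (copied)
        row = self.db.execute(
            "SELECT amount_cents FROM voucher WHERE id = ?", (voucher_id,)
        ).fetchone()
        return row[0]  # the amount comes from the store, never from the barcode


def demo():
    store = VoucherStore()
    vid = store.issue(125)                      # constructed sample: 1.25 refund
    first = store.redeem(vid)                   # genuine receipt, first scan
    replay = store.redeem(vid)                  # same receipt scanned again
    unknown = store.redeem(secrets.token_hex(16))  # ID the store never issued
    return first, replay, unknown


if __name__ == "__main__":
    print(demo())
```

Because the printed barcode carries only the random ID, the refund amount cannot be altered on paper, and a photocopied receipt fails on its second scan.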