Glass, plastic, cans: The announcement[1] of the Austrian government to introduce a deposit on plastic bottles and beverage cans in 2025[2] has pushed the topic of reverse vending back into the spotlight. As a tried and tested method for the prevention and separation of waste, it is an attractive method to curb the spread of unwanted remains, particularly as society becomes more conscious of its impact on the environment.
As a new investigation by the CST team of MATRIS research group at the Viennese COMET center SBA Research shows, the topic of security should not be ignored in this context. Using a common off-the-shelf receipt printer, they were able to manipulate deposit receipts. “An inadequate security concept in this area could result in criminals being able to effectively print money. In contrast to known scams such as the manipulation of reverse vending machines[3] [4], the use of fishing lures or even the theft of bottles or crates[5], our attack requires only freely available office equipment, a bit of know-how and some spare time”, says security researcher Jovan Zivanovic, who leads the investigation regarding this vulnerability.
In one Viennese supermarket, the researchers were able to redeem fraudulent reverse vending receipts.
However, according to their inquiry, it seems likely that not just individual stores, but entire supermarket chains could be vulnerable against this technique. Dimitris Simos, head of MATRIS research group, confirms: “Reverse vending fraud is a known problem. Particularly old machines may have issues in identifying bottles and confirming whether they are acceptable for reverse vending. Classifying containers based on their shape, material, and weight allows modern models to detect attempts to defraud the reverse vending system. However, we suspect that these mechanisms are not always implemented effectually.”
“This is not an unfixable vulnerability”, as Manuel Leithner, CST team lead, points out. “The vendor offers a mitigation for newer models of their reverse vending machines. However, this might lead to additional costs for supermarkets, particularly if older machines are still in use and must be replaced. The introduction of a deposit on plastic bottles and beverage cans seems like a good opportunity to enact this change. In principle, the use of proprietary mechanisms to identify fraud would be a viable alternative, too.”
The affected vendor and supermarket chains were informed about the vulnerability throughout the past months. As this example shows, security should not be a mere afterthought in the development of reverse vending systems.
[1] https://infothek.bmk.gv.at/pfandsystem-fuer-oesterreich-3-punkte-plan/
[2] https://oesterreich.orf.at/stories/3125584/
[3] https://www.sueddeutsche.de/panorama/pfandbetrug-urteil-kriminalitaet-1.4403519
[4] https://www.spiegel.de/panorama/justiz/koeln-betrueger-erbeutet-mit-einer-pfandflasche-44-000-euro-a-1121633.html
[5] https://www.schwaebische-post.de/welt/verbraucher/aldi-discounter-betrug-pfand-pfandbon- abzocke-flaschen-trick-polizei-kunden-zr-90005672.html
Location
Vienna, Austria
Date
28.02.2022
contact
SBA Research
E-Mail: presse@sba-research.org