On the final day of Black Hat USA 2018 yesterday, researchers from Positive Technologies demonstrated how attackers could exploit flaws in mobile point-of-sale (mPOS) devices to run fraudulent transactions and alter the amount charged during a transaction.
The flaws enabled attackers to execute man-in-the-middle transactions, send arbitrary code through Bluetooth or the accompanying mobile applications, and change payment values for magstripe transactions. Researchers Leigh-Anne Galloway and Tim Yunusov also found that the mPOS devices are vulnerable to remote code execution (RCE), which gave an attacker access to the reader’s entire operating system.
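The two findings that matter most to a merchant are the ones a back-office reconciliation can catch: an authorised amount that differs from what the merchant app requested, and magstripe use on a card that carries a chip. The following script is an added example written for this article, not code from Positive Technologies or from any of the providers named; the log format, field names and the two sample logs are constructed for illustration, and a real deployment would map them onto whatever the merchant app and the acquirer actually export.

```python
import re

# Constructed sample logs (not output from any real mPOS product).
# APP_LOG: what the merchant app asked the reader to charge, one line per transaction.
APP_LOG = """\
2018-08-09T10:01:02Z txn=A100 amount=1999
2018-08-09T10:05:10Z txn=A101 amount=2500
2018-08-09T10:09:44Z txn=A102 amount=4000
2018-08-09T10:12:30Z txn=A103 amount=1200
"""

# READER_LOG: what the reader (or acquirer) reports as actually authorised.
# chip_capable=1 means the card data indicates an EMV chip is present.
READER_LOG = """\
2018-08-09T10:01:03Z txn=A100 entry=chip amount=1999 chip_capable=1
2018-08-09T10:05:11Z txn=A101 entry=magstripe amount=100 chip_capable=1
2018-08-09T10:09:45Z txn=A102 entry=contactless amount=4000 chip_capable=1
2018-08-09T10:12:31Z txn=A103 entry=magstripe amount=1200 chip_capable=0
"""

APP_RE = re.compile(r"txn=(?P<txn>\S+) amount=(?P<amount>\d+)")
READER_RE = re.compile(
    r"txn=(?P<txn>\S+) entry=(?P<entry>\S+) amount=(?P<amount>\d+) "
    r"chip_capable=(?P<chip>[01])"
)


def parse_app_log(text):
    """Map txn id -> requested amount in minor units (cents)."""
    out = {}
    for line in text.splitlines():
        m = APP_RE.search(line)
        if m:
            out[m["txn"]] = int(m["amount"])
    return out


def parse_reader_log(text):
    """Map txn id -> entry mode, authorised amount and chip capability."""
    out = {}
    for line in text.splitlines():
        m = READER_RE.search(line)
        if m:
            out[m["txn"]] = {
                "entry": m["entry"],
                "amount": int(m["amount"]),
                "chip_capable": m["chip"] == "1",
            }
    return out


def audit(app_text, reader_text):
    """Return (txn, finding) pairs for transactions that deserve a second look.

    Two checks drawn from the article: the authorised amount must equal the
    requested amount (a mismatch is the signature of tampering between app
    and reader), and a chip-capable card should not have been swiped.
    """
    app = parse_app_log(app_text)
    reader = parse_reader_log(reader_text)
    findings = []
    for txn, requested in sorted(app.items()):
        r = reader.get(txn)
        if r is None:
            findings.append((txn, "no_reader_record"))
            continue
        if r["amount"] != requested:
            findings.append(
                (txn, f"amount_mismatch app={requested} reader={r['amount']}")
            )
        if r["entry"] == "magstripe" and r["chip_capable"]:
            findings.append((txn, "magstripe_used_on_chip_capable_card"))
    return findings


if __name__ == "__main__":
    for txn, finding in audit(APP_LOG, READER_LOG):
        print(txn, finding)
```

On the constructed data only A101 is flagged, twice: the reader authorised 100 cents against a 2,500-cent request, and it did so via magstripe on a chip-capable card. A103 is a magstripe swipe on a card with no chip and produces no finding, which is the distinction a merchant wants before deciding to reject fallback swipes outright.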
The researchers discovered the vulnerabilities in four market-leading mPOS devices – Square, SumUp, iZettle and PayPal – and have disclosed the vulnerabilities to all of the providers.
The use of mPOS has grown in the last few years. Although an mPOS reader sits at the endpoint of the payment infrastructure, there is no barrier to entry for a device to begin accepting card payments. mPOS providers are therefore attractive targets for criminals.
“These days it's hard to find a business that doesn't accept faster payments. mPOS terminals have propelled this growth, making it easier for small and micro-sized businesses to accept noncash payments,” Galloway said.
“Currently there are very few checks on merchants before they can start using an mPOS device and less-scrupulous individuals can, therefore, essentially steal money from people with relative ease if they have the technical know-how,” Galloway continued. “As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”
Even though more than half (58.5%) of debit and credit cards in the US are EMV-enabled, only 41% of transactions are made using the chip, which makes attacks against magstripe a very significant threat, according to Positive Technologies.
“Anyone who is making a payment on an mPOS device should not make the transaction via magstripe but instead use chip and pin, chip and signature, or contactless,” Yunusov said.
“Merchants should also assess the risk of any device they plan on integrating into their business. Those using cheaper devices need to take steps to mitigate the risk. There is no need to still be reliant on magstripe transactions. While the market for most of these products is currently not very mature, the popularity is growing so it is imperative that security is made a priority.”