Vulnerabilities in mPOS (mobile point-of-sale) machines could allow malicious merchants to defraud customers and attackers to steal payment card data, Positive Technologies researchers have found.
The use of mPOS devices has seen huge growth over the last few years as the barriers to entry to be provided a device and start accepting card payments are effectively zero. Like ATMs and traditional POS, they are at the end point of payment infrastructure, meaning they are very attractive and accessible to criminals for both the testing of these devices and in the movement of fraudulent money.
The vulnerabilities have been discovered in a number of market-leading mPOS devices popular in both the U.S. and Europe: Square, SumUp, iZettle, and PayPal.
mPOS devices work by communicating through a Bluetooth connection to a mobile application, which then sends data to the payment provider’s server. By intercepting the transaction it is possible to manipulate the amount value of magstripe transactions.
A fraudulent merchant can gain access to the traffic, modify the amount that is presented to the customer on the card reader, forcing the customer to authorize an entirely different amount without being aware. Still only 58.5 percent of debit and credit cards in the U.S. are EMV-enabled, and, lower still, 41 percent of transactions are made in this way, making attacks against magstripe a very significant threat.
A number of the mPOS devices were also vulnerable to Remote Code Execution (RCE) attacks. With this vulnerability, it is possible to gain access to the whole operating system of the reader.
In addition, it is possible to send arbitrary commands to some of the readers and influence the purchaser’s behavior. For example, fraudulent merchants can force customers to use a more vulnerable payment method (such as magstripe) or say that a payment was declined, encouraging the customer to make multiple payments.
What to do?
The vulnerabilities were disclosed to all of the vendors and manufacturers, and Positive Technologies is assisting the affected parties to close the issues that were identified.
“These days it’s hard to find a business that doesn’t accept faster payments. mPOS terminals have propelled this growth, making it easier for small and micro-sized businesses to accept non-cash payments,” noted Leigh-Anne Galloway, Cyber Security Lead at Positive Technologies.
“Currently there are very few checks on merchants before they can start using an mPOS device and less scrupulous individuals can therefore, essentially, steal money from people with relative ease if they have the technical know-how. As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”
Fellow researcher Tim Yunusov says that anyone who is making a payment on an mPOS device should not make the transaction via magstripe, but instead use chip and pin, chip & signature, or contactless.
“Merchants should also assess the risk of any device they plan on integrating into their business. Those using cheaper devices need to take steps to mitigate the risk. There is no need to still be reliant on magstripe transactions. While the market for most of these products is currently not very mature, the popularity is growing so it is imperative that security is made a priority,” he added.