Positive Technologies Reveals Mobile Point of Sale Device Flaws

Black Hat USA: Attackers could have manipulated a mobile point of sale terminal to have it display a lower amount than what was actually being sent to be authorized for payment, researchers find.

Mobile POS Risks

LAS VEGAS—Mobile point of sale terminals are potentially at risk from multiple vulnerabilities, according to researchers from Positive Technologies.

Leigh-Anne Galloway, cyber-security resilience lead, and Tim Yunusov, senior banking security expert at Positive Technologies, detailed their findings on mobile POS risks in a session at Black Hat USA here on Aug. 9.

In an interview with eWEEK, the researchers provided additional insight into the risks they found across major mPOS providers in the United States and Europe, including Square, SumUp, iZettle and PayPal.

"We found that over 50 percent of the readers that we looked at have some form of vulnerability or are vulnerable to an attack method," Galloway told eWEEK. "All of the vendors that we looked at were affected in some way."

Galloway said the readers used by SumUp and iZettle could accept arbitrary commands such that an attacker could send information to the reader display. So, for example, a message could be sent to ask a card holder to swipe a credit card, instead of using a chip and pin, to carry out a transaction. Magnetic stripes are less secure than credit card chips and can potentially be read by malicious software. Additionally, Galloway said it is possible to modify the amount that is shown on the reader screen for a transaction. As such, a consumer might see a certain amount that is not the same as what is being authorized.

"So we could send a transaction of $1 to the screen and then send a much higher amount to be authorized from a payment server," Galloway said.

Other vulnerabilities discovered by Positive Technologies include remote code execution on certain card readers used by Square and PayPal, including the Miura M010 Reader, that could potentially enable an attacker to capture card holder information. Galloway noted that the underlying firmware on the device has been updated by the hardware vendor to limit that risk.

All of the mPOS attacks discussed by Positive Technologies at Black Hat involved some form of proximity. That is, an attacker has to be physically close to the mPOS device to attack it. Many of the flaws uncovered by Positive Technologies are deployed over Bluetooth, which is often not properly secured, according to Galloway.

Galloway said Positive Technologies has responsibly disclosed all the specific vulnerabilities to the impacted vendors.

For merchants using mobile POS devices, Galloway recommends controlling access to the devices since many of the attacks involve proximity for communication. Additionally, she suggested that merchants choose not to allow magnetic stripe credit card transactions, as they represent more risk than chip and pin.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.