Mobile point of sale (MPOS) systems have changed the way business is done for small vendors around the world. These small devices from companies like Square, PayPal, and iZettle allow the smallest businesses to accept credit and debit cards from customers without having to go through the expense and complication of establishing a merchant account with a bank. With millions of these little devices in the market, though, it's reasonable to ask just how secure transactions can be when they come through a device that costs less (in some cases, far less) than $50.
Leigh-Anne Galloway and Tim Yunusov - Positive Technologies' security researcher and senior banking security expert, respectively - sought to answer that question in research presented at Black Hat USA and DEF CON. Galloway and Yunosov chose four providers - Square, iZettle, PayPal, and SumUp - and seven separate readers for their research. "We now have quite a few different vendors who are operating in the marketplace. And we've also noticed from a personal experience that we're starting to see these terminals in many different small businesses," Galloway said in a pre-Black Hat USA interview. "We really wanted to see what the significant differences are between different vendors and different regions."
There is one key difference between the US and Europe when it comes to reducing fraud: in Europe, EMV chip-enabled cards (created to protect against counterfeiting and card-present fraud) are accepted by roughly 95% of all the MPOS devices in service, while in the US, they're accepted by roughly 13% of MPOS devices, according to data cited by Galloway and Yunusov. It's not that EMV cards aren't present in the US; 96% of credit cards in US circulation support EMV, but less than half of all transactions use the chip, say Yunosov and Galloway.
In testing the devices, the researchers sought to send arbitrary commands to the MPOS device, tamper with the amount of the transaction, and perform remote code execution on the device.
The type of attack changes depending on the aim of the theoretical criminal. Sending arbitrary commands can be part of a social-engineering attack in which the customer is asked to re-try a transaction using a less secure method. Transaction amount tampering amounts to a man-in-the-middle attack in which a $1 transaction at the reader becomes a $50 transaction at the financial institution. And remote code execution can give the attacker access to the memory of the device which then becomes a mobile skimmer for the purpose of stealing credit card account information from customers.
It's important, Galloway and Yunusov said, to remember that the MPOS devices are part of an overall financial ecosystem, and that different companies protect devices and transactions in different ways. "We did find some really good examples of anti-fraud protection," Galloway said in the interview. "Some vendors were carrying out very sophisticated anti-fraud detection using forms of correlation to identify bad devices and readers," she explained. The researchers also found a wide variety of anti-fraud activities taking place during the device and merchant enrollment process, with some vetting potential merchants much more heavily than others.
In the test results, Galloway and Yunusov found that Square and PayPal had the most active anti-fraud and security checks during the transaction process, with iZettle monitoring less actively. They also found that the Miura devices used in some instances by Square and PayPal were susceptible to arbitrary commands and amount tampering via remote code execution.
In general, though, "We were impressed by the level of physical security mechanisms in place generally," Galloway said. "Most of the readers that we looked at have good internal protection from tampering. It was very good for a product that retails at that price and we were surprised by that, actually."
The researchers did have suggestions for merchants using MPOS devices. The suggestions included controlling physical access to devices, moving as quickly as possible to EMV transactions, and choosing a vendor with a robust, secure total payment infrastructure.
- SmartMetric, Report Reveals More Than 32% of Americans Affected by Credit Card Fraud While United States ID Theft Cost More Than $17 Billion
- Adidas US Website Hit by Data Breach
- Four Faces of Fraud: Identity, 'Fake' Identity, Ransomware & Digital
- Author of TreasureHunter PoS Malware Releases Its Source Code
Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info.