Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Flaws in Mobile Point of Sale Readers Displayed at Black Hat

While security is high overall for mPOS tools from companies like Square, PayPal, and iZettle, some devices have vulnerabilities that attackers could exploit to gather data and cash.

Mobile point of sale (MPOS) systems have changed the way business is done for small vendors around the world. These small devices from companies like Square, PayPal, and iZettle allow the smallest businesses to accept credit and debit cards from customers without having to go through the expense and complication of establishing a merchant account with a bank. With millions of these little devices in the market, though, it's reasonable to ask just how secure transactions can be when they come through a device that costs less (in some cases, far less) than $50.

Leigh-Anne Galloway and Tim Yunusov - Positive Technologies' security researcher and senior banking security expert, respectively - sought to answer that question in research presented at Black Hat USA and DEF CON. Galloway and Yunosov chose four providers - Square, iZettle, PayPal, and SumUp - and seven separate readers for their research. "We now have quite a few different vendors who are operating in the marketplace. And we've also noticed from a personal experience that we're starting to see these terminals in many different small businesses," Galloway said in a pre-Black Hat USA interview. "We really wanted to see what the significant differences are between different vendors and different regions."

There is one key difference between the US and Europe when it comes to reducing fraud: in Europe, EMV chip-enabled cards (created to protect against counterfeiting and card-present fraud) are accepted by roughly 95% of all the MPOS devices in service, while in the US, they're accepted by roughly 13% of MPOS devices, according to data cited by Galloway and Yunusov. It's not that EMV cards aren't present in the US; 96% of credit cards in US circulation support EMV, but less than half of all transactions use the chip, say Yunosov and Galloway.

In testing the devices, the researchers sought to send arbitrary commands to the MPOS device, tamper with the amount of the transaction, and perform remote code execution on the device.

The type of attack changes depending on the aim of the theoretical criminal. Sending arbitrary commands can be part of a social-engineering attack in which the customer is asked to re-try a transaction using a less secure method. Transaction amount tampering amounts to a man-in-the-middle attack in which a $1 transaction at the reader becomes a $50 transaction at the financial institution. And remote code execution can give the attacker access to the memory of the device which then becomes a mobile skimmer for the purpose of stealing credit card account information from customers.

It's important, Galloway and Yunusov said, to remember that the MPOS devices are part of an overall financial ecosystem, and that different companies protect devices and transactions in different ways. "We did find some really good examples of anti-fraud protection," Galloway said in the interview. "Some vendors were carrying out very sophisticated anti-fraud detection using forms of correlation to identify bad devices and readers," she explained. The researchers also found a wide variety of anti-fraud activities taking place during the device and merchant enrollment process, with some vetting potential merchants much more heavily than others.

In the test results, Galloway and Yunusov found that Square and PayPal had the most active anti-fraud and security checks during the transaction process, with iZettle monitoring less actively. They also found that the Miura devices used in some instances by Square and PayPal were susceptible to arbitrary commands and amount tampering via remote code execution.

In general, though, "We were impressed by the level of physical security mechanisms in place generally," Galloway said. "Most of the readers that we looked at have good internal protection from tampering. It was very good for a product that retails at that price and we were surprised by that, actually."

The researchers did have suggestions for merchants using MPOS devices. The suggestions included controlling physical access to devices, moving as quickly as possible to EMV transactions, and choosing a vendor with a robust, secure total payment infrastructure.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12551
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the Memcpy function (provided by the scripting engine) allows an attacker to overwrite arbitrary memory, which could lead to code execution.
CVE-2019-12552
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, an integer overflow during the initialization of variables could allow an attacker to cause a denial of service.
CVE-2019-3414
PUBLISHED: 2019-07-22
All versions up to V1.19.20.02 of ZTE OTCP product are impacted by XSS vulnerability. Due to XSS, when an attacker invokes the security management to obtain the resources of the specified operation code owned by a user, the malicious script code could be transmitted in the parameter. If the front en...
CVE-2019-10102
PUBLISHED: 2019-07-22
tcpdump.org tcpdump 4.9.2 is affected by: CWE-126: Buffer Over-read. The impact is: May expose Saved Frame Pointer, Return Address etc. on stack. The component is: line 234: "ND_PRINT((ndo, "%s", buf));", in function named "print_prefix", in "print-hncp.c". Th...
CVE-2019-10102
PUBLISHED: 2019-07-22
aubio 0.4.8 and earlier is affected by: null pointer. The impact is: crash. The component is: filterbank. The attack vector is: pass invalid arguments to new_aubio_filterbank. The fixed version is: after commit eda95c9c22b4f0b466ae94c4708765eaae6e709e.