Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Flaws in Mobile Point of Sale Readers Displayed at Black Hat

While security is high overall for mPOS tools from companies like Square, PayPal, and iZettle, some devices have vulnerabilities that attackers could exploit to gather data and cash.

Mobile point of sale (MPOS) systems have changed the way business is done for small vendors around the world. These small devices from companies like Square, PayPal, and iZettle allow the smallest businesses to accept credit and debit cards from customers without having to go through the expense and complication of establishing a merchant account with a bank. With millions of these little devices in the market, though, it's reasonable to ask just how secure transactions can be when they come through a device that costs less (in some cases, far less) than $50.

Leigh-Anne Galloway and Tim Yunusov - Positive Technologies' security researcher and senior banking security expert, respectively - sought to answer that question in research presented at Black Hat USA and DEF CON. Galloway and Yunosov chose four providers - Square, iZettle, PayPal, and SumUp - and seven separate readers for their research. "We now have quite a few different vendors who are operating in the marketplace. And we've also noticed from a personal experience that we're starting to see these terminals in many different small businesses," Galloway said in a pre-Black Hat USA interview. "We really wanted to see what the significant differences are between different vendors and different regions."

There is one key difference between the US and Europe when it comes to reducing fraud: in Europe, EMV chip-enabled cards (created to protect against counterfeiting and card-present fraud) are accepted by roughly 95% of all the MPOS devices in service, while in the US, they're accepted by roughly 13% of MPOS devices, according to data cited by Galloway and Yunusov. It's not that EMV cards aren't present in the US; 96% of credit cards in US circulation support EMV, but less than half of all transactions use the chip, say Yunosov and Galloway.

In testing the devices, the researchers sought to send arbitrary commands to the MPOS device, tamper with the amount of the transaction, and perform remote code execution on the device.

The type of attack changes depending on the aim of the theoretical criminal. Sending arbitrary commands can be part of a social-engineering attack in which the customer is asked to re-try a transaction using a less secure method. Transaction amount tampering amounts to a man-in-the-middle attack in which a $1 transaction at the reader becomes a $50 transaction at the financial institution. And remote code execution can give the attacker access to the memory of the device which then becomes a mobile skimmer for the purpose of stealing credit card account information from customers.

It's important, Galloway and Yunusov said, to remember that the MPOS devices are part of an overall financial ecosystem, and that different companies protect devices and transactions in different ways. "We did find some really good examples of anti-fraud protection," Galloway said in the interview. "Some vendors were carrying out very sophisticated anti-fraud detection using forms of correlation to identify bad devices and readers," she explained. The researchers also found a wide variety of anti-fraud activities taking place during the device and merchant enrollment process, with some vetting potential merchants much more heavily than others.

In the test results, Galloway and Yunusov found that Square and PayPal had the most active anti-fraud and security checks during the transaction process, with iZettle monitoring less actively. They also found that the Miura devices used in some instances by Square and PayPal were susceptible to arbitrary commands and amount tampering via remote code execution.

In general, though, "We were impressed by the level of physical security mechanisms in place generally," Galloway said. "Most of the readers that we looked at have good internal protection from tampering. It was very good for a product that retails at that price and we were surprised by that, actually."

The researchers did have suggestions for merchants using MPOS devices. The suggestions included controlling physical access to devices, moving as quickly as possible to EMV transactions, and choosing a vendor with a robust, secure total payment infrastructure.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/7/2020
The Coronavirus & Cybersecurity: 3 Areas of Exploitation
Robert R. Ackerman Jr., Founder & Managing Director, Allegis Capital,  4/7/2020
'Unkillable' Android Malware App Continues to Infect Devices Worldwide
Jai Vijayan, Contributing Writer,  4/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-1633
PUBLISHED: 2020-04-09
Due to a new NDP proxy feature for EVPN leaf nodes introduced in Junos OS 17.4, crafted NDPv6 packets could transit a Junos device configured as a Broadband Network Gateway (BNG) and reach the EVPN leaf node, causing a stale MAC address entry. This could cause legitimate traffic to be discarded, le...
CVE-2020-8834
PUBLISHED: 2020-04-09
KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc__tm, leading to a stack corruption. Because of this, an attacker with the ability run code in kernel space of a guest VM can cause the host kernel to...
CVE-2020-11668
PUBLISHED: 2020-04-09
In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.
CVE-2020-8961
PUBLISHED: 2020-04-09
An issue was discovered in Avira Free-Antivirus before 15.0.2004.1825. The Self-Protection feature does not prohibit a write operation from an external process. Thus, code injection can be used to turn off this feature. After that, one can construct an event that will modify a file at a specific loc...
CVE-2020-7922
PUBLISHED: 2020-04-09
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are u...