Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Flaws in Mobile Point of Sale Readers Displayed at Black Hat

While security is high overall for mPOS tools from companies like Square, PayPal, and iZettle, some devices have vulnerabilities that attackers could exploit to gather data and cash.

Mobile point of sale (MPOS) systems have changed the way business is done for small vendors around the world. These small devices from companies like Square, PayPal, and iZettle allow the smallest businesses to accept credit and debit cards from customers without having to go through the expense and complication of establishing a merchant account with a bank. With millions of these little devices in the market, though, it's reasonable to ask just how secure transactions can be when they come through a device that costs less (in some cases, far less) than $50.

Leigh-Anne Galloway and Tim Yunusov - Positive Technologies' security researcher and senior banking security expert, respectively - sought to answer that question in research presented at Black Hat USA and DEF CON. Galloway and Yunosov chose four providers - Square, iZettle, PayPal, and SumUp - and seven separate readers for their research. "We now have quite a few different vendors who are operating in the marketplace. And we've also noticed from a personal experience that we're starting to see these terminals in many different small businesses," Galloway said in a pre-Black Hat USA interview. "We really wanted to see what the significant differences are between different vendors and different regions."

There is one key difference between the US and Europe when it comes to reducing fraud: in Europe, EMV chip-enabled cards (created to protect against counterfeiting and card-present fraud) are accepted by roughly 95% of all the MPOS devices in service, while in the US, they're accepted by roughly 13% of MPOS devices, according to data cited by Galloway and Yunusov. It's not that EMV cards aren't present in the US; 96% of credit cards in US circulation support EMV, but less than half of all transactions use the chip, say Yunosov and Galloway.

In testing the devices, the researchers sought to send arbitrary commands to the MPOS device, tamper with the amount of the transaction, and perform remote code execution on the device.

The type of attack changes depending on the aim of the theoretical criminal. Sending arbitrary commands can be part of a social-engineering attack in which the customer is asked to re-try a transaction using a less secure method. Transaction amount tampering amounts to a man-in-the-middle attack in which a $1 transaction at the reader becomes a $50 transaction at the financial institution. And remote code execution can give the attacker access to the memory of the device which then becomes a mobile skimmer for the purpose of stealing credit card account information from customers.

It's important, Galloway and Yunusov said, to remember that the MPOS devices are part of an overall financial ecosystem, and that different companies protect devices and transactions in different ways. "We did find some really good examples of anti-fraud protection," Galloway said in the interview. "Some vendors were carrying out very sophisticated anti-fraud detection using forms of correlation to identify bad devices and readers," she explained. The researchers also found a wide variety of anti-fraud activities taking place during the device and merchant enrollment process, with some vetting potential merchants much more heavily than others.

In the test results, Galloway and Yunusov found that Square and PayPal had the most active anti-fraud and security checks during the transaction process, with iZettle monitoring less actively. They also found that the Miura devices used in some instances by Square and PayPal were susceptible to arbitrary commands and amount tampering via remote code execution.

In general, though, "We were impressed by the level of physical security mechanisms in place generally," Galloway said. "Most of the readers that we looked at have good internal protection from tampering. It was very good for a product that retails at that price and we were surprised by that, actually."

The researchers did have suggestions for merchants using MPOS devices. The suggestions included controlling physical access to devices, moving as quickly as possible to EMV transactions, and choosing a vendor with a robust, secure total payment infrastructure.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Human Nature vs. AI: A False Dichotomy?
John McClurg, Sr. VP & CISO, BlackBerry,  11/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15073
PUBLISHED: 2019-11-20
An Open Redirect vulnerability for all browsers in MAIL2000 through version 6.0 and 7.0, which will redirect to a malicious site without authentication. This vulnerability affects many mail system of governments, organizations, companies and universities.
CVE-2019-15072
PUBLISHED: 2019-11-20
The login feature in "/cgi-bin/portal" in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via any parameter. This vulnerability affects many mail system of governments, organizations, companies and universities.
CVE-2019-15071
PUBLISHED: 2019-11-20
The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail syste...
CVE-2019-6176
PUBLISHED: 2019-11-20
A potential vulnerability reported in ThinkPad USB-C Dock Firmware version 3.7.2 may allow a denial of service.
CVE-2019-6184
PUBLISHED: 2019-11-20
A potential vulnerability in the discontinued Customer Engagement Service (CCSDK) software version 2.0.21.1 may allow local privilege escalation.