Risk

Flaws in Mobile Point of Sale Readers Displayed at Black Hat

While security is high overall for mPOS tools from companies like Square, PayPal, and iZettle, some devices have vulnerabilities that attackers could exploit to gather data and cash.

Mobile point of sale (MPOS) systems have changed the way business is done for small vendors around the world. These small devices from companies like Square, PayPal, and iZettle allow the smallest businesses to accept credit and debit cards from customers without having to go through the expense and complication of establishing a merchant account with a bank. With millions of these little devices in the market, though, it's reasonable to ask just how secure transactions can be when they come through a device that costs less (in some cases, far less) than $50.

Leigh-Anne Galloway and Tim Yunusov - Positive Technologies' security researcher and senior banking security expert, respectively - sought to answer that question in research presented at Black Hat USA and DEF CON. Galloway and Yunosov chose four providers - Square, iZettle, PayPal, and SumUp - and seven separate readers for their research. "We now have quite a few different vendors who are operating in the marketplace. And we've also noticed from a personal experience that we're starting to see these terminals in many different small businesses," Galloway said in a pre-Black Hat USA interview. "We really wanted to see what the significant differences are between different vendors and different regions."

There is one key difference between the US and Europe when it comes to reducing fraud: in Europe, EMV chip-enabled cards (created to protect against counterfeiting and card-present fraud) are accepted by roughly 95% of all the MPOS devices in service, while in the US, they're accepted by roughly 13% of MPOS devices, according to data cited by Galloway and Yunusov. It's not that EMV cards aren't present in the US; 96% of credit cards in US circulation support EMV, but less than half of all transactions use the chip, say Yunosov and Galloway.

In testing the devices, the researchers sought to send arbitrary commands to the MPOS device, tamper with the amount of the transaction, and perform remote code execution on the device.

The type of attack changes depending on the aim of the theoretical criminal. Sending arbitrary commands can be part of a social-engineering attack in which the customer is asked to re-try a transaction using a less secure method. Transaction amount tampering amounts to a man-in-the-middle attack in which a $1 transaction at the reader becomes a $50 transaction at the financial institution. And remote code execution can give the attacker access to the memory of the device which then becomes a mobile skimmer for the purpose of stealing credit card account information from customers.

It's important, Galloway and Yunusov said, to remember that the MPOS devices are part of an overall financial ecosystem, and that different companies protect devices and transactions in different ways. "We did find some really good examples of anti-fraud protection," Galloway said in the interview. "Some vendors were carrying out very sophisticated anti-fraud detection using forms of correlation to identify bad devices and readers," she explained. The researchers also found a wide variety of anti-fraud activities taking place during the device and merchant enrollment process, with some vetting potential merchants much more heavily than others.

In the test results, Galloway and Yunusov found that Square and PayPal had the most active anti-fraud and security checks during the transaction process, with iZettle monitoring less actively. They also found that the Miura devices used in some instances by Square and PayPal were susceptible to arbitrary commands and amount tampering via remote code execution.

In general, though, "We were impressed by the level of physical security mechanisms in place generally," Galloway said. "Most of the readers that we looked at have good internal protection from tampering. It was very good for a product that retails at that price and we were surprised by that, actually."

The researchers did have suggestions for merchants using MPOS devices. The suggestions included controlling physical access to devices, moving as quickly as possible to EMV transactions, and choosing a vendor with a robust, secure total payment infrastructure.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: On the SS7 network, nobody knows you're a dog.
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18812
PUBLISHED: 2019-01-16
The Spotfire Library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains a vulnerability that might theoretically fail to restrict users with read-only access from modifying files stored in the Spotfire Library, only when the S...
CVE-2018-18813
PUBLISHED: 2019-01-16
The Spotfire web server component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains multiple vulnerabilities that may allow persistent and reflected cross-site scripting attacks. Affected releases are TIBCO Software Inc. TIBCO Spotfire...
CVE-2018-18814
PUBLISHED: 2019-01-16
The TIBCO Spotfire authentication component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains a vulnerability in the handling of the authentication that theoretically may allow an attacker to gain full access to a target account, indep...
CVE-2018-5740
PUBLISHED: 2019-01-16
"deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is i...
CVE-2018-5741
PUBLISHED: 2019-01-16
To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update ...