On the final day of Black Hat USA 2018 yesterday, researchers from Positive Technologies demonstrated how attackers could exploit flaws in mobile point-of-sale (mPOS) devices to charge fraudulent transactions and alter the amount charged during a transaction.
The flaws enabled attackers to execute man-in-the-middle transactions, send random code through Bluetooth or other mobile applications, and change payment values for magstripe transactions. Researchers Leigh-Anne Galloway and Tim Yunusov also found that the mPOS devices are vulnerable to remote code execution (RCE), which gave an attacker access to the whole operating system of the reader.
The researchers discovered the vulnerabilities in four market-leading mPOS devices – Square, SumUp, iZettle and PayPal – and have disclosed the vulnerabilities to all of the providers.
The use of mPOS has grown in the last few years. Although the reader sits at the endpoint of the payment infrastructure, there is no barrier to entry for a device to begin accepting card payments, which makes mPOS providers attractive targets for criminals.
“These days it’s hard to find a business that doesn’t accept faster payments. mPOS terminals have propelled this growth, making it easier for small and micro-sized businesses to accept noncash payments,” Galloway said.
“Currently there are very few checks on merchants before they can start using an mPOS device and less-scrupulous individuals can, therefore, essentially steal money from people with relative ease if they have the technical know-how,” Galloway continued. “As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”
Even though more than half (58.5%) of debit and credit cards in the US are EMV-enabled, only 41% of transactions are made in this way, making attacks against magstripe a very significant threat, according to Positive Technologies.