How mobile POS devices succumb to hackers

LAS VEGAS — Security researchers are uncovering widespread vulnerabilities in several popular mobile point-of-sale systems, which have become increasingly popular in recent years among many types of merchants large and small.

As payments shift to mobile, so does the opportunity to exploit the mobile point-of-sale systems that let merchants accept card and even cryptocurrency payments on the go. Presenting at the Black Hat USA cybersecurity conference last week in Las Vegas, security researchers from U.K.-based Positive Technologies showcased research detailing the inherent vulnerabilities they discovered in four of the most popular mPOS systems operating in both the United States and Europe.


Researchers delved into the mobile payment infrastructure of seven mPOS readers offered by Square, SumUp, PayPal and iZettle and found a host of potential ways to hack these systems. In a live demonstration based on their work, Cyber Security Resilience Lead Leigh-Anne Galloway and Senior Banking Security Expert Tim Yunusov showcased vulnerabilities that could allow cyber-criminals to conduct man-in-the-middle attacks, send arbitrary code through a Bluetooth connection or the system’s mobile application, modify the amounts of transactions authorized with a magnetic stripe card, exploit internal firmware, and carry out denial-of-service (DoS) or remote code execution (RCE) attacks.

Most, if not all, of these exploits could be conducted without being detected by conventional anti-fraud or cybersecurity tools or techniques, the researchers said.

The type of attack typically depends on the attacker’s ultimate goal. For example, a cyber-criminal might send an arbitrary command to the mPOS system as part of a larger social-engineering attack aimed at getting the cardholder to run the transaction again through a less secure channel. By tampering with transaction amounts, hackers could make a $5 transaction at the point of sale look like a $50 transaction to the cardholder’s issuing bank. RCE exploits allow attackers to access the device memory, effectively turning an mPOS reader into a mobile skimmer from which they can electronically collect cardholders’ account information.

“Normally, a [customer] goes into a business and interacts with the payment terminal directly, or hands their card to the merchant,” Galloway said during her Black Hat presentation. “The transaction goes to the merchant acquirer, that talks to the issuer. … But with the mPOS [transaction], there is no relationship directly with the merchant acquirer.” Merchants “work with the mPOS provider, who may or may not be assessing security risk.”

Positive Technologies disclosed its findings to the vendors in whose products it found flaws, and is working with those companies to patch the vulnerabilities. mPOS providers are already moving to close these security gaps: after learning that its M010 mobile terminal had serious vulnerabilities, Square moved up existing plans to drop support for this reader and begin converting its mobile merchants to its newer, more secure contactless and chip reader, according to a release from the company.

Unlike past testing—which has focused on older card standards and systems that tend to use magnetic stripe cards and traditional stationary terminals—this research explored how newer payment standards like NFC and EMV, as well as mPOS hardware, software and processes, could be exploited.

For smaller merchants, some of whom may not even operate with a traditional storefront, the benefit of these mobile payment systems is ease of use and cost—businesses don’t need to establish a merchant bank account and mPOS devices can cost as little as $50. Overall, the mPOS terminal market is predicted to reach $55 billion by 2024, according to research from strategy consulting firm Global Market Insights.

Galloway said the research project, which began with the aim of investigating potential flaws in two systems from two vendors and quickly expanded, was initially inspired by reports of a group of Boston-based student hackers in 2015 who were able to exploit mPOS systems.

“We had a basic understanding of the attack vectors,” said Galloway. “But our key question remained: How much security is built in here?”

While mPOS systems in both the U.S. and Europe displayed potential gaps in security, a major concern for U.S.-based mobile merchants is that they currently have less protection from some of these exploits than their European counterparts, since U.S. merchants make less use of EMV chip transactions.

Although 96 percent of credit cards in the U.S. support EMV, in addition to the traditional magnetic stripe, only 13 percent of U.S.-based mPOS devices utilize the chip, according to Visa. In Europe, where chip cards have been the standard for decades, about 95 percent of all mobile point-of-sale transactions are run using the less exploitable chip.
