
Vulnerabilities discovered in mPOS devices


During this year's Black Hat conference in Las Vegas, Positive Technologies researchers Leigh-Anne Galloway and Tim Yunusov outlined a number of flaws they discovered in mobile point-of-sale (mPOS) devices that could allow fraudulent merchants to interfere with payments.

The vulnerabilities were discovered in a number of mPOS devices popular in both the US and Europe including Square, SumUp, iZettle and PayPal.

Over the last few years, mPOS devices have seen huge growth because the barriers to obtaining a device and starting to accept card payments are basically zero. These devices are similar to both ATMs and traditional POS terminals in that they sit at the end point of the payment infrastructure, which makes them quite attractive to hackers and other cyber criminals.

Positive Technologies' researchers found vulnerabilities in mPOS devices that allow attackers to carry out man-in-the-middle transactions, send code via Bluetooth and mobile apps, modify payment values for magstripe transactions and exploit a remote code execution vulnerability.

By intercepting a transaction, it is possible to manipulate the amount value of magstripe transactions. A fraudulent merchant could gain access to the traffic, modify the amount shown to the customer on the card reader and then force them to authorise a different amount without their knowledge.

Attacks against magstripe present a significant threat because only 58.5 per cent of debit and credit cards in the US are EMV-enabled, with only 41 per cent of transactions carried out this way.

Tim Yunusov offered further insight on the threat magstripe transactions pose, saying:

"Anyone who is making a payment on an mPOS device should not make the transaction via magstripe, but instead use chip and pin, chip & signature, or contactless. Merchants should also assess the risk of any device they plan on integrating into their business. Those using cheaper devices need to take steps to mitigate the risk. There is no need to still be reliant on magstripe transactions. While the market for most of these products is currently not very mature, the popularity is growing so it is imperative that security is made a priority." 

The vulnerabilities were disclosed to all of the vendors and manufacturers affected and NCR has already released a patch addressing the issue.


Anthony Spadafora
After living and working in South Korea for seven years, Anthony now resides in Houston, Texas where he writes about a variety of technology topics for ITProPortal.