
Researchers hack mPOS devices, play Flappy Bird

07 April 2014

Mobile point-of-sale (mPOS) devices can be easily hacked, leaving banks, retailers and customers open to fraud, claims MWR InfoSecurity, which has even managed to play Flappy Bird on one reader.

Led by names such as Square, PayPal and iZettle, the mPOS market has mushroomed over the last couple of years, bringing card payments to small- and medium-sized businesses.

Outside of the US, manufacturers have built chip and PIN readers which have been certified as secure by the major card firms.

However, researchers at MWR Labs say that crooks can easily gain control over terminals, display 'try again' messages, switch to insecure mode and capture PINs.

The company's head of research says: "What we have found reveals that criminals can compromise the mPOS payment terminal and get full control over it. This would allow an attacker to gather PIN and credit card data, and even change the software on the device so that it accepts illegitimate payments."

Reporting their findings at the SyScan security conference in Singapore, the team showed that they were even able to use an iZettle-branded card reader built by Miura Systems - which provides devices to PayPal, Payleven and Worldpay, among others - to play a simplified version of the popular game Flappy Bird:

[Video: "Chippy Pin" from Nils on Vimeo]


MWR is refusing to provide any details on how it hacked the readers but says that it has notified the vendors involved.

In a statement, device maker Miura says: "It has come to our attention that at the Syscan '14 Conference currently being held in Singapore certain vulnerabilities were identified in a number of mPOS PIN entry solutions, from a variety of manufacturers.

"An mPOS PIN entry solution designed by Miura Systems Limited was mentioned as having potential vulnerabilities, despite there being no evidence or indication that any loss has been suffered from any historical attack on these perceived weaknesses.

"Miura continues to maintain and invest in providing advances in preventing fraudulent activity and its solutions are independently tested by PCI (Payment Card Industry) against whose standards all Miura solutions are validated. As such, Miura's mPOS PIN entry solutions remain fully compliant with PCI PTS 3.0 & are UKCC Certified."

Comments: (2)

A Finextra member | 07 April, 2014, 15:31

There's an app for that:  

http://tinyurl.com/k6st67s


Niraj Singh - ICIC Bank Ltd - Mumbai | 08 April, 2014, 03:56

MWR should publish the result in detail for the benefit of merchants and banks.
