Vulnerabilities in multiple mobile point-of-sale machines allow malicious merchants to take advantage of customers by changing the amount charged and forcing cardholders to use a more vulnerable payment method.
Positive Technologies researchers Leigh-Anne Galloway and Tim Yunusov outlined at Black Hat a number of flaws they have discovered in mobile point-of-sale (mPOS) devices, which can allow fraudulent merchants to interfere with payments, changing the amount charged and forcing customers to use insecure payment methods, such as magstripe. The vulnerabilities have been discovered in a number of market-leading mPOS devices popular in both the U.S. and Europe—Square, SumUp, iZettle, and PayPal.
The use of mPOS devices has seen huge growth over the last few years as the barriers to entry to be provided a device and start accepting card payments are effectively zero. Like ATMs and traditional POS, they are at the end point of payment infrastructure, meaning they are very attractive and accessible to criminals for both the testing of these devices and in the movement of fraudulent money. The Positive Technologies researchers found vulnerabilities that allow attackers to execute man-in-the-middle transactions, send arbitrary code via Bluetooth and mobile applications, modify payment values for magstripe transactions, and exploit a remote code execution vulnerability.
mPOS devices work by communicating through a Bluetooth connection to a mobile application, which then sends data to the payment provider's server. The researchers found that by intercepting the transaction it is possible to manipulate the amount value of magstripe transactions. A fraudulent merchant can gain access to the traffic, modify the amount that is presented to the customer on the card reader, forcing the customer to authorize an entirely different amount without being aware. Still only 58.5 percent of debit and credit cards in the U.S. are EMV-enabled, and, lower still, 41 percent of transactions are made in this way, making attacks against magstripe a very significant threat.
A number of the mPOS devices were also vulnerable to Remote Code Execution (RCE) attacks. With this vulnerability, it is possible to gain access to the whole operating system of the reader. In addition, it is possible to send arbitrary commands to some of the readers and influence the purchaser's behavior. For example, fraudulent merchants can force customers to use a more vulnerable payment method (such as magstripe) or say that a payment was declined, encouraging the customer to make multiple payments.
Leigh-Anne Galloway of Positive Technologies said: "These days it's hard to find a business that doesn't accept faster payments. mPOS terminals have propelled this growth, making it easier for small and micro-sized businesses to accept non-cash payments. Currently there are very few checks on merchants before they can start using an mPOS device and less scrupulous individuals can therefore, essentially, steal money from people with relative ease if they have the technical know-how. As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”
Tim Yunusov of Positive Technologies further commented: "Anyone who is making a payment on an mPOS device should not make the transaction via magstripe, but instead use chip and pin, chip & signature, or contactless. Merchants should also assess the risk of any device they plan on integrating into their business. Those using cheaper devices need to take steps to mitigate the risk. There is no need to still be reliant on magstripe transactions. While the market for most of these products is currently not very mature, the popularity is growing so it is imperative that security is made a priority."
The vulnerabilities were disclosed to all of the vendors and manufacturers within the scope of this research. Positive Technologies is assisting the affected parties to close the issues that were identified.