Mobile point-of-sale exploit exposes customers to card fraud

Devices from PayPal, Square, iZettle and SumUp all found to contain critical security flaws

Updated with comments from those companies affected

Mobile point-of-sale machines from some of the industry's leading payment providers have been found to contain vulnerabilities that allow fraudulent merchants to steal credit card information or intercept transactions to steal funds from customers.

Research presented at the Black Hat security conference in Las Vegas revealed that mPOS devices supplied by PayPal, iZettle, SumUp and Square all contained flaws that could lead to customers being tricked into paying more for their purchases.

Positive Technologies researchers Leigh-Anne Galloway and Tim Yunusov said that mPOS systems, such as card readers, had become a favoured target among criminals given how easy it is to get their hands on a device.

These systems are usually linked via Bluetooth to a smartphone or tablet mobile app, which then sends data to the payment provider's server. Researchers found that criminals or malicious merchants could intercept this traffic and change the value being transferred during a magstripe payment, without alerting the customer.

"Currently there are very few checks on merchants before they can start using an mPOS device and less scrupulous individuals can, therefore, essentially, steal money from people with relative ease if they have the technical know-how," said Galloway.

"As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning."

Hackers typically target cheaper devices, those frequently used by smaller businesses and places such as food stalls that require temporary payment systems, that tend not to be compatible with the latest secure payment options, such as EMV-enabled chip and pin.

Only 59% of card readers in the US are compatible with EMV payments, and the majority of payments are still made using a magstripe and signature, according to the researchers.

It was also discovered that it was possible to use remote code execution attacks to gain access to a device's operating system. This means that criminals could manipulate those devices that do use more secure chip and pin methods by making it look as if the payment method wasn't working, forcing the customer to opt for a magstripe instead.

Yunusov added that "merchants should also assess the risk of any device they plan on integrating into their business. There is no need to still be reliant on magstripe transactions".

"While the market for most of these products is currently not very mature, the popularity is growing so it is imperative that security is made a priority."

The researchers said that Square, PayPal, iZettle and SumUp had all been informed of the vulnerabilities and that Positive Technologies was working with them to help secure the devices.

A SumUp spokesperson told us that "there has never been any fraud attempted through its terminals using the magnetic stripe-based method."

"All the same, as soon as the researchers contacted us, our team successfully removed any possibility of such an attempt at fraud in the future. We welcome the magnetic stripe being phased-out, and user behaviour suggests that both vendors and purchasers share our position."

A spokesperson from iZettle said that "the issue flagged to us by the researcher is resolved, and the iZettle service and its community remain unaffected".

PayPal also said there has been no evidence that their devices have been exploited in such a way.

"Security is a top priority at PayPal and we recognize the important role that researchers and our user community play in helping to keep PayPal secure. PayPal's systems were not impacted and our teams have remediated the issues raised by the researcher."

Featured Resources

Unleashing the power of AI initiatives with the right infrastructure

What key infrastructure requirements are needed to implement AI effectively?

Download now

Achieve today. Plan tomorrow. Making the hybrid multi-cloud journey

A Veritas webinar on implementing a hybrid multi-cloud strategy

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

The workers' experience report

How technology can spark motivation, enhance productivity and strengthen security

Download now

Recommended

What is e-safety?
e safety

What is e-safety?

27 Jan 2021
Your essential guide to internet security
Security

Your essential guide to internet security

27 Jan 2021
Mimecast links breach to SolarWinds hackers
Security

Mimecast links breach to SolarWinds hackers

27 Jan 2021
TikTok vulnerability exposed private user data
data protection

TikTok vulnerability exposed private user data

26 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
Hackers are actively exploiting three Apple iOS flaws
exploits

Hackers are actively exploiting three Apple iOS flaws

27 Jan 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

26 Jan 2021