Hack mobile point-of-sale systems? Researchers count the ways

Security researchers uncovered widespread vulnerabilities in mobile point-of-sale readers offered by Square, SumUp, PayPal and iZettle.

Ever since the infamous and massive security breach at retailer Target nearly five years ago, more and more attention has focused on the potential flaws that can make payment systems vulnerable to digital attack.

And now, with payments increasingly shifting to mobile platforms, the potential for hacking appears to be shifting as well, to the mobile point-of-sale (mPOS) systems that let merchants accept card and even cryptocurrency payments on the go.

Presenting at the Black Hat USA information security conference last week in Las Vegas, prominent U.K. security researchers showcased recent research detailing the inherent vulnerabilities they discovered among four of the most popular mPOS systems operating in both the United States and Europe. In what is believed to be the most comprehensive review of mPOS security to date, researchers from London-based Positive Technologies plumbed the inner workings of the mobile payment infrastructure of seven mPOS readers offered by Square, SumUp, PayPal and iZettle and found a host of potential ways to hack these systems.

In a live demonstration based on their work, Positive Technologies Cyber Security Resilience Lead Leigh-Anne Galloway and Senior Banking Security Expert Tim Yunusov showcased vulnerabilities in these systems that could allow cyber-criminals to conduct man-in-the-middle attacks, send random code through a Bluetooth connection or the system’s mobile application, modify payment values for transactions authorized with a magnetic stripe card, exploit internal firmware and conduct denial-of-service (DoS) or remote code execution (RCE) exploits. Furthermore, the presenters pointed out that most, if not all, of these exploits could be conducted without being detected by conventional anti-fraud or cybersecurity tools or techniques.

The type of attack typically depends on the ultimate goal of the attacker. For example, a cyber-criminal might send an arbitrary command to the mPOS system as part of a larger social engineering attack that is aimed at getting the cardholder to run their transaction again through a less secure channel. By tampering with transaction amounts, on the other hand, hackers could make a $5 transaction at point-of-sale look like a $50 transaction to the cardholder’s issuing bank. RCE exploits allow attackers to access the device memory, effectively turning an mPOS reader into a mobile skimmer from which they can electronically steal cardholders’ account information.

“Normally, a [customer] goes into a business and interacts with the payment terminal directly, or hands their card to the merchant,” Galloway said during her Black Hat presentation, titled ‘For the love of money: finding and exploiting vulnerabilities in mobile point-of-sale systems’. “The transaction goes to the merchant acquirer, that talks to the issuer [bank]… But with the mPOS [transaction], there is no relationship directly with the merchant acquirer. [Merchants] work with the mPOS provider, who may or may not be assessing security risk.”

Unlike past testing, which focused on older card standards and on systems that tend to rely on magnetic stripe acceptance and traditional stationary transaction terminals, this testing of attack vectors explored how newer payment standards like near-field communications (NFC) and EMV for chip cards, as well as mPOS hardware, software and processes, could be exploited. Indeed, for smaller merchants, some of whom may not even operate with a traditional storefront, the benefit of these mobile payment systems is ease of use and cost: businesses don’t need to establish a merchant bank account and mPOS devices can cost as little as $50. In fact, the mPOS terminal market is predicted to reach $55 billion by 2024, according to research from strategy consulting firm Global Market Insights.

Galloway said the research project, which began with the aim of investigating potential flaws in two systems from two vendors and quickly expanded, was initially inspired by reports of a group of Boston-based student hackers in 2015 who were able to exploit mPOS systems. “We had a basic understanding of the attack vectors,” said Galloway. “But our key question remained, ‘how much security is built in here?’”

While mPOS systems in both the United States and Europe displayed potential gaps in security, a major concern for U.S.-based mobile merchants is that they currently have less protection from some of these exploits than their European counterparts, since they make less use of EMV chip transactions. Although 96 percent of credit cards in the United States now boast a more secure chip, in addition to the traditional magnetic stripe, only 13 percent of U.S.-based mPOS devices utilize the chip. In Europe, where chip cards have been the standard for decades, about 95 percent of all mobile point-of-sale transactions are run using the less exploitable chip.

Positive Technologies disclosed its findings to the vendors in whose products it found flaws, and is working with these companies to patch the vulnerabilities. And mPOS providers are already forging ahead to close these security gaps: since finding out its M010 mobile terminal had serious vulnerabilities, Square moved up existing plans to drop support for this reader and start converting its mobile merchants to a more up-to-date and secure Square contactless and chip reader, according to a release from the company.

