UPDATED (see bottom of article)
Positive Technologies has published a list of vulnerabilities in mobile point-of-sale (mPOS) technology. The vulnerabilities allow a malicious merchant to charge a customer a different amount from the one the customer sees and approves on the reader. They also allow the merchant to force a customer to pay by magstripe rather than chip and PIN.
The details were unveiled at hacker conference Black Hat by researchers Leigh-Anne Galloway and Tim Yunusov. This is not just an isolated instance with one particular mPOS device. The researchers revealed that mPOS devices from Square, SumUp, iZettle, and PayPal are all affected.
mPOS devices have become popular with some types of small businesses. Market traders, plumbers, window cleaners and even ticket collectors on railway trains use them. An mPOS device allows them to take card payments rather than handle large amounts of cash. This means they can still take payment when a customer does not have enough cash on them, and it lessens the risk of being robbed of their takings.
Leigh-Anne Galloway of Positive Technologies said: “These days it’s hard to find a business that doesn’t accept faster payments. mPOS terminals have propelled this growth, making it easier for small and micro-sized businesses to accept non-cash payments.
“Currently there are very few checks on merchants before they can start using an mPOS device and less scrupulous individuals can therefore, essentially, steal money from people with relative ease if they have the technical know-how. As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”
How do the mPOS device vulnerabilities work?
The mPOS devices use Bluetooth to connect to a mobile application, typically on the merchant's own phone. The phone then connects to the payment provider's server to complete the transaction. It is a simple and effective replacement for the old paper card-imprint machines, which often left the merchant exposed to fraud from stolen cards.
The mPOS devices are susceptible to a man-in-the-middle (MitM) attack. Because the merchant controls the phone that sits between the reader and the server, a malicious merchant can intercept and modify the traffic passing between the two. As a result, the customer sees one amount on the reader and authorises it, while the amount actually sent for authorisation is a higher one that was never displayed to the customer. The underlying weakness is that the amount shown on the reader and the amount charged by the server travel as separate values, with nothing binding one to the other.
A second attack exploits a remote code execution (RCE) vulnerability in the reader itself. This gives the attacker complete control of the operating system on the mPOS device. It means they can disable chip and PIN and force the customer to fall back to the magstripe, whose data is far easier to copy and reuse. Galloway and Yunusov say the device could also be configured to report that a payment was declined, letting the merchant persuade the customer to present the card several times over.
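The amount-substitution attack described above, as an added example rather than code from the researchers or from any of the vendors named. It is a constructed toy model of the three-party flow (reader, merchant app, provider server); the message fields, the shared reader key and the HMAC binding are assumptions, not any vendor's real protocol. The weak flow lets the merchant's phone show the cardholder one amount and send the server another; the hardened flow has the reader sign the amount it actually displayed, so the server can refuse a charge that does not match.

```python
import hmac
import hashlib
from typing import Optional

# Constructed example: a toy model of the mPOS flow, not any vendor's protocol.
# READER_KEY stands in for a secret provisioned into the reader and known to
# the provider's server; the merchant's phone never holds it. (Assumption.)
READER_KEY = b"reader-secret-provisioned-at-manufacture"


def reader_approve(displayed_cents: int) -> dict:
    """Weak reader: shows the amount, takes the PIN, returns a bare approval.
    Nothing in the approval says what amount the cardholder actually saw."""
    return {"displayed": displayed_cents, "approved": True}


def reader_approve_bound(displayed_cents: int) -> dict:
    """Hardened reader: also returns an HMAC over the displayed amount,
    computed with a key the merchant's phone does not have."""
    tag = hmac.new(READER_KEY, str(displayed_cents).encode(), hashlib.sha256).hexdigest()
    return {"displayed": displayed_cents, "approved": True, "display_tag": tag}


def merchant_app_request(approval: dict, charge_cents: int) -> dict:
    """The merchant-controlled phone builds the authorisation request.
    A malicious merchant simply puts a different amount here from the one
    it told the reader to display; this is the man-in-the-middle step."""
    req = {"amount": charge_cents, "approved": approval["approved"]}
    if "display_tag" in approval:
        req["display_tag"] = approval["display_tag"]
    return req


def server_authorise_weak(req: dict) -> Optional[int]:
    """Weak server: charges whatever amount the app sent, as long as the
    reader reported an approval. Returns the amount charged, or None."""
    return req["amount"] if req.get("approved") else None


def server_authorise_bound(req: dict) -> Optional[int]:
    """Hardened server: recomputes the reader's tag over the amount it is
    being asked to charge and declines if it does not match what was shown."""
    if not req.get("approved"):
        return None
    expected = hmac.new(READER_KEY, str(req["amount"]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, req.get("display_tag", "")):
        return None  # amount charged != amount displayed to the cardholder
    return req["amount"]


def run_weak(displayed_cents: int, charge_cents: int) -> Optional[int]:
    """End-to-end weak flow: returns the amount the server actually charged."""
    approval = reader_approve(displayed_cents)
    return server_authorise_weak(merchant_app_request(approval, charge_cents))


def run_bound(displayed_cents: int, charge_cents: int) -> Optional[int]:
    """End-to-end hardened flow: returns the amount charged, or None if declined."""
    approval = reader_approve_bound(displayed_cents)
    return server_authorise_bound(merchant_app_request(approval, charge_cents))


if __name__ == "__main__":
    # Cardholder sees 10.00 on the reader; merchant asks the server for 100.00.
    print("weak flow charged:", run_weak(1000, 10000))        # 10000
    print("bound flow charged:", run_bound(1000, 10000))      # None (declined)
    print("bound flow, honest:", run_bound(1000, 1000))       # 1000
```

The same check catches the mirror-image attack, where the phone tells the reader to display a lower amount than the one it sends to the server, because the tag is always computed over what the reader showed. In a real deployment the binding would also cover the transaction identifier and a nonce so a tag cannot be replayed against a later request; that is left out here to keep the mechanism visible.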
What does this mean?
Governments are pushing for digital payments over cash in order to reduce fraud. They see mobile businesses, which often operate on the fringe of the black economy, as a key target group. Simpler accounting software and the use of mPOS terminals are part of the solution. This is about more than reducing fraud: it gives such businesses a way to take small payments from customers who are themselves relying less on cash.
This research could be seen as a setback. The mPOS providers need to respond quickly and close these vulnerabilities, but they will not be the last. Anyone can buy these readers, and with a device in hand, attackers can keep probing them and developing new ways to break in.
This creates a challenge for the payment card industry, which takes a share of every payment that goes through these machines. It has to show that it is responding more positively than in the past. It was recently criticised for its overreliance on fining small businesses that had payment issues, and that is not a sustainable approach. What is needed is a better testing and approval process for mPOS terminals. The payments industry could fund this, and there is no reason why it would not pay for itself through reduced fraud.
For now, Positive Technologies is working with the mPOS providers to help fix the current issues and create more secure solutions.
A Square Spokesperson has provided the following statement:
“Square has a variety of systems in place to detect if the Square app has been tampered with and block related transactions. In fact, we detected the researchers’ actions on our network early on and automatically blocked their ability to take additional payments. We thank the researchers for their report, as this type of work helps us strengthen our systems, and we’ve already updated our defenses based on their findings.”
With regard to the Square device mentioned by Positive Technologies the spokesperson added:
“The Miura M010 Reader is a third-party credit card chip reader that we initially offered as a stopgap and today is used by only a few hundred Square sellers. As soon as we became aware of a vulnerability affecting the Miura Reader, we accelerated existing plans to drop support for the M010 Reader, and began transitioning all these Square sellers to a free Square Contactless and Chip Reader. As a result, today it is no longer possible to use the Miura Reader on the Square ecosystem. It’s important to note that this is not a vulnerability in any Square hardware or software, and we have no indication that any Square sellers have been impacted by it.”