Risk of Fraud in Mobile Point-of-Sale Device Flaw: Yesterday the Final day of Black Hat USA 2018, researchers from Positive Technologies demonstrated how attackers could exploit a flaw in mobile point-of-sale (mPOS) devices to charge fraudulent transactions and alter the amount charged during a transaction.
This flaw allow the attackers to execute man in the middle transactions, which can send various types of code via Bluetooth or other mobile applications, and could easily change the payment values for magstripe transactions. Researchers Leigh-Anne Galloway and Tim Yunusov also have found that the mPOS devices are also vulnerable to remote code execution (RCE), which can give you an attacker access to the whole operation system of the reader.
The researchers have successfully discovered the vulnerabilities in four market leading mPOS devices – Square, SumUp, iZettle and PayPal – and have disclosed the vulnerabilities to all of the providers.
Sure the use of mPOS has grown so much in just few years from now. While it is the endpoint of payment infrastructure, there is no barrier to entry for a device to begin accepting card payments. Thus, mPOS providers are attractive targets to criminals.
“These days it’s hard to find a business that doesn’t accept faster payments. mPOS terminals have propelled this growth, making it easier for small and micro-sized businesses to accept noncash payments,” Galloway said.
“Currently there are very few checks on merchants before they can start using mPOS device and less-scrupulous individuals can, therefore, essentially steal money from people with relative ease if they have the technical know-how,” Galloway continued. “As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”
Well more than half (58.5%) of debit and credit cards in the U.S are EMV enabled, and around only 41% of transactions are made in this way, which is making attacks against magstripe a very significant threats, according to Positive Technologies.
“Anyone who is making a payment on an mPOS device should not make the transaction via magstripe but instead use chip and pin, chip and signature, or contactless,” Yunusov said.
“Merchants should also assess the risk of any device they plan on integrating into their business. Those using the cheaper devices need to take the steps to mitigate the risk. There is no need to still be relieant on magstripe transactions. Whiel the market for most of these products is currently not very mature, the popularity is growing so it is imperative that security is made a priority.”