Portable credit card readers are undeniably convenient. All manner of shops, such as farmers' markets, food trucks, or even small market stalls, can use these mobile point-of-sale systems to take easy credit card payments. But as it turns out, they can carry serious security flaws, and that is very concerning.
Devices sold by four of the leading companies – Square, iZettle, SumUp, and PayPal – have all been found to have issues that could leave cardholders' bank accounts drained.
These issues include bugs that allow an attacker to manipulate commands over Bluetooth or through the mobile apps, modify payment amounts in magstripe swipe transactions, and gain full remote control of the device. Leigh-Anne Galloway and Tim Yunusov of the security firm Positive Technologies looked into seven mobile point-of-sale devices made by the four companies and are the researchers behind these findings.
The project began when they started questioning how much security can be built into devices priced at less than $50.
“With that in mind, we started off quite small by looking at two vendors and two card readers. But it quickly grew to become a much bigger project,” Galloway states.
The findings were very concerning, as products from all four manufacturers were indeed found to have vulnerabilities, although not all models were vulnerable to all of the bugs. In particular, the vulnerabilities in Square's and PayPal's mobile POS systems were found in third-party hardware made by a company called Miura.
Researchers found that bugs in Bluetooth and mobile app connectivity could be exploited to intercept transactions or modify commands, allowing attackers to disable chip-based transactions. This forces customers to use the less-secure magstripe swipe method, which makes it easier for hackers to steal a customer’s card information and clone it.
Additionally, rogue merchants could alter the mPOS so that it reports a transaction as declined. A customer will then try to repeat the process multiple times, resulting in multiple payments being taken from a single card. Traffic can also be intercepted and modified to change the value of the payment, getting the customer to approve a seemingly normal transaction that is actually for a much larger amount.
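The repeat-charge pattern described above is visible from the acquirer's side: the same card is approved several times at the same merchant, for the same amount, within minutes. The following Python example is added here and is not from the article or from Positive Technologies; the log format and sample lines are constructed for illustration.

```python
"""Flag cards charged repeatedly at one merchant within a short window,
the trace left when a tampered reader shows 'declined' while the
authorisations actually succeed. Log format and data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed acquirer log: timestamp, merchant id, card token,
# amount in cents, authorisation result. Not real data.
SAMPLE_LOG = """\
2018-08-09T10:01:05 M-1001 tok_4a1f 1250 APPROVED
2018-08-09T10:01:48 M-1001 tok_4a1f 1250 APPROVED
2018-08-09T10:02:31 M-1001 tok_4a1f 1250 APPROVED
2018-08-09T10:03:02 M-1002 tok_9c77 4500 APPROVED
2018-08-09T10:09:10 M-1001 tok_b2e0 800 DECLINED
2018-08-09T10:09:40 M-1001 tok_b2e0 800 APPROVED
2018-08-09T10:40:00 M-1001 tok_4a1f 1250 APPROVED
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, merchant, card, amount, result = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "merchant": merchant,
                        "card": card, "amount": int(amount), "result": result})
    return records


def find_repeat_charges(records, window=timedelta(minutes=5), min_count=3):
    """Return sorted (merchant, card) pairs with at least `min_count`
    APPROVED charges of the same amount inside any sliding `window`.
    Declined attempts are ignored: a real decline costs the customer nothing."""
    by_key = defaultdict(list)
    for r in records:
        if r["result"] == "APPROVED":
            by_key[(r["merchant"], r["card"], r["amount"])].append(r["ts"])
    flagged = set()
    for (merchant, card, _amount), times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until all charges in it fit the window.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_count:
                flagged.add((merchant, card))
                break
    return sorted(flagged)
```

With the sample log, only tok_4a1f at M-1001 is flagged: three approved charges in under two minutes, while its fourth charge 40 minutes later falls outside the window.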
The researchers also reported weaknesses in firmware validation, including the possibility of downgrades, which would let an attacker install outdated or tampered firmware versions and expose the devices further.
Thankfully, the manufacturers have been notified and are already addressing the issues. Galloway and Yunusov are also pleased with the proactive responses from the vendors whose terminals are in frequent use. They hope that their findings will raise awareness of the broader issue of making security a development priority for low-cost embedded devices.