Saturday, 4 February 2023

Hack mobile point-of-sale systems? Researchers count the ways

Ever since the infamous and massive security breach at retailer Target nearly five years ago, more and more attention has focused on the potential flaws that can make payment systems vulnerable to digital attack.

And now, with payments increasingly shifting to mobile platforms, it appears that the potential for hacking the mobile point-of-sale (mPOS) systems that let merchants accept card and even cryptocurrency payments on the go is shifting with them.

Presenting at the Black Hat USA information security conference last week in Las Vegas, prominent U.K. security researchers showcased recent research detailing the inherent vulnerabilities they discovered in four of the most popular mPOS systems operating in both the United States and Europe. In what is believed to be the most comprehensive review of mPOS security to date, security researchers from London-based Positive Technologies plumbed the inner workings of the mobile payment infrastructure of seven mPOS readers offered by Square, SumUp, PayPal and iZettle and found a host of potential ways to hack these systems.

In a live demonstration based on their work, Positive Technologies Cyber Security Resilience Lead Leigh-Anne Galloway and Senior Banking Security Expert Tim Yunusov showcased vulnerabilities in these systems that could allow cyber-criminals to conduct man-in-the-middle attacks, send random code through a Bluetooth connection or the system’s mobile application, modify payment values for transactions authorized with a magnetic stripe card, exploit internal firmware and conduct denial-of-service (DoS) or remote code execution (RCE) exploits. Furthermore, the presenters pointed out that most, if not all, of these exploits could be conducted without being detected by conventional anti-fraud or cybersecurity tools or techniques.

The type of attack typically depends on the ultimate goal of the attacker. For example, a cyber-criminal might send an arbitrary command to the mPOS system as part of a larger social engineering attack aimed at getting the cardholder to run their transaction again through a less secure channel. By tampering with transaction amounts, on the other hand, hackers could make a $5 transaction at the point of sale look like a $50 transaction to the cardholder’s issuing bank. RCE exploits allow attackers to access the device memory, effectively turning an mPOS reader into a mobile skimmer from which they can electronically steal cardholders’ account information.
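Two of the outcomes described above leave a trace that a merchant or acquirer can look for after the fact: a magnetic-stripe transaction whose authorized amount does not match the amount the merchant's app recorded for the sale, and a card that was first presented by chip or NFC and then re-run through the magnetic stripe on the same reader a few minutes later. The following reconciliation check is an added example written for this article; it is not code from Positive Technologies or from any of the vendors named, and it assumes a simplified transaction record (the `Txn` fields, the `entry_mode` values and the sample data are all constructed for illustration, not a real mPOS data format).

```python
"""Reconciliation checks over mPOS transaction records (added example).

Flags two patterns from the article, using constructed records:
  1. a magnetic-stripe transaction whose authorized amount differs from
     the amount the merchant app recorded for the sale;
  2. the same card, on the same reader, presented by chip/NFC and then
     re-run via magnetic stripe within a short window (a downgrade rerun).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    reader_id: str
    card_token: str        # tokenised card reference (constructed, not a PAN)
    entry_mode: str        # assumed values: "chip", "nfc", "magstripe"
    sale_amount: Decimal   # amount the merchant app recorded for the sale
    auth_amount: Decimal   # amount carried in the authorization request
    ts: datetime


def amount_mismatches(txns):
    """txn_ids of magstripe transactions whose auth amount != recorded sale amount."""
    return [t.txn_id for t in txns
            if t.entry_mode == "magstripe" and t.auth_amount != t.sale_amount]


def downgrade_reruns(txns, window=timedelta(minutes=5)):
    """(first_id, rerun_id) pairs: same card and reader, chip/NFC followed by
    magstripe within `window`. Records are sorted by timestamp first."""
    ordered = sorted(txns, key=lambda t: t.ts)
    hits = []
    for i, first in enumerate(ordered):
        if first.entry_mode not in ("chip", "nfc"):
            continue
        for later in ordered[i + 1:]:
            if later.ts - first.ts > window:
                break  # sorted, so nothing further can be inside the window
            if (later.reader_id == first.reader_id
                    and later.card_token == first.card_token
                    and later.entry_mode == "magstripe"):
                hits.append((first.txn_id, later.txn_id))
    return hits


def run_checks(txns):
    """Run both checks and return their findings keyed by rule name."""
    return {
        "amount_mismatch": amount_mismatches(txns),
        "downgrade_rerun": downgrade_reruns(txns),
    }


# Constructed sample: a $5 sale authorized for $50 after a magstripe rerun.
T0 = datetime(2018, 8, 9, 10, 0, 0)
SAMPLE = [
    Txn("T1", "reader-A", "tok-1111", "chip",      Decimal("5.00"),  Decimal("5.00"),  T0),
    Txn("T2", "reader-A", "tok-1111", "magstripe", Decimal("5.00"),  Decimal("50.00"), T0 + timedelta(minutes=2)),
    Txn("T3", "reader-A", "tok-2222", "magstripe", Decimal("12.00"), Decimal("12.00"), T0 + timedelta(minutes=10)),
    Txn("T4", "reader-B", "tok-1111", "nfc",       Decimal("20.00"), Decimal("20.00"), T0 + timedelta(minutes=20)),
]

if __name__ == "__main__":
    for rule, findings in run_checks(SAMPLE).items():
        print(f"{rule}: {findings}")
```

The mismatch rule catches the amount change on its own; the rerun rule adds context, since a chip read followed almost immediately by a stripe read of the same card is exactly the "try it again through a less secure channel" pattern the researchers described. Neither rule needs the reader's firmware or Bluetooth traffic, only the records the merchant and acquirer already hold.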
