Bugs in MPoS devices could expose customers
Written by Hannah McGrath
Security flaws in a number of market-leading mobile point of sale (MPoS) devices could leave customers open to fraudulent charging and vulnerable payment methods, according to researchers.
Leigh-Anne Galloway and Tim Yunusov, researchers from security firm Positive Technologies, looked at seven MPoS devices popular in the US and Europe, including devices sold by Square, iZettle, PayPal and SumUp.
MPoS devices use Bluetooth connections to communicate with mobile applications, which then send payment information to a mobile server.
The pair found a variety of bugs which, they claim, could allow malicious actors to execute man-in-the-middle transactions, access the Bluetooth and mobile applications which support the devices, and modify payment values for magnetic stripe (magstripe) transactions.
By intercepting the transaction, it is possible to modify the value of magstripe transactions shown on the card reader, the researchers claimed in a summary of their findings.
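The weakness described above is an amount field that can be changed between the reader and the system that charges the card. As an added illustration, not code from the article or from any of the vendors named, the following simulation contrasts a reader-to-backend message with no integrity protection against one carrying an HMAC tag, and shows that the tagged message fails verification once the amount is altered in transit. The shared device key, message layout and field names are constructed for the demo and are not a description of any real MPoS protocol.

```python
import hmac
import hashlib
import json

# Constructed demo key (assumption: reader and backend share a per-device secret).
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def _canonical(body: dict) -> bytes:
    """Serialise the fields deterministically so both sides tag identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_message(amount_cents: int, reader_id: str, nonce: str) -> dict:
    """Reader side: attach an HMAC-SHA256 tag over amount, reader id and a per-transaction nonce."""
    body = {"reader_id": reader_id, "amount_cents": amount_cents, "nonce": nonce}
    tag = hmac.new(DEVICE_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_message(msg: dict) -> bool:
    """Backend side: recompute the tag over the received body and compare in constant time."""
    expected = hmac.new(DEVICE_KEY, _canonical(msg["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


def unauthenticated_amount(msg: dict) -> int:
    """Baseline with no integrity check: the backend charges whatever amount arrives."""
    return msg["body"]["amount_cents"]


def relay_with_altered_amount(msg: dict, new_amount_cents: int) -> dict:
    """Models in-transit modification of the amount field (the rest of the message,
    tag included, is forwarded unchanged). Used here only to exercise the check."""
    altered = json.loads(json.dumps(msg))  # deep copy so the original stays intact
    altered["body"]["amount_cents"] = new_amount_cents
    return altered


def demo() -> dict:
    original = build_message(1500, "reader-demo-01", "nonce-0001")
    tampered = relay_with_altered_amount(original, 100)
    return {
        "original_verifies": verify_message(original),      # True
        "tampered_verifies": verify_message(tampered),      # False: tag no longer matches
        "unauthenticated_amount": unauthenticated_amount(tampered),  # 100, silently accepted
    }


if __name__ == "__main__":
    print(demo())
```

The nonce is included so that a replayed message carrying an old, valid tag can be rejected by a backend that tracks seen nonces; the constant-time comparison avoids leaking tag bytes through timing. The same idea applies to whatever the reader displays to the customer: the displayed amount should be derived from the authenticated message, not from a field that any intermediary can rewrite.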
A number of the MPoS devices were also found to be vulnerable to remote code execution attacks, which would enable attackers to access the card reader’s operating system.
In a statement presenting the findings, the researchers warned merchants and customers paying via an MPoS device against using magstripe transactions, urging them to use chip and PIN, chip and signature or contactless instead.
Leigh-Anne Galloway said: “These days it’s hard to find a business that doesn’t accept faster payments. mPoS terminals have propelled this growth, making it easier for small and micro-sized businesses to accept non-cash payments.
“Currently there are very few checks on merchants before they can start using an mPoS device and less scrupulous individuals can therefore, essentially, steal money from people with relative ease if they have the technical know-how. As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”
Positive Technologies disclosed its findings to the vendors and manufacturers named in the research and stated that the company was assisting affected parties to close the issues that were identified.
Retail Systems has contacted the vendors named in the research for comment.