Subscribe to our e-newsletter
Follow us on Twitter
Privacy and cookies
Established 1996
Thursday 02 July 2020


Bugs in MPoS devices could expose customers

Written by Hannah McGrath

Security flaws in a number of market-leading mobile point of sale (MPoS) devices could leave customers open to fraudulent charging and vulnerable payment methods, according to researchers.

Leigh-Anne Galloway and Tim Yunusov, researchers from security firm Positive Technologies, looked at seven MPoS devices popular in the US and Europe, including devices sold by Square, iZettle, PayPal and SumUp.

MPoS devices use BlueTooth connections to communicate with mobile applications, which then send payment information to a mobile server.

The pair found a variety of bugs which, they claim, could allow malicious actors to execute man-in-the middle transactions, access the BlueTooth and mobile applications which support the devices, and modify payment values for magnetic stripe (magstripe) transactions.

By intercepting the transaction it is possible to modify the value of magstripe transactions shown on the card reader, the researchers claimed in a summary of their findings.

A number of the mPoS devices were also found to be vulnerable to remote code execution attacks, which would enable attackers to access the card reader’s operating system.

In a statement presenting the findings, the researchers warned merchants and customers paying via an MPos device against using magistripe transactions, but to use chip and pin, chip and signature or contactless instead.

Leigh-Anne Galloway said: "These days it's hard to find a business that doesn't accept faster payments. mPoS terminals have propelled this growth, making it easier for small and micro-sized businesses to accept non-cash payments.

“Currently there are very few checks on merchants before they can start using an mPOS device and less scrupulous individuals can therefore, essentially, steal money from people with relative ease if they have the technical know-how. As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”

Positive Technologies disclosed their findings to the vendors and manufacturers named in the research and stated that the company was assisting affected parties to close the issues that were identified.

Retail Systems has contacted the vendors named in the research for comment.

Related Articles


RS Winners brochure

Find out how HULFT can help you manage data, integration, supply chain automation and digital transformation across your retail enterprise.

Talking shop: retail technology solutions from Brother
Retail Systems editor Peter Walker sits down with Brother’s senior commercial client manager Jessica Stansfield to talk through the company’s solutions for retailers and hospitality businesses, what’s new in labelling technology, and the benefits of outsourcing printing.
Most read stories...
World Markets (15 minute+ time delay)