Security flaws in mobile point-of-sale systems spell money trouble

More like point-of-fail systems.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read
Security researchers discovered vulnerabilities in mobile card readers. Square and the other companies involved say they've fixed the holes.

Security researchers discovered vulnerabilities in mobile card readers. Square and the other companies involved say they've fixed the holes.

James Martin/CNET

Cheaper payment systems may cost businesses less, but they could've wound up costing customers more.

That's the word from a pair of security researchers, who discovered that mobile payment systems had vulnerabilities that could let hackers steal credit card info or change the value of what people pay.

Researchers Leigh-Anne Galloway and Tim Yunusov of cybersecurity company Positive Technologies revealed their findings at the Black Hat security conference in Las Vegas on Thursday.

Point-of-sale terminals, such as credit card readers, are increasingly a common target for hackers, since that's where the money is. Cybercriminals can steal troves of financial data from weak cybersecurity on these terminals, and attacks on the systems have affected millions of people at hotels, stores and restaurants.

Attackers are specifically looking at inexpensive card readers, which have exploded in popularity as small businesses like your local food truck use them to accept noncash payments.

These mobile readers often attach to another device, like a smartphone or a tablet. Researchers estimate that 46 percent of all noncash payments will be done through a mobile reader by 2019.

Galloway and Yunusov looked at readers from the most popular mobile point-of-sale, or mPOS, providers in the US and Europe: Square, PayPal, SumUp and iZettle.

The researchers said they wanted to examine how much security there was in mobile readers that cost less than $50. It turns out, Galloway said, physically they were really hard to get into, but as far as cybersecurity goes, they found a few holes.

Three of the readers mentioned had a flaw that could've let a dishonest merchant change what customers see on the screen. That meant the device could show that a transaction failed when it really didn't and prompt customers to pay twice. The vulnerability opened up various possibilities for merchants to steal from customers.

"It's possible, if you were a fraudulent merchant, you could change the transaction value to make it a higher value than what's displayed on the reader," Galloway said in an interview before Black Hat. "The significance is that this a realistic attack vector because so many transactions are carried out through swipes."  

The display could also be adjusted to ask customers to use the magnetic stripe on the credit card, instead of the more secure chip. That would make victims vulnerable to attacks already associated with swiping cards.

Many mPOS terminals use Bluetooth to connect to devices, and the Positive Technologies researchers found that most of them didn't use a secure form of pairing.

In a secure protocol, Galloway said, Bluetooth devices could be associated with a password, or with a notification that lets people know what gadgets they've connected to wirelessly. Galloway and Yunusov said this wasn't being implemented in the readers they looked at.

"You might just never know if someone was an attacker [and] walked into your cafe and connected to your reader," Galloway said.

The vulnerabilities hadn't been used by any attackers yet, the researchers said. If you're concerned, your best bet is to stay away from swiped transactions and stick to the security chips, which offer better protection.

Square said the vulnerabilities were only on the Miura M010 Reader, a third-party sales system that connected to Square's software.

"As soon as we became aware of a vulnerability affecting the Miura Reader, we accelerated existing plans to drop support for the M010 Reader, and began transitioning all these Square sellers to a free Square Contactless and Chip Reader," a Square spokesperson said.

Miura Systems Chairman Andrew Dark downplayed the attack's potential, saying you'd need "a skilled attacker being present" to pull it off. He also said these vulnerabilities were only on an older version of Miura's readers and have been fixed since 2016.

In a statement, SumUp said there haven't been any attacks because the vulnerabilities relied on magnetic stripes instead of security chips. The company said it's fixed the vulnerabilities mentioned. PayPal and iZettle also said they'd fixed the discovered vulnerabilities.

Yunusov said he and Galloway first informed the affected companies in April.

First published Aug. 9, 4 p.m. PT
Update, 5:29 p.m.: Clarifies information about the Miura M010 Reader.

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad of services that will change your life.