[BreachExchange] Hack mobile point-of-sale systems? Researchers count the ways

[Destry Winant]

https://www.csoonline.com/article/3297702/mobile/hack-a-mobile-point-of-sale-system-researchers-count-the-ways.html

Ever since the infamous and massive security breach at retailer Target
nearly five years ago, more and more attention has focused on the
potential flaws that can make payment systems vulnerable to digital
attack.

And now, with payments increasingly shifting to mobile platforms, it
appears that the potential for hacking the mobile point-of-sale (mPOS)
systems that make it possible for merchants to accept card and even
cryptocurrency payments on-the-go is also shifting.

Presenting at the Black Hat USA information security conference last
week in Las Vegas, prominent U.K. security researchers showcased
recent research detailing the inherent vulnerabilities they discovered
among four of the most popular mPOS systems operating in both the
United States and Europe. In what is believed to be the most
comprehensive review of mPOS security to-date, security researchers
from London-based Positive Technologies plumbed the inner workings of
the mobile payment infrastructure of seven mPOS readers offered by
Square, SumUp, PayPal and iZettle and found a host of potential ways
to hack these systems.

In a live demonstration, based off their work, Positive Technologies
Cyber Security Resilience Lead Leigh-Anne Galloway and Senior Banking
Security Expert Tim Yunusov showcased vulnerabilities in these systems
that could allow cyber-criminals to conduct man-in-the-middle attacks,
send random code through a Bluetooth connection or the system’s mobile
application, modify payment values for transactions authorized with a
magnetic stripe card, exploit internal firmware and conduct
denial-of-service (DoS) or remote code execution (RCE) exploits.
Furthermore, the presenters point out that most, if not all, of these
exploits could be conducted without being detected by conventional
anti-fraud or cybersecurity tools or techniques.

The type of attack typically depends on the ultimate goal of the
attacker. For example, a cyber-criminal might send an arbitrary
command to the mPOS system as part of a larger social engineering
attack that is aimed at getting the cardholder to run their
transaction again through a less secure channel. Whereas, by tampering
with transaction amounts, hackers could make a $5 transaction at
point-of-sale look like a $50 transaction to the cardholder’s issuing
bank. RCE exploits allow attackers to access the device memory,
effectively turning a mPOS reader into a mobile skimmer from which
they can electronically thieve cardholders’ account information.

“Normally, a [customer] goes into a business and interacts with the
payment terminal directly, or hands their card to the merchant,”
Galloway said during her Black Hat presentation, titled ‘For the love
of money: finding and exploiting vulnerabilities in mobile
point-of-sale systems’. “The transaction goes to the merchant
acquirer, that talks to the issuer [bank]… But with the mPOS
[transaction], there is no relationship directly with the merchant
acquirer. [Merchants] work with the mPOS provider, who may or may not
be assessing security risk.”

Unlike past testing that focused on older card standards and systems
that tend to utilize magnetic stripe-accepting systems and traditional
stationary transaction terminals, this attack vector testing explored
how newer payment standards like near-field communications (NFC) and
EMV for chip cards, as well as mPOS hardware, software and processes
could be exploited. Indeed, for smaller merchants, some of whom may
not even operate with a traditional storefront, the benefit of these
mobile payment systems is ease of use and cost—businesses don’t need
to establish a merchant bank account and mPOS devices can cost as
little as $50. In fact, the mPOS terminal market is predicted to reach
$55 billion by 2024, according to research from strategy consulting
firm Global Market Insights.

Galloway said the research project, which began with the aim of
investigating potential flaws in two systems from two vendors and
quickly expanded, was initially inspired by reports of a group of
Boston-based student hackers in 2015 who were able to exploit mPOS
systems. “We had a basic understanding of the attack vectors,” said
Galloway. “But our key question remained, ‘how much security is built
in here?’”

While mPOS systems in both the States and Europe displayed potential
gaps in security, a major concern for U.S.-based mobile merchants is
that they currently have less protection from some of these exploits
than their European counterparts since they make less use of EMV chip
transactions. Although 96 percent of credit cards in the United States
now boast a more secure chip, in addition to the traditional magnetic
stripe, only 13 percent of U.S.-based mPOS devices utilize the chip.
In Europe, where chip cards have been the standard for decades, about
95 percent of all mobile point-of-sale transactions are run using the
less exploitable chip.

Positive Technologies disclosed its findings to the vendors with which
it found flaws, and is working with these companies to patch the
vulnerabilities. And mPOS providers are already forging ahead to close
these security gaps: Since finding out its M010 mobile terminal had
serious vulnerabilities, Square moved up existing plans to drop
support for this reader and start converting its mobile merchants to a
more updated and secure Square contactless and chip reader, according
to a release from the company.