At yesterday’s final day of Black Hat USA 2018, researchers from Positive Technologies demonstrated how attackers could exploit flaws in mobile point-of-sale (mPOS) devices to charge fraudulent transactions and alter the amount charged during a transaction.
The flaws enabled attackers to carry out man-in-the-middle attacks on transactions, send arbitrary commands to the reader over Bluetooth or through the companion mobile application, and change the payment amount for magstripe transactions. Researchers Leigh-Anne Galloway and Tim Yunusov also found that some of the mPOS readers are vulnerable to remote code execution (RCE), which gives an attacker control of the reader’s entire operating system.
The researchers discovered the vulnerabilities in mPOS readers from four market-leading providers – Square, SumUp, iZettle and PayPal – and have disclosed the vulnerabilities to all of the providers.
The use of mPOS has grown in the last few years. mPOS readers sit at the very endpoint of the payment infrastructure, yet there is almost no barrier to entry: anyone can obtain a reader and begin accepting card payments. That combination makes mPOS providers and their readers attractive targets for criminals.
“These days it's hard to find a business that doesn't accept faster payments. mPOS terminals have propelled this growth, making it easier for small and micro-sized businesses to accept noncash payments,” Galloway said.