According to research presented at the Black Hat security conference in Las Vegas, these vulnerabilities allow fraudulent merchants to steal credit card information or intercept transactions to steal funds from customers.
Positive Technologies researchers Leigh-Anne Galloway and Tim Yunusov said that mPOS devices supplied by PayPal, iZettle, SumUp and Square all contained flaws that could lead to customers being tricked into paying more for their purchases.
These systems are usually linked via Bluetooth to a smartphone or tablet mobile app, which then sends data to the payment providers server. Researchers found that criminals could intercept this traffic and change the value being transferred during a magstripe payment, without alerting the customer.
Hackers typically target cheaper devices, which tend not to be compatible with the latest secure payment options, such as EMV-enabled chip and pin. Only 59% of card readers in the US are compatible with EMV payments, and the majority of payments are still made using a magstripe and signature, according to the researchers.
It was also discovered that it was possible to use remote code execution attacks to gain access to a device’s operating system. As a result, criminals could manipulate those devices that do use more secure chip and pin methods by making it look as if the payment method wasn’t working, forcing the customer to opt for a magstripe instead.
The researchers said that Square, PayPal, iZettle and SumUp had all been informed of the vulnerabilities and that Positive Technologies was working with them to help secure the devices.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now