Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Sunday, 29 January, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Positive Technologies details flaws in mPOS devices that could lead to fraud and theft

by The Gurus
August 13, 2018
in Editor's News
Banking security
Share on FacebookShare on Twitter

Positive Technologies researchers Leigh-Anne Galloway and Tim Yunusov today outlined at Black Hat a number of flaws they have discovered in mobile point-of-sale (mPOS) devices, which can allow fraudulent merchants to interfere with payments, changing the amount charged and forcing customers to use insecure payment methods, such as magstripe. The vulnerabilities have been discovered in a number of market-leading mPOS devices popular in both the U.S. and Europe—Square, SumUp, iZettle, and PayPal.

 

The use of mPOS devices has seen huge growth over the last few years as the barriers to entry to be provided a device and start accepting card payments are effectively zero. Like ATMs and traditional POS, they are at the end point of payment infrastructure, meaning they are very attractive and accessible to criminals for both the testing of these devices and in the movement of fraudulent money. The Positive Technologies researchers found vulnerabilities that allow attackers to execute man-in-the-middle transactions, send arbitrary code via Bluetooth and mobile applications, modify payment values for magstripe transactions, and exploit a remote code execution vulnerability.

 

mPOS devices work by communicating through a Bluetooth connection to a mobile application, which then sends data to the payment provider’s server. The researchers found that by intercepting the transaction it is possible to manipulate the amount value of magstripe transactions. A fraudulent merchant can gain access to the traffic, modify the amount that is presented to the customer on the card reader, forcing the customer to authorize an entirely different amount without being aware. Still only 58.5 percent of debit and credit cards in the U.S. are EMV-enabled, and, lower still, 41 percent of transactions are made in this way, making attacks against magstripe a very significant threat.

 

A number of the mPOS devices were also vulnerable to Remote Code Execution (RCE) attacks. With this vulnerability, it is possible to gain access to the whole operating system of the reader. In addition, it is possible to send arbitrary commands to some of the readers and influence the purchaser’s behavior. For example, fraudulent merchants can force customers to use a more vulnerable payment method (such as magstripe) or say that a payment was declined, encouraging the customer to make multiple payments.

 

Leigh-Anne Galloway of Positive Technologies said: “These days it’s hard to find a business that doesn’t accept faster payments. mPOS terminals have propelled this growth, making it easier for small and micro-sized businesses to accept non-cash payments. Currently there are very few checks on merchants before they can start using an mPOS device and less scrupulous individuals can therefore, essentially, steal money from people with relative ease if they have the technical know-how. As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”

 

Tim Yunusov of Positive Technologies further commented: “Anyone who is making a payment on an mPOS device should not make the transaction via magstripe, but instead use chip and pin, chip & signature, or contactless. Merchants should also assess the risk of any device they plan on integrating into their business. Those using cheaper devices need to take steps to mitigate the risk. There is no need to still be reliant on magstripe transactions. While the market for most of these products is currently not very mature, the popularity is growing so it is imperative that security is made a priority.”

 

The vulnerabilities were disclosed to all of the vendors and manufacturers within the scope of this research. Positive Technologies is assisting the affected parties to close the issues that were identified.

FacebookTweetLinkedIn
Tags: CybersecurityTechnology
ShareTweetShare
Previous Post

Phantom menace: mobile banking Trojan modifications reach all-time high

Next Post

Making the Cloud a Safe Space

Recent News

Data Privacy Day: Securing your data with a password manager

Data Privacy Day: Securing your data with a password manager

January 27, 2023
#MIWIC2022: Carole Embling, Metro Bank

#MIWIC2022: Carole Embling, Metro Bank

January 26, 2023
Lupovis eliminates false positive security alerts for security analysts and MSSPs

Lupovis eliminates false positive security alerts for security analysts and MSSPs

January 26, 2023
Threat actors launch one malicious attack every minute

Threat actors launch one malicious attack every minute

January 25, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information