For The Love of Money: Finding & Exploiting Vulnerabilities in Mobile Point of Sales Terminals

At the beginning of last year, we had an ambitious project idea, to consider the security of Mobile Point of Sales terminals. This project started with just a two card readers and accounts. This quickly grew into a project involving seven card readers and four vendors across many different regions. During this process we looked at accounts and readers across the US and Europe, to try to understand how secure these devices really are. We surveyed some of the most popular devices and vendors on the market, which included; SumUp, iZettle, PayPal and Square.

The outcome was surprising; We found that more than half of all Mobile Point of Sales terminal are vulnerable to some form of attack method, and that all of the Mobile Point of Sales terminal providers are vulnerable in some way.

We identified two terminals with displays that are vulnerable to the sending of arbitrary commands. This attack vector can be used for social engineering to force a cardholder to use a less secure method of payment, such as mag-stripe. Or it may be used to display a “Payment declined” message as a means to make the cardholder to carry out additional transactions.

We identified five terminals that are vulnerable to amount modification for mag-stripe transactions. This vulnerability can be used by a fraudulent merchant to force a cardholder to approve a much higher value amount. During the transaction, the merchant displays a different, lower amount on the card reader, and another higher amount is sent to the Mobile Point of Sales provider for approval.

We found that two terminals are vulnerable to remote code execution. Once exploited, this vulnerability provides full access to the terminals operating system. After an attacker has obtained full access to the operating system, it is possible to intercept track 2 data before it is encrypted and to enable plain text mode (command mode) on the terminals PIN pad to collect PINs.
Hardware security mechanisms are generally sophisticated in these products, but many other aspects of the payment ecosystem are far less secure, such as the mobile ecosystem and enrolment processes.

Timur Yunusov and I have just completed our last conference presentation of our research on the security of Mobile Point of Sales terminals for this year. So this seems like a good time to upload all the materials associated with this research project.

I'm uploading the whitepaper along with a PDF version of the slides. You can also find links to recordings of presentation at various conferences. If you have any questions, contact me on twitter (@L_AGalloway) or leave your question in the comments below.

Video of presentation at DEFCON



Author image
About LA Galloway