A point-of-sale security vulnerability impacting mobile payment services across the globe was discovered by researchers from Positive Technologies.
Thursday, during the Black Hat USA conference that was held in Las Vegas, NV, security researchers stated that vulnerabilities in mobile point-of-sale or mPOS devices could essentially enable devious merchants to invade their customers’ accounts and/or hackers to pilfer credit and other payment card info.
Researchers Tim Yunusov and Leigh-Anne Galloway said that hackers could both alter the amount of money charged to a customer’s payment card and force their consumers to pay with other methods, like Magstripe. It’s is actually easier for Magstripe to be compromised for data extraction purposes than chips.
Numerous flaws were discovered in commonly-used mobile PoS services. The software is used in mobile payment card readers that have become popular as less costly and alternative payment methods among small businesses as well as medium-sized businesses.
An array of vulnerabilities in endpoint payment services were discovered by the security team. These include security flaws that permit hackers to carry out MiTM or Man-in-the-middle eavesdropping and other attacks. Vulnerabilities were also found in the transmission of arbitrary code via mobile and Bluetooth apps and the ability to interfere with payment amounts of transactions made via magstripe.
The way that mPOS services function is what makes the attacks possible. They communicate through Bluetooth to mobile applications that send info to the servers of the payment provider. But, payment amounts can possibly be manipulated by intercepting the transactions. Also, access to transaction traffic can be gained by an attacker.
“Currently there are very few checks on merchants before they can start using a mPOS device and less scrupulous individuals can, therefore, essentially, steal money from people with relative ease if they have the technical know-how. As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”
These vendors have been notified of these vulnerabilities and they are working with Positive Technologies to patch these security flaws.
Comments on this article? Please leave them below: