The tiny, portable credit card readers you use to pay at farmer's markets, bake sales, and smoothie shops are convenient for consumers and merchants alike. But while more and more transactions are passing through them, devices sold by four of the leading companies in the space—Square, SumUp, iZettle, and PayPal—turn out to have a variety of concerning security flaws.
Leigh-Anne Galloway and Tim Yunusov from the security firm Positive Technologies looked at seven mobile point of sale devices in all. What they found wasn't pretty: bugs that allowed them to manipulate commands using Bluetooth or mobile apps, modify payment amounts in magstripe swipe transactions, and even gain full remote control of a point of sale device.
"The very simple question that we had was how much security can be embedded in a device that costs less than $50?" Galloway says. "With that in mind we started off quite small by looking at two vendors and two card readers, but it quickly grew to become a much bigger project."
All four manufacturers are addressing the issue, and not all models were vulnerable to all of the bugs. In the case of Square and PayPal, the vulnerabilities were found in third-party hardware made by a company called Miura. The researchers are presenting their findings Thursday at the Black Hat security conference.
The researchers found that they could exploit bugs in the devices' Bluetooth and mobile app connectivity to intercept transactions or modify commands. The flaws could allow an attacker to disable chip-based transactions, forcing customers to fall back to a less secure magstripe swipe, which makes it easier to steal card data and clone customer cards.
Alternatively, a rogue merchant could make the mPOS device