All manner of shops, pop-ups and market stalls are using cheap mobile point-of-sale systems, those card readers that look a little like calculators made for infants.
Hacking them might not be child’s play, but as benevolent hackers from cybersecurity company Positive Technologies revealed Thursday, it’s certainly possible. And their attacks could drain shoppers’ bank accounts.
They tested a range of devices shipped by some of the best-known payment companies in the world, PayPal and Square, as well as up-and-coming players iZettle and SumUp. Two versions of the same reader were found to be vulnerable to hacks that could steal PIN numbers in plain text.
Those two were the PayPal and Square readers based on a model from manufacturer Miura. In particular, Positive researchers Leigh-Anne Galloway and Tim Yunusov discovered an old version of the Miura device’s firmware (the core code at the heart of the reader) contained a vulnerability allowing a hacker to access the card reader’s file system.
The attackers would also have to rely on the terminal failing to update to later, more secure versions. But the researchers said they could stop the device checking for updates or could drop all connections that tried to install newer firmware.
Demonstrating the attacks to Forbes ahead of their talk at the Black Hat conference in Las Vegas this week, Galloway and Yunusov chose not to do anything malicious, but to instead install an image of the Nyan Cat on the Miura M010 reader.
In a real-world scenario, a successful attack where the firmware was downgraded and exploited would take between five and ten minutes, said Yunusov. That may be unrealistic in some settings, especially where the merchant has access to the reader, but Galloway said it would be entirely reasonable in others. “My physio takes place in a posh gym, where they have a Miura reader completely open all the time. You could sit there and completely carry out ... this kind of attack.”
Square said that once it learned of the flaws it accelerated plans to move customers off the Miura device. Though it was only used by a couple of hundred clients in the last month, the Miura machine was being phased out as of August 1 and all affected sellers were being given a free Square-made reader. “As a result, today it is no longer possible to use the Miura Reader on the Square ecosystem. It’s important to note that this is not a vulnerability in any Square hardware or software, and we have no indication that any Square sellers have been impacted by it,” a spokesperson said.
A PayPal spokesperson said the company had updated Miura devices to prevent attacks. “PayPal’s systems were not impacted and our teams have remediated the issues raised by the researcher.”
Miura said it had put measures in place to prevent such attacks and that it had contacted partners to ensure they were running the latest software. “In respect to downgrading of the device, a number of our partners have already implemented controlled processes within their solution that prevent the active downgrade of the Miura hardware application and as standard do not make older versions of application available via online services,” added Andrew Dark, chairman at Miura.
The Miura hack wasn’t the Positive researchers’ only trick. They also detailed hacks that a fraudulent merchant could use to surreptitiously alter the amount charged to customers, so that it differs from the amount displayed on the screen of the reader. In such a case, a fraudulent seller would have to intercept encrypted traffic going between mobile devices, the reader and the server managing payments. They could then alter the value of a transaction.
“This vulnerability can be used by a fraudulent merchant to force a cardholder to approve a much higher value amount,” the researchers wrote in their paper.
The PayPal and Square Miura devices were affected by that hack, alongside readers from SumUp, Square and iZettle.
Square said it had actually detected the researchers’ attempts to alter the payment amount and blocked the apparent fraud. It would do likewise in cases where real fraudsters attempted the attack, a spokesperson explained.
An iZettle spokesperson said: “The potential issue flagged to us by the researcher was resolved immediately. We are also aware of some other findings, and we are reviewing these. The iZettle service and its community remain unaffected and secure.”
SumUp noted that the attack only worked where mag-stripe transactions were taking place. A spokesperson said SumUp “removed any possibility of such an attempt at fraud in the future” after the flaws were disclosed. “It is clear that this reveals more about the limitations of increasingly obsolete magnetic stripe technology than problems with card terminal systems,” the spokesperson said.
But as long as vulnerable devices remain in use, malicious merchants remain a real threat, according to Galloway. “That’s the real issue with these kinds of attacks: What can a fraudulent merchant do? Will they get caught? The answer is, in some cases, they won’t get caught for a long time.”
Got a tip? Get me on Signal on +447837496820 or use SecureDrop to tip anyone at Forbes. Email at TFox-Brewster@forbes.com or firstname.lastname@example.org for PGP mail.