Vulnerabilities in Square and PayPal affect mobile points of sale

Bugs in many point-of-sale products compromise mobile payment systems

Several vulnerabilities in mobile point of sale (mPOS) device software have been disclosed. This software is used in mobile card readers, which have emerged as an alternative and less expensive payment option for small and medium-sized businesses.

Researchers in enterprise network security have revealed security flaws in different mPOS devices from vendors such as Square, SumUp, iZettle and PayPal that would compromise the privacy of users' data.

Last Thursday, enterprise network security experts discussed vulnerabilities present in mPOS machines that could allow unscrupulous business owners to attack customer accounts or to extract credit card data.

According to the researchers, attackers operating these devices could not only change the amount charged to a credit card, but could also force customers to use other payment methods, such as the magnetic stripe, which could be compromised more easily than a chip to extract payment card data.

The enterprise network security team discovered different types of vulnerabilities in mPOS device systems, including security flaws that allow hackers to perform variants of man-in-the-middle (MitM) attacks, transfers of arbitrary code via Bluetooth and mobile apps, and the option to manipulate payment values for magnetic stripe transactions.

These attacks were possible because of how mPOS systems work. The devices connect to mobile apps via Bluetooth, and the app then sends payment data to the servers; by intercepting transactions, anyone can manipulate values, as well as access transaction traffic data.
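One way a payment server can detect values changed between the reader and the server, shown as an added example that is not code from the researchers or from any vendor named here. It assumes the reader firmware is intact and holds a per-device key the mobile app never sees; the field names, `reader_sign` and `server_verify` are hypothetical.

```python
import hashlib
import hmac
import json

# Assumption: a per-reader key provisioned by the payment server; the mobile
# app only relays messages and never holds it. Constructed demo value.
READER_KEY = b"constructed-demo-key"
FIELDS = ("txn_id", "amount_minor", "currency", "entry_mode")

def _mac(fields: dict, key: bytes) -> bytes:
    # Canonical JSON so reader and server authenticate identical bytes.
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).digest()

def reader_sign(txn_id, amount_minor, currency, entry_mode, key=READER_KEY):
    """Reader side: authenticate the amount shown and the entry mode used."""
    fields = dict(zip(FIELDS, (txn_id, amount_minor, currency, entry_mode)))
    return {**fields, "mac": _mac(fields, key).hex()}

def server_verify(msg, seen_ids, key=READER_KEY):
    """Server side: return 'accept' or the reason the message is rejected."""
    try:
        fields = {name: msg[name] for name in FIELDS}
        given = bytes.fromhex(msg["mac"])
        expected = _mac(fields, key)
    except (KeyError, TypeError, ValueError):
        return "reject: malformed"
    if not hmac.compare_digest(expected, given):
        return "reject: bad mac"          # a field changed after the reader
    if fields["txn_id"] in seen_ids:
        return "reject: replay"           # same signed message sent twice
    seen_ids.add(fields["txn_id"])
    return "accept"

if __name__ == "__main__":
    seen = set()
    honest = reader_sign("t-1001", 1250, "EUR", "chip")        # constructed
    inflated = {**reader_sign("t-1002", 1250, "EUR", "chip"),
                "amount_minor": 125000}                         # altered in transit
    downgraded = {**reader_sign("t-1003", 1250, "EUR", "chip"),
                  "entry_mode": "magstripe"}                    # altered in transit
    for label, m in (("honest", honest), ("replayed", honest),
                     ("inflated", inflated), ("downgraded", downgraded)):
        print(label, "->", server_verify(m, seen))
```

This check covers only tampering in the Bluetooth and app relay path; it offers nothing once code runs on the reader itself, since the key is then exposed.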

As if that were not enough, attackers can also remotely run code on compromised systems. Enterprise network security researchers from the International Institute of Cyber Security say that through this security flaw, hackers can access the full operating system of a card reader, as well as alter the purchase information.

The vulnerabilities have been reported to the companies involved. Consultants in enterprise network security are already working with them to resolve the security issues.

It is believed that these security flaws would have allowed attackers to perform ATM withdrawals.