A flaw in some of the most popular brands of mobile point of sales (MPOS) devices can allow hackers to grab control of the machines and harvest customer personal identification numbers (PIN) and credit card information, according to security researchers at a penetration testing firm.
“What we have found reveals that criminals can compromise MPOS payment terminals and get full control over it,” said Jon Butler, head of research at MWR InfoSecurity, in a statement. “This would allow an attacker to gather PIN and credit card data and even change the software on the device so that it accepts illegitimate payments.”
MWR Labs, the research arm of the company, was the organization that revealed in 2012 critical vulnerabilities in chip-and-PIN devices.
Researchers from MWR demonstrated at the Black Hat security conference in Las Vegas how hackers can gain entry into a POS device by inserting a specially programmed card, which allowed them to install and run a simplified version of the popular game Flappy Bird on the payment terminal. MWR had previously conducted the same demonstration at the SyScan security conference in Singapore.
In a real-world scenario, Butler said, hackers can pretend to purchase something and insert the card in an MPOS device to load code that can capture credit card details and customer PINs. An associate of the attacker can use the machine later on and insert a different card that will harvest the information.
MWR tested six popular MPOS devices that support the Europay, MasterCard and Visa (EMV) global standard for inter-operation of integrated circuit cards (IC cards or chip cards used for POS terminals) and credit and debit card transactions. The devices have a smart card reader and a PIN input pad and use micro USB and Bluetooth to communicate with payment apps on smart phones.
While the devices have different cases, many of the devices use the same platform, according to MWR. Butler said this potentially puts millions of customers worldwide at risk and said bankers and retailers should be wary of implementing the technology.
“MPOS is a promising technology with a growing market uptake, well suited for use in modern payment systems, but current implementations are now well designed from a security perspective,” according to an MWR researcher identified only as Nils. “It is critical to get security right early as there is a huge potential for fraud around the world.”