Hack mobile point-of-sale systems? Researchers count the ways






Security researchers uncovered widespread vulnerabilities in mobile point-of-sale readers offered by Square, SumUp, PayPal and iZettle.







































































Ever since the infamous and massive security breach at retailer Target nearly five years ago, more and more attention has focused on the potential flaws that can make payment systems vulnerable to digital attack.


And now, with payments increasingly shifting to mobile platforms, it appears that the potential for attack is shifting with them, to the mobile point-of-sale (mPOS) systems that let merchants accept card, and even cryptocurrency, payments on the go.


Presenting at the Black Hat USA information security conference last week in Las Vegas, prominent U.K. security researchers showcased recent research detailing the vulnerabilities they discovered in four of the most popular mPOS systems operating in both the United States and Europe. In what is believed to be the most comprehensive review of mPOS security to date, researchers from London-based Positive Technologies examined the inner workings of seven mPOS readers offered by Square, SumUp, PayPal and iZettle and found a host of potential ways to attack them.


In a live demonstration based on that work, Positive Technologies Cyber Security Resilience Lead Leigh-Anne Galloway and Senior Banking Security Expert Tim Yunusov showed vulnerabilities in these systems that could allow criminals to conduct man-in-the-middle attacks, send arbitrary commands to the reader through its Bluetooth connection or the system's mobile application, modify the payment amount for transactions authorized with a magnetic stripe card, exploit the reader's firmware, and achieve denial of service (DoS) or remote code execution (RCE). Furthermore, the presenters pointed out that most, if not all, of these attacks could be carried out without being detected by conventional anti-fraud or security tooling.


The type of attack depends on the attacker's goal. A criminal might send an arbitrary command to the reader as part of a larger social engineering attack aimed at getting the cardholder to run the transaction again through a less secure channel, such as a magnetic stripe swipe instead of a chip insert. By tampering with the transaction amount, an attacker could make a $5 transaction at the point of sale look like a $50 transaction to the cardholder's issuing bank. RCE lets an attacker read the device's memory, effectively turning an mPOS reader into a mobile skimmer from which cardholders' account data can be harvested.


“Normally, a [customer] goes into a business and interacts with the payment terminal directly, or hands their card to the merchant,” Galloway said during her Black Hat presentation, titled ‘For the love of money: finding and exploiting vulnerabilities in mobile point-of-sale systems’. “The transaction goes to the merchant acquirer, that talks to the issuer [bank]… But with the mPOS [transaction], there is no relationship directly with the merchant acquirer. [Merchants] work with the mPOS provider, who may or may not be assessing security risk.”


Unlike past testing, which focused on older card standards and on traditional stationary terminals that accept magnetic stripe cards, this research explored how newer payment standards such as near-field communication (NFC) and EMV chip cards, as well as mPOS hardware, software and processes, could be exploited. For smaller merchants, some of whom may not even operate a traditional storefront, the appeal of these mobile payment systems is ease of use and cost: businesses don't need to establish a merchant bank account, and mPOS devices can cost as little as $50. The mPOS terminal market is predicted to reach $55 billion by 2024, according to research from strategy consulting firm Global Market Insights.


Galloway said the research project, which began with the aim of investigating potential flaws in two systems from two vendors and quickly expanded, was initially inspired by reports of a group of Boston-based student hackers in 2015 who were able to exploit mPOS systems. “We had a basic understanding of the attack vectors,” said Galloway. “But our key question remained, ‘how much security is built in here?’”


While mPOS systems in both the United States and Europe showed potential gaps in security, a major concern for U.S.-based mobile merchants is that they currently have less protection from some of these exploits than their European counterparts, because they make less use of EMV chip transactions. Although 96 percent of credit cards in the United States now carry a chip in addition to the traditional magnetic stripe, only 13 percent of U.S.-based mPOS devices use the chip. In Europe, where chip cards have been standard for decades, about 95 percent of all mobile point-of-sale transactions are run using the less exploitable chip, whose cryptogram ties the transaction data, including the amount, to the card.
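The amount-tampering attack described above, and the reason the chip is harder to exploit than the stripe, can be seen in a small simulation. This is an added example, not code from Positive Technologies or from any of the vendors named in the article: HMAC-SHA256 stands in for the real EMV application cryptogram (ARQC) MAC, the card key is a fixed constant, the PAN 4111111111111111 is constructed sample data, and key derivation, CDOL parsing and ISO 8583 framing are all omitted. The `Card`, `Issuer`, `reader_transaction` and `tamper_amount` names are hypothetical.

```python
"""Why a magnetic-stripe transaction amount can be altered in transit but an
EMV chip transaction's cannot.  Simplified illustration (added here, not the
researchers' or any vendor's code): HMAC-SHA256 stands in for the EMV ARQC
MAC, the card key is a fixed constant, and the test PAN 4111111111111111 is
constructed sample data.  Key derivation, CDOL parsing and ISO 8583 framing
are omitted."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def encode_cdol(amount_cents, currency, atc, unpredictable_number):
    """Terminal-supplied data the chip signs (stand-in for EMV CDOL1 data)."""
    return f"{amount_cents:012d}|{currency}|{atc:05d}|".encode() + unpredictable_number


@dataclass
class Card:
    pan: str
    key: bytes      # secret shared with the issuer (hypothetical constant)
    atc: int = 0    # application transaction counter, increments per chip use

    def magstripe_swipe(self):
        # Track 2 data is static: PAN and expiry, nothing tied to this transaction.
        return {"pan": self.pan, "entry_mode": "magstripe", "track2": f"{self.pan}=2512"}

    def emv_generate_ac(self, amount_cents, currency, unpredictable_number):
        # GENERATE AC: the chip MACs the amount the terminal actually sent it.
        self.atc += 1
        data = encode_cdol(amount_cents, currency, self.atc, unpredictable_number)
        arqc = hmac.new(self.key, data, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "entry_mode": "chip", "amount": amount_cents,
                "currency": currency, "atc": self.atc,
                "un": unpredictable_number.hex(), "arqc": arqc.hex()}


class Issuer:
    """Issuing bank: knows each enrolled card's key and the last ATC it saw."""

    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enroll(self, card):
        self.keys[card.pan] = card.key
        self.last_atc[card.pan] = 0

    def authorize(self, request):
        pan = request["pan"]
        if pan not in self.keys:
            return False, "unknown card"
        if request["entry_mode"] == "magstripe":
            # Nothing in the message binds the amount to the card: taken on trust.
            return True, f"approved {request['amount']} (no cryptogram to check)"
        if request["atc"] <= self.last_atc[pan]:
            return False, "replayed ATC"
        data = encode_cdol(request["amount"], request["currency"],
                           request["atc"], bytes.fromhex(request["un"]))
        expected = hmac.new(self.keys[pan], data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, bytes.fromhex(request["arqc"])):
            return False, "ARQC mismatch: amount or other data altered after the card signed it"
        self.last_atc[pan] = request["atc"]
        return True, f"approved {request['amount']}"


def reader_transaction(card, amount_cents, currency="USD", use_chip=True):
    """Message the mPOS reader hands to the phone app for upload to the provider.
    use_chip=False also models a chip card processed by magstripe fallback."""
    if use_chip:
        return card.emv_generate_ac(amount_cents, currency, os.urandom(4))
    msg = card.magstripe_swipe()
    msg.update({"amount": amount_cents, "currency": currency})
    return msg


def tamper_amount(msg, new_amount_cents):
    """Man-in-the-middle between the app and the provider's server rewrites the amount."""
    forged = dict(msg)
    forged["amount"] = new_amount_cents
    return forged


def run_scenario(use_chip, tamper=True):
    """Cardholder sees $5.00 on the reader; the bank is asked for $50.00."""
    card = Card(pan="4111111111111111", key=bytes.fromhex("00112233445566778899aabbccddeeff"))
    issuer = Issuer()
    issuer.enroll(card)
    msg = reader_transaction(card, 500, use_chip=use_chip)
    sent = tamper_amount(msg, 5000) if tamper else msg
    return issuer.authorize(sent)


if __name__ == "__main__":
    for mode in (False, True):
        print("chip" if mode else "magstripe", "->", run_scenario(mode))
```

Run stand-alone, the tampered magstripe request is approved for 5000 cents while the tampered chip request is rejected, because the issuer recomputes the MAC over the amount it was asked to authorize and that no longer matches what the card signed. The model also shows the limit of the protection: the cryptogram only helps when the chip is actually used, so a reader that falls back to the stripe for chip cards (`use_chip=False`) is no better off than a stripe-only one, and the cryptogram does nothing against the other attack classes in the talk, such as arbitrary commands sent to the reader.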


Positive Technologies disclosed its findings to the affected vendors and is working with them to patch the vulnerabilities. mPOS providers are already moving to close these gaps: after learning that its M010 mobile terminal had serious vulnerabilities, Square moved up existing plans to drop support for this reader and to convert its mobile merchants to its newer contactless and chip reader, according to a release from the company.















































































































































































Copyright © 2018 IDG Communications, Inc.