Researchers Warn of Vulnerabilities in mPOS Devices

mPOS machines through which customers make payments with credit or debit cards could be vulnerable to man-in-the-middle (MITM) attacks.

If you use your credit or debit cards multiple times a day, you might be under the assumption that the mobile point of sale machine (mPOS) used by the store or vendor is safe and you will be debited only the amount you shopped for.

However, researchers from Positive Technologies, a cybersecurity firm, found that this may not be the case.

They recently presented their findings on mPOS security vulnerabilities at the Black Hat USA conference in Las Vegas.

mPOS Machines Could be Compromised

Detailing the vulnerability in mPOS devices, the Positive Technologies researchers explained that when a credit or debit card is swiped on the device, the device relies on a Bluetooth connection to transmit the data to the bank or the card issuer, obtain the approval and issue a receipt.

This is the window that an attacker exploits to intercept the data and cause damage.

This kind of “man in the middle” (MITM) attack can be used to modify the amount being requested, or to simply extract the data, including the card details.

Machines of Specific Device Suppliers Named

The Positive Technologies research team even singled out a few names in their presentation—PayPal, Square, SumUp and iZettle.

Individual vendors themselves can also be involved in this manipulation and it is up to the customers to be vigilant and take the due precautions.

The other finding by the research team is that the devices which use the magstripe process for transactions are more vulnerable to security breaches.

The EMV process—where your card has an embedded chip inserted in the slot on the mPOS device to read and accept payment instruction—is considered safer than the older way of swiping the card—when the magnetic strip on the card is swiped through a slot and the device reads the data in the strip.

This magstripe process is still being employed across the United States in more than half the card transactions carried out.

There have been cases detected of merchants using certain tricks to dupe customers. They may swipe the card a few times and tell the customer the mPOS machine is not accepting their card.

The act of swiping the card multiple times allows the criminal to steal the card data that can be misused elsewhere.

Even remote code execution is feasible with some of the older generation machines. Many small shop owners try to cut corners and go for cheaper alternatives when it comes to their mPOS machine and end up paying a heavy price later for their decision.

Solutions to This Problem

Having identified the vulnerability, it is essential to let people know how it can be mitigated as well. Nobody is arguing that mPOS machines should not be used, or that people should switch back to conventional cash payments at retail outlets instead of paying by card. However, there are a few steps each stakeholder in this ecosystem has to take.

The best way is to make the payment through a contactless method. Using a PIN with a chip-embedded card can possibly be an ideal solution if the vendor or merchant establishment is equipped to handle it.

That brings the onus on the merchants into focus. They must insist that the machine providers give them a safe and secure mPOS device, and the hardware must be thoroughly checked.

Being able to confirm that the data is transmitted in encrypted form would be quite useful.

Finally, can the authorities look the other way when such fraudulent activities are happening on mPOS devices? As things stand, there is absolutely no way to verify that the merchant establishments are using devices that provide protection to the personal card data that is transmitted through the devices they own.

The least that could be done is to deploy some kind of a flash squad that is entrusted with making surprise checks on vendors and if they are found guilty, the penalties must be severe.

That’s the only way the losses due to mPOS machines’ vulnerabilities can be minimized.
