PayPal, Square vulnerabilities impact mobile point-of-sale machines

Researchers have disclosed the existence of point-of-sale bugs which impact mobile payment services worldwide.

Security flaws in mobile point-of-sale (mPOS) devices from vendors including Square, SumUp, iZettle, and PayPal have been disclosed by researchers.

On Thursday at the Black Hat conference in Las Vegas, security experts from Positive Technologies said that vulnerabilities present in mPOS machines could allow unscrupulous merchants to raid the accounts of customers or attackers to steal credit card data.

According to researchers Leigh-Anne Galloway and Tim Yunusov, attackers behind the mobile till could not only change the amount charged to a credit card but also force customers to use other payment methods, such as magstripe, which can also be compromised more easily than chips for the purpose of data exfiltration.

A number of flaws were uncovered in popular mobile PoS software. These services are utilized in mobile card readers which have sprung up as an alternative and less expensive payment handler for small and medium-sized businesses.

The team discovered a set of vulnerabilities in the endpoint payment systems, including security flaws which permitted attackers to perform Man-in-The-Middle (MiTM) eavesdropping and attacks, the transfer of arbitrary code through Bluetooth and mobile applications, and the option to tamper with payment values for magstripe transactions.

These attackers were made possible due to how mPOS systems work. These devices communicate via Bluetooth to mobile apps, which then send data to payment provider servers.

However, by intercepting transactions, it is possible to manipulate values, as well as gain access to transaction traffic.

In addition, attackers are also able to remotely execute code on compromised systems. The researchers say that through this security flaw, hackers can gain access to the full operating system of a card reader, as well as tamper with how a purchase looks -- potentially allowing malicious merchants to change the values or make it appear that a transaction has been declined.

See also: Nigelthorn malware steals Facebook credentials, mines for cryptocurrency

"Currently there are very few checks on merchants before they can start using a mPOS device and less scrupulous individuals can, therefore, essentially, steal money from people with relative ease if they have the technical know-how," Galloway said. "As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning."

The vulnerabilities have been disclosed to the vendors mentioned. Positive Technologies is working with the companies to fix the security holes.

As reported by sister site CNET, Square said third-party sales system Miura M010 Reader, which connects to Square's software, was vulnerable to attack.

As a result, Square has "accelerated existing plans to drop support for the M010 Reader, and began transitioning all these Square sellers to a free Square Contactless and Chip Reader," according to a company spokesperson.

In addition to the mPOS findings, the cybersecurity firm also revealed two vulnerabilities, CVE-2017-17668 and CVE-2018-5717 which impact ATMs manufactured by NCR.

TechRepublic: POS 2.0 the New Era of Smart Point-of-Sale

The security flaws permitted attackers to conduct black box attacks by taking advantage of poor physical security to compromise the network and force ATMs to spew cash.

NCR has released firmware patches to address the vulnerabilities.

Previous and related coverage