How the latest mPOS hacks made vendors more secure
After researchers exposed how hackable mobile point of sale systems are, vendors quickly shored up their defenses — while also blaming some vulnerabilities on payment methods they characterize as outdated.
iZettle, PayPal, SumUp, and Square all responded to the researchers' findings with unattributed statements saying they have fixed the vulnerabilities in question, while playing down the scope of any threat.
Researchers from Positive Technologies demonstrated at this month's Black Hat conference ways to hack seven mobile point of sale readers from Square, SumUp, PayPal and iZettle, which PayPal expects to own by the third quarter. The disclosure comes as billions in investments flow through the mobile point of sale industry.
Mobile point of sale terminals have been a lifeline for micromerchants and small businesses for most of the category's existence, but the companies behind this technology are taking on debt or shelling out billions of dollars in acquisitions to diversify services and reach a larger range of retailers. There is also security pressure on the industry, since PCI scope reduction is part of the appeal of mobile point of sale hardware.
The researchers demonstrated vulnerabilities enabling man-in-the-middle attacks, fake code, alteration of transaction values via the magnetic stripe, and remote attacks such as denial of service. Square did not provide an executive for an interview, but confirmed it has dropped Miura M010 readers in favor of contactless and chip card readers. Miura did not return a request for comment.
In a statement, Square said the M010 was offered as a stopgap, adding that Square accelerated plans to drop support for the M010 and transition to a free Square reader for contactless and chip. "It's important to note that this is not a vulnerability in any Square hardware or software, and we have no indication that any Square sellers have been impacted by it."
PayPal would not comment beyond a statement saying: "Security is a top priority at PayPal and we recognize the important role that researchers and our user community play in helping to keep PayPal secure. PayPal’s systems were not impacted and our teams have remediated the issues raised by the researcher."
iZettle, a Stockholm-based mPOS company that PayPal is in the process of buying, provided a similar response: "Security is paramount to iZettle. The issue flagged to us by the researcher is resolved, and the iZettle service and its community remain unaffected...At iZettle, we comply with the highest security standards in our industry. We perform thorough security checks of every merchant who wishes to use the iZettle service."
Like PayPal and iZettle, SumUp also issued an unattributed statement: "SumUp can confirm that there has never been any fraud attempted through its terminals using the magnetic stripe-based method outlined in this report."
SumUp added more detail, saying the "magnetic stripe" trick uses an obsolete technology that relies on signatures rather than PINs. It noted that less than 0.22% of SumUp's current transactions involve the magnetic stripe on cards. SumUp says it has "successfully" removed any possibility of such an attempt at fraud in the future.
The researchers partly place the blame on the low prices of mobile point of sale hardware, with some models offered for less than $100, which they say constrains the level of security built into the devices.
"Commonly the manufacturer and the vendor of the mobile point of sale terminal are separate," said Leigh-Anne Galloway, the cybersecurity resilience lead for Positive Technologies. "With an outside provider, there's less consideration for the ecosystem." There is also a compliance factor, in that companies rarely protect their systems beyond what compliance requires, Galloway said.
Square manufactures its own hardware, which reduces that risk, according to Galloway (Square confirmed it manufactures its hardware in-house). "If you manufacture your own product, there's more of a holistic consistency across the board," Galloway said.
Square faced similar allegations dating back to when its only product was a small magstripe reader that plugged into the audio jack of a smartphone. The rival terminal maker Verifone demonstrated how a rogue application paired with Square's device could turn it into a card skimmer; shortly thereafter, Square received an investment from Visa and began talking openly about plans to add encryption.
There is some good news, however: unlike the retailer data breaches of the past few years, these vulnerabilities in mobile point of sale systems were found by researchers rather than exploited by real crooks.
“Mobile point of sale certainly has seen its share of security challenges over the years, which is not surprising given the pace of innovation here,” said Julie Conroy, a research director at Aite Group. “I think what you have to keep in mind is that the Black Hat revelations were mostly based on lab exercises—we haven’t seen a lot of these exploits in the wild yet."