Encryption's Not Enough to Thwart Hackers
The payments industry still has much to do before anyone can claim mobile payments are secure. Many merchants, consumers, and processors are mistakenly comfortable with notion that encryption equals full security.
Since a mobile device hack can lead to the same fines, brand degradation, and headaches as a traditional point of sale compromise, payment industry players should remain wary of promoting mobile point of sale as secure.
Mobile point of sale hardware such as dongles can easily fail through simple attacks. For example, at the recent DefCon hacker conference, an encrypted mobile point of sale system was hacked in less than 20 minutes, thanks to a behind-the-scenes app setting.
The hack happened like this: Many mobile point of sale dongles communicate with a smartphone through the audio port, hear each credit card as a millisecond of encrypted audio, and then transfer those encrypted audio blips to an app for processing.
The attackers created an app that listens to and records any sounds coming from the audio jack. If a merchant used a mobile processing dongle to process a $20 transaction, the mobile point of sale app and hacking app would both hear that credit cards sound blip. The difference is, the hacking app copies the encrypted sound. A hacker can then replay that copied audio to another smartphone with the same brand of mobile point of sale, and it will deposit another $20 into that open account.
Because that mobile point of sale brand's hardware recognizes the same encryption key, no decryption is needed to fraudulently process a second (or third, or fourth, or fifth) transaction.
Since hackers are smart enough to input hacking code into the latest and most popular apps and force the settings to listen to the audio port, an innocent-looking app could unsuspectedly hold malicious card-stealing intentions.
The malware threat is increasing quickly. In July 2013, a study conducted by Juniper found that mobile malware had increased an incredible 614% in a years time, while research from McAfee detailed how easy it is for crooks to abuse mobile app permissions.
The danger calls for extra software that protects mobile devices and commerce. In particular, payment providers and merchant acquirers that offer white label mobile point of sale products should deploy software that certifies no malware exists on the mobile device that can capture credit cards. It would also ensure that no two apps are running at the same time during a transaction, and would confirm the smartphone used in the mobile point of sale transaction has not been jail broken. The best security scenario includes encrypted mobile point of sale hardware in tandem with software-based mobile security.
The extra security is necessary because of the scope of stolen card theat. If a hacker obtains just one set of encryption/decryption keys, he or she has access to all mobile point of sale cardholder data for that point of sale system. Mobile-using merchants around the world could be vulnerable.
Brandon Benson is a SecurityMetrics P2PE QSA. Reach him at email@example.com.