For the Love of Money: Finding and Exploiting Vulnerabilities in Mobile Point of Sales Systems

Conference: Black Hat USA 2018



The presentation discusses the findings of a project that assessed the security of mobile card readers from several vendors. Over half of the readers were affected by vulnerabilities, and every vendor was affected by at least one finding. The presentation recommends that manufacturers build strong security practices into their development process and that merchants avoid swipe (mag-stripe) transactions.
  • Over half of the card readers assessed were affected by vulnerabilities
  • All vendors were affected by the findings
  • Manufacturers should implement strong security practices in the development process
  • Merchants should avoid swipe transactions
The project started with just two card readers but quickly grew to encompass seven readers, four vendors, and two regions. For some readers, it was possible to send arbitrary commands to the device's display, allowing a fraudulent merchant to socially engineer cardholders into carrying out additional payments. Additionally, for certain transaction types, it was possible to modify the value of the transaction: a much lower amount was sent to the reader's screen while the cardholder actually authorized a much higher value.


These days it's hard to find a business that doesn't accept faster payments. Mobile Point of Sales (mPOS) terminals have propelled this growth by lowering the barriers for small and micro-sized businesses to accept non-cash payments. Older payment technologies like mag-stripe still account for the majority of all in-person transactions. This is complicated further by the introduction of new payment standards such as NFC. As with each new iteration in payment technology, weaknesses are inevitably introduced into this increasingly complex payment ecosystem.

In this talk, we ask what the security and fraud implications are of removing the economic barriers to accepting card payments, and what risks are associated with continued reliance on old card standards like mag-stripe. In the past, testing for payment attack vectors has been limited to the scope of individual projects and to those with permanent access to POS and payment infrastructure. Not anymore!

In what we believe to be the most comprehensive research conducted in this area, we consider four of the major mPOS providers spread across the US and Europe: Square, SumUp, iZettle, and PayPal. We provide live demonstrations of new vulnerabilities that allow you to MitM transactions, send arbitrary code via Bluetooth and the mobile application, modify payment values for mag-stripe transactions, and exploit a firmware vulnerability that escalates from DoS to RCE. Using this sampled geographic approach, we are able to show the current attack surface of mPOS and to predict how it will evolve over the coming years.

For audience members interested in integrating testing practices into their organization or research, we will show you how to use mPOS to identify weaknesses in payment technologies, and how to remain undetected in spite of anti-fraud and security mechanisms.