All manner of shops, pop-ups and market stalls are using cheap mobile point-of-sale systems, those card readers that look a little like calculators made for infants.
They tested a range of devices shipped by some of the best-known payment companies in the world, PayPal and Square, as well as up-and-coming players iZettle and SumUp. Two versions of the same reader were found to be vulnerable to hacks that could steal PIN numbers in plain text.
Those two were the PayPal and Square readers based on a model from manufacturer Miura. In particular, Positive researchers Leigh-Anne Galloway and Tim Yunusov discovered an old version of the Miura device’s firmware (the core code at the heart of the reader) contained a vulnerability allowing a hacker to access the card reader’s file system.
There were some limitations to the attack on the Miura M010 model. For starters, the hackers would have to find a way to downgrade the firmware to the older, vulnerable version. That was possible through another hack discovered and detailed by Galloway and Yunusov in a paper released Thursday.
The attackers would also have to rely on the terminal failing to update to later, more secure versions. But the researchers said they could stop the device checking for updates or could drop all connections that tried to install
Demonstrating the attacks to Forbes ahead of their talk at the Black Hat conference in Las Vegas this week, Galloway and Yunusov chose not to do anything malicious, but to instead install an image of the Nyan Cat on the Miura M010 reader.
In a real-world scenario, a successful attack where the firmware was downgraded and exploited would take between five and ten minutes, said Yunusov. That may be unrealistic in some settings, especially where the merchant has access to the reader, but Galloway said it would be entirely reasonable in others. “My physio takes place in a posh gym, where they have a Miura reader completely open all the time. You could sit there and completely carry out ... this kind of attack.”
Square said that once it learned of the flaws it accelerated plans to move customers off the Miura device. Though it was only used by a couple of hundred clients in the last month, the Miura machine was being phased out as of August 1 and all affected sellers were being given a free Square-made reader. “As a result, today it is no longer possible to use the Miura Reader on the Square ecosystem. It’s important to note that this is not a vulnerability in any Square hardware or software, and we have no indication that any Square sellers have been impacted by it,” a spokesperson said.
A PayPal spokesperson said the company had updated Miura devices to prevent attacks. “PayPal’s systems were not impacted and our teams have remediated the issues raised by the researcher.”
Miura said it had put measures in place to prevent such attacks and that it had contacted partners to ensure they were running the latest software. “In respect to
The Miura hack wasn’t the Positive researchers’ only trick. They also detailed hacks that could be used by a fraudulent merchant to surreptitiously alter the amount charged to customers, different to that displayed on the screen of the reader. In such a case a fraudulent seller would have to intercept encrypted traffic going between mobile devices, the reader and the server managing payments. They could then alter the value of a transaction.
“This vulnerability can be used by a fraudulent merchant to force a cardholder to approve a much higher value amount,” the researchers wrote in their paper.
The PayPal and Square Miura devices were affected by that hack, alongside readers from SumUp, Square and iZettle.
Square said it had actually detected the researchers’ attempts to alter the payment amount and blocked the apparent fraud. It would do the same in cases where real fraudsters were trying to do the same, a spokesperson explained.
An iZettle spokesperson said: “The potential issue flagged to us by the researcher was resolved immediately. We are also aware of some other findings, and we are reviewing these. The iZettle service and its community remain unaffected and secure.”
SumUp noted that the attack only worked where mag-stripe transactions were taking place. A
But as long as vulnerable devices remain in use, malicious merchants remain a real threat, according to Galloway. “That’s the real issue with these kinds of attacks: What can a fraudulent merchant do? Will they get caught? The answer is, in some cases, they won’t get caught for a long time.”