Hacking a payment terminal

Teacher
Payment terminals from the two largest manufacturers, Verifone and Ingenico, have been found to contain multiple vulnerabilities that make it easier to steal bank card details. Updates that fix the issues are available now; they should be obtained and installed by contacting your vendor, bank, or service provider. The vulnerabilities were discovered by a team of Positive Technologies experts. The large-scale study was launched two years ago, and the results were presented at the just-concluded Black Hat Europe conference, which this year was held as a purely virtual event.

In Telium 2 PoS terminals manufactured by Ingenico, the researchers discovered ten vulnerabilities of varying severity. The most dangerous of them, CVE-2018-17773, received 8.3 points on the CVSS scale. It is caused by an incorrect implementation of the NTPT3 protocol that leads to a buffer overflow; an attacker could exploit it to gain maximum privileges on the system. The other Telium 2 vulnerabilities relate to a password embedded in the code, a way to bypass restrictions on reading files, and arbitrary code execution.

Exploiting most of them, according to the experts, requires physical access to the device. Some flaws can be exploited remotely, and in combination they allow an attacker to take complete control of the device. The patches are included in the Telium 2 SDK v9.32.03 patch N.

Eight vulnerabilities were found in Verifone POS terminals; the most dangerous of them (CVE-2019-14711) is rated 8.8 points on CVSS. It is caused by a race condition and allows an attacker to bypass Role Based Access Control (RBAC). The remaining problems relate to hard-coded passwords, buffer overflows, privilege escalation, encryption bypass, and the injection of malicious code. In the latter case the attack is possible only with physical access to the device: the attacker has to connect to the terminal via USB in order to install a sniffer that captures the required information. Such an operation, according to the experts, takes from five to ten minutes. The vulnerabilities found affect Verifone MX, VX and UX series devices. Commenting on their findings for Forbes, the researchers presented evidence that a PoS terminal could be completely compromised:


According to experts, the vulnerabilities they found affect millions of payment terminals. According to internal statistics, Verifone does business in more than 150 countries. Its PoS systems process 7.6 billion transactions annually. Another market leader, Ingenico, produces over 12 million PoS devices annually; the company currently has a user base of over 40 million installations. Ingenico services are used by 160 thousand merchants and more than 1,000 acquiring banks.

Card payments are becoming more and more popular. Mobile payment terminals (mPOS terminals) contribute to this trend by lowering the barriers to entry into the card payment market for small firms and private entrepreneurs. However, under certain conditions, transactions can still be carried out in many countries (including Russia) using the magnetic stripe. Each new round of technological progress threatens the payments ecosystem. What security problems can easier access to the card payment market lead to? And what are the risks of continuing to rely on old card technology, in particular the magnetic stripe?

In recent years, the number of transactions carried out using mPOS terminals has increased significantly. Intense competition among mPOS providers has made it extremely easy to get such a payment terminal. Signing a contract takes less than five minutes, and the mPOS terminals themselves are often provided free of charge. Now they can be seen everywhere. Like conventional POS terminals, they are the final link in the payment infrastructure. This makes them interesting and easily accessible to attackers.

Field of study
We evaluated the products of the leading mPOS terminal suppliers: PayPal, Square, iZettle and SumUp. Some of them provide services in several regions of the world. Where possible, we tried to get access to services in different regions, since the payment process, applications and devices, as well as security settings, differ depending on the location.

Supplier | Manufacturer  | Terminal                                        | Region
Square   | Square        | Contactless and chip card terminal, Square (S8) | USA
Square   | Square        | Magnetic card terminal, Square (S4)             | USA
Square   | Square        | Contactless and chip card terminal, Square (S8) | Europe
Square   | Square        | Magnetic card terminal, Square (S4)             | Europe
Square   | Miura Systems | Miura M010                                      | USA
SumUp    | (not public)  | AIR1 E001                                       | Europe
iZettle  | DATECS        | YRWCRAY                                         | Europe
iZettle  | DATECS        | aRWCRAY                                         | Europe
Manufacturers and suppliers of mPOS terminals

[Figure: mPOS terminals]

We analyzed device security in five categories:
  • communication between the phone and the payment system server;
  • communication between the phone and the mPOS terminal;
  • physical protection mechanisms of the mPOS terminal;
  • mobile app;
  • additional factors affecting security, in particular verification at registration.

[Figure: The main directions of research]

Payment process
We have studied in detail the attack vectors and card payment security issues. The vulnerabilities we have discovered endanger the basic functionality of the mPOS terminal.

The main difference between mPOS and conventional POS terminals is that the merchant is not directly associated with the acquiring bank. Instead, mPOS providers act as payment aggregators that charge a transaction fee. Such payment services cannot always guarantee the level of security provided by the acquiring bank. mPOS providers minimize security risks in their own way, often shifting responsibility for fraud to the acquiring bank. It is important to understand that such payment aggregators are themselves merchants from the point of view of the acquiring bank they interact with.

[Figure: Payment process via mPOS terminal]

Risks when paying by card
There are various ways to make card payments. They depend on the payment system, the issuer and the country of issue. During the transaction, the card transmits a list of supported cardholder verification methods (the CVM list), which describes the supported methods and their priority. The CVM list also regulates what should happen if the chosen method does not work. The terminal stores a configuration file that likewise describes the verification methods it supports. The terminal compares the two lists and tries to execute the transaction using the highest-priority method they have in common. The priority method should provide a high degree of assurance that the cardholder was present when the transaction was performed.

Some types of payments are obviously more secure than others. Payment with a chip card and PIN is considered the safest method because it provides a high degree of assurance that the transaction has been approved by the cardholder. Magnetic stripe is considered a less secure technology because an attacker can easily clone the magnetic stripe and the Track2 data stored on it and forge the cardholder's signature. Transactions carried out using the magnetic stripe do not provide assurance that the cardholder was actually present at the transaction. Unlike transactions with cards that support the EMV standard, transactions using a magnetic stripe are carried out without a cryptogram. This means that such operations do not ensure the integrity and authenticity of the transaction during its execution.
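As an added illustration (not code from the article or from the researchers), the following Python walks a card's CVM list against the methods a terminal is configured to support, in the way the section above describes: rules are tried in the card's priority order, a rule whose condition is not met is skipped, and a rule the terminal cannot perform either falls through to the next rule or fails the whole process depending on its fallback bit. The two-byte rule encoding follows the public EMV CVM List format; the sample list, the terminal capability sets and the amounts are constructed for the demonstration, and only a subset of the condition codes is modelled.

```python
"""Simplified EMV CVM List processing: pick the cardholder verification
method a terminal will use for a transaction.

Added illustration, not code from the article. Rule encoding follows the
EMV CVM List format (Amount X, Amount Y, then two-byte rules); the sample
list and capability sets below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional, Set

# CVM codes (low six bits of the rule's first byte)
CVM_FAIL = 0x00                   # fail CVM processing
CVM_PLAINTEXT_PIN_ICC = 0x01      # offline plaintext PIN verified by the chip
CVM_ENCIPHERED_PIN_ONLINE = 0x02  # PIN verified online by the issuer
CVM_SIGNATURE = 0x1E              # paper signature
CVM_NO_CVM = 0x1F                 # no cardholder verification required
CVM_NAMES = {
    CVM_FAIL: "fail CVM",
    CVM_PLAINTEXT_PIN_ICC: "plaintext PIN (offline)",
    CVM_ENCIPHERED_PIN_ONLINE: "enciphered PIN (online)",
    CVM_SIGNATURE: "signature",
    CVM_NO_CVM: "no CVM",
}
FLAG_APPLY_NEXT_IF_FAIL = 0x40    # bit 7 of the first byte: try the next rule on failure

# Condition codes (second byte) modelled here; any other code is treated as not met
COND_ALWAYS = 0x00
COND_IF_TERMINAL_SUPPORTS = 0x03
COND_UNDER_X = 0x06               # transaction in application currency and under Amount X
COND_OVER_X = 0x07


@dataclass
class CvmResult:
    method: Optional[int]   # selected CVM code, or None if CVM processing failed
    name: str
    reason: str


def condition_holds(cond: int, method: int, supported: Set[int],
                    amount_minor: int, amount_x: int) -> bool:
    """Evaluate one rule's condition; unmodelled conditions count as not met."""
    if cond == COND_ALWAYS:
        return True
    if cond == COND_IF_TERMINAL_SUPPORTS:
        return method in supported
    if cond == COND_UNDER_X:
        return amount_minor < amount_x
    if cond == COND_OVER_X:
        return amount_minor > amount_x
    return False


def select_cvm(cvm_list: bytes, supported: Set[int], amount_minor: int) -> CvmResult:
    """Walk the card's rules in priority order and return the first usable one.

    A rule whose condition is not met is skipped. A rule whose condition is met
    but whose method the terminal cannot perform counts as unsuccessful, and
    processing continues only if that rule's fallback bit is set.
    """
    if len(cvm_list) < 8 or (len(cvm_list) - 8) % 2:
        raise ValueError("malformed CVM List")
    amount_x = int.from_bytes(cvm_list[0:4], "big")
    rules = cvm_list[8:]  # Amount Y (bytes 4..7) is not used by the conditions modelled here
    for index in range(0, len(rules), 2):
        first, cond = rules[index], rules[index + 1]
        method = first & 0x3F
        fallback_allowed = bool(first & FLAG_APPLY_NEXT_IF_FAIL)
        if not condition_holds(cond, method, supported, amount_minor, amount_x):
            continue
        if method == CVM_FAIL:
            return CvmResult(None, CVM_NAMES[CVM_FAIL], f"rule {index // 2} forces failure")
        if method in supported:
            return CvmResult(method, CVM_NAMES.get(method, hex(method)), f"rule {index // 2} applied")
        if not fallback_allowed:
            return CvmResult(None, "fail CVM", f"rule {index // 2} unsupported, no fallback")
    return CvmResult(None, "fail CVM", "no rule could be applied")


# Constructed sample list: Amount X = 10.00 (1000 minor units), Amount Y unused, then
#   42 03  enciphered PIN online, if the terminal supports it, else try the next rule
#   1F 06  no CVM, if the amount is under X
#   5E 00  signature, always, else try the next rule
#   00 00  fail
SAMPLE_CVM_LIST = bytes.fromhex("000003E8" "00000000" "4203" "1F06" "5E00" "0000")

# Constructed terminal profiles
PIN_CAPABLE_TERMINAL = {CVM_ENCIPHERED_PIN_ONLINE, CVM_SIGNATURE, CVM_NO_CVM}
SIGNATURE_ONLY_READER = {CVM_SIGNATURE, CVM_NO_CVM}

if __name__ == "__main__":
    for label, caps in (("PIN-capable terminal", PIN_CAPABLE_TERMINAL),
                        ("signature-only reader", SIGNATURE_ONLY_READER)):
        for amount in (500, 5000):
            r = select_cvm(SAMPLE_CVM_LIST, caps, amount)
            print(f"{label}, amount {amount}: {r.name} ({r.reason})")
```

Running it shows the point the section makes about assurance: with the same card, the PIN-capable terminal always lands on online PIN, while the signature-only reader settles on "no CVM" for small amounts and on signature above Amount X. The method the cardholder ends up with is decided by the terminal's configuration as much as by the card.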

Adopting EMV standard
More and more payments in the world are carried out according to the EMV standard (Europay, Mastercard, Visa), that is, using chip cards. However, adoption of the standard is slower in some regions than in others. In the United States, EMV transactions account for less than half of all transactions . Most of the operations are still carried out using the magnetic stripe. In Europe, about 90% of all transactions are carried out according to the EMV standard .

Research results

Device manipulation: sending arbitrary commands
An attacker can connect to a device via Bluetooth and perform arbitrary operations. To do this, he needs information about the Bluetooth services running on the device, as well as the corresponding characteristics and functions. This information can be obtained through reverse engineering prior to the attack. An attacker would only need access to an mPOS terminal, a phone that supports host controller interface (HCI) event logging, and the mobile application. Using HCI event logging, the attacker tries to obtain information about the basic functions of the mPOS terminal by conducting trial transactions with different payment methods and comparing the results. Once the necessary information has been collected, the attacker uses Wireshark to analyze the communication between the phone and the mPOS terminal. This information, together with the data from the mobile application, makes it possible to match functions with their commands and identifiers. Figure 5 shows the message “Insert (swipe) the card” being sent to the display of the mPOS terminal.

[Figure: The message "Insert (swipe) the card" sent to the display]

If the card is not inserted correctly, the error message “Please take the card” appears on the display. In the HCI log, we can see which UUID is responsible for displaying the text and an example of the data being sent.

[Figure: The message "Please take the card" on the display of the mPOS terminal]

[Figure: The first Bluetooth packet responsible for sending the message "Please take the card"]

[Figure: The second Bluetooth packet responsible for sending the message "Please take the card" (the message is split into two packets because of the small maximum size of a single Bluetooth Low Energy packet)]

In the figure below, you can see that the value sent to the mPOS terminal consists of five parts: a prefix containing the command identifier, the value of the sent-command counter and the size of the payload; the main text as ASCII characters; and a postfix made up of the checksum value and the trailing byte.

[Figure: Elements of the two packets responsible for sending the message "Please take the card"]

In the following example, the terminal uses Bluetooth Classic to communicate with the phone. We see the message "Insert (swipe) the card" sent to the terminal display.

[Figure: The message "Insert (swipe) the card" on the display of the mPOS terminal]

[Figure: Bluetooth packet (in the Wireshark window) responsible for sending the message "Insert (swipe) the card" to the display of the mPOS terminal]

In the figure below, you can see that this data consists of three parts: a prefix, a message, and a checksum. The prefix again contains the counter, the command ID and the payload size. The message contains the value "Insert (swipe) card" in ASCII encoding. The checksum is the XOR of all message bytes.

[Figure: Elements of the packet responsible for sending the message "Insert (swipe) the card"]

Using this information, you can create an arbitrary command and send it to the display of the mPOS terminal. Three of the devices we tested were vulnerable to this attack vector.

Supplier | Manufacturer | Reader      | Region
SumUp    | (not public) | AIR1 E001   | Europe
iZettle  | DATECS       | YRWCRONE    | Europe
Square   | Square       | Square (S8) | USA
List of terminals vulnerable to sending arbitrary commands. Even though the Square (S8) reader does not have a display, an attacker can send other arbitrary commands.

This attack vector can be used in conjunction with the exploitation of other vulnerabilities to offer the client less secure types of operations, such as magnetic stripe. This scenario is described in Figures 14-16. In addition, an attacker can send a Payment Rejected message to force the cardholder to conduct multiple transactions.

[Figure: The cardholder is trying to insert the card]

[Figure: The message "Please swipe the card" sent to the terminal display forces the cardholder to use the magnetic stripe]

[Figure: The operation was successful; for an operation performed using the magnetic stripe, a signature is required]

Counterfeiting the amount
There are different ways to intercept traffic between the mPOS terminal and the payment system server. We have already described one of them: logging HCI events on a mobile phone and analyzing the results. To do this, you need to enable developer mode (Android Developer Mode). An attacker can take other routes, for example intercepting HTTPS traffic between the mobile application and the payment system server. This is possible because in most cases the payment system server generates commands and sends them to the mPOS terminal. To protect the mobile application from HTTPS interception, all vendors of the terminals we tested use SSL pinning.

The figure below shows an example of an initialized payment intercepted by two different methods. We were able to intercept the HTTPS traffic with a man-in-the-middle setup and by enabling debug mode. The transaction amount is shown in clear text: a value of 0100 corresponds to £1.00.

[Figure: Initialized payment made using an mPOS terminal]

By intercepting HTTPS traffic, we can change the transaction amount. Then you need to recalculate the checksum. After that, we can send the changed value of the amount to the payment system server to confirm the transaction. We found five terminals vulnerable to modification of the amount during transactions using the magnetic stripe.

Supplier | Manufacturer | Reader                | Region
SumUp    | (not public) | AIR1 E001             | Europe
iZettle  | DATECS       | YRWCRONE              | Europe
Square   | Miura        | Miura M010            | USA
PayPal   | Miura        | Miura M010            | USA
Square   | Square       | Magstripe Reader (S4) | USA / Europe
mPOS terminals vulnerable to counterfeiting

An unscrupulous merchant can trick the cardholder into confirming a much larger transaction. During the operation, the seller displays one amount on the reader's display, but at the same time a larger amount is sent to the mPOS terminal provider for confirmation. This attack is shown in the figure below.

[Figure: Left: the amount sent to the payment system server (£1.23). Right: the amount seen by the cardholder (£1)]

Terminals that support magnetic stripe operations are affected by this vulnerability. During such operations the terminal sends only the encrypted Track2 data; the transaction itself is not cryptographically authenticated. This attack vector will not work if the transaction is carried out according to the EMV standard, because in EMV transactions the amount is included in the cryptogram. PayPass and payWave contactless payments that support legacy modes (PayPass MAGSTRIPE and payWave MSD) do not provide this level of protection, since there too the amount is not protected by a cryptogram.

To understand the scale of the problem, it is enough to remember that less than 50% of transactions in the United States are carried out under the EMV standard. In addition, the service providers we examined have set limits for a single magnetic stripe transaction in Europe and the USA that are incredibly high: €50,000 and $50,000, respectively.

This attack can be prevented by using cryptographic control of the integrity of the amount and currency fields and comparing the amount and currency of the transaction on the reader with the amount confirmed by the service provider. It is important to note that the PCI DSS standard (current version 3.2.1), which regulates the storage, processing and transmission of card data, does not require such checks in the case of transactions using the magnetic stripe. The operation only requires the transmission of Track2 data.
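The following Python is an added example, not code from the article or from any of the vendors. It serves two passages: the packet analysis above, where each frame is a prefix (counter, command ID, payload size), an ASCII message and an XOR checksum, and the mitigation just described for the amount-forgery attack. It parses a frame of that shape and checks its XOR checksum, then contrasts the XOR check with a keyed MAC over the amount and currency fields: the XOR check accepts a message whose amount was changed and whose checksum was recomputed, while the MAC does not. The exact byte layout of the frame, the authorisation message format, the key and the sample values are all constructed for the demonstration, since the article describes the parts but not the byte positions.

```python
"""Why an XOR checksum is not an integrity control, and what one looks like.

Added example, not the article's code. The frame layout below is an
assumption for illustration: [counter][cmd_id][payload_len][payload][xor],
matching the parts the article describes but not any real terminal format.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Frame:
    counter: int
    cmd_id: int
    payload: bytes
    checksum: int


def xor_checksum(data: bytes) -> int:
    """XOR of every byte: detects accidental corruption, nothing more."""
    result = 0
    for b in data:
        result ^= b
    return result


def encode_frame(counter: int, cmd_id: int, payload: bytes) -> bytes:
    """Build a frame in the constructed layout (used only to make samples)."""
    body = bytes([counter, cmd_id, len(payload)]) + payload
    return body + bytes([xor_checksum(body)])


def parse_frame(raw: bytes) -> Frame:
    """Split a raw frame into its prefix fields, payload and checksum."""
    if len(raw) < 4:
        raise ValueError("frame too short")
    counter, cmd_id, length = raw[0], raw[1], raw[2]
    if len(raw) != 3 + length + 1:
        raise ValueError("payload length field does not match frame size")
    return Frame(counter, cmd_id, raw[3:3 + length], raw[-1])


def xor_frame_is_consistent(raw: bytes) -> bool:
    """True if the trailing byte equals the XOR of everything before it."""
    return raw[-1] == xor_checksum(raw[:-1])


# --- Amount integrity -------------------------------------------------------
# Constructed authorisation message: amount in minor units as four ASCII digits
# (the article shows "0100" for GBP 1.00), a three-letter currency code, and an
# opaque blob standing in for the encrypted Track2 data.

def auth_message(amount_minor: str, currency: str, enc_track2: bytes) -> bytes:
    return amount_minor.encode() + currency.encode() + enc_track2


def mac_message(message: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 over the whole message, keyed with a reader/provider secret."""
    return hmac.new(key, message, hashlib.sha256).digest()


def provider_accepts(message: bytes, tag: bytes, key: bytes) -> bool:
    """Provider-side check: the tag must match the message actually received."""
    return hmac.compare_digest(mac_message(message, key), tag)


def demonstrate(key: bytes = b"constructed-demo-key") -> dict:
    """Compare both checks on an original and an amount-modified message."""
    original = auth_message("0100", "GBP", b"<enc-track2>")   # GBP 1.00
    tampered = auth_message("0123", "GBP", b"<enc-track2>")   # GBP 1.23
    # XOR framing: whoever changes the amount simply recomputes the byte.
    xor_original = original + bytes([xor_checksum(original)])
    xor_tampered = tampered + bytes([xor_checksum(tampered)])
    # MAC framing: the reader produced the tag over the original message only.
    tag = mac_message(original, key)
    return {
        "xor_accepts_original": xor_frame_is_consistent(xor_original),
        "xor_accepts_tampered": xor_frame_is_consistent(xor_tampered),
        "mac_accepts_original": provider_accepts(original, tag, key),
        "mac_accepts_tampered": provider_accepts(tampered, tag, key),
    }


if __name__ == "__main__":
    sample = encode_frame(1, 0x10, b"Insert card")
    print(parse_frame(sample), "xor ok:", xor_frame_is_consistent(sample))
    print(demonstrate())
```

The second half is the check the paragraph above asks for: a keyed integrity value over amount and currency that the provider verifies before confirming, and that the reader can compare against the amount it displayed. An XOR (or any unkeyed checksum) cannot play that role because the party that modifies the message can always recompute it.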

Remote code execution
Two of the terminals we tested were vulnerable to remote code execution. Exploiting this vulnerability gives an attacker full access to the terminal operating system. With that access, he can intercept Track2 data before it is encrypted, or switch the terminal keypad into unencrypted mode (by sending a command) in order to intercept the PIN code.

Supplier | Manufacturer | Reader     | Region
Square   | Miura        | Miura M010 | US
PayPal   | Miura        | Miura M010 | USA
List of terminals vulnerable to remote code execution

[Figure: Nyan Cat video on the display of the Miura M010 terminal. Remote code execution gives an attacker full access to the terminal operating system]

Physical protection
The physical protection mechanisms of most mPOS terminals are quite reliable. The Square (S4) magnetic card reader does not offer the level of security and technological sophistication typical of contactless and chip card readers; however, this is perhaps to be expected of a device that is provided to the merchant free of charge. The rest of the terminals provide an adequate level of physical protection, anti-tampering mechanisms, and other measures against hardware hacking.

Anti-tampering mechanisms
Anti-tampering systems help prevent the terminal from being opened with a drill or other tools. When an attempt is made to open it, an electrical circuit is broken and the device stops working. In addition, most readers are based on proprietary standards; without access to the developer's documentation, it is impossible to obtain valuable information by physically opening the device.

[Figure: Internal structure of the iZettle YRWCRONE]

[Figure: Tamper-detection system of the iZettle YRWCRONE]

Conclusion
We found that more than half of the mPOS terminals we tested are vulnerable to attacks, and overall every mPOS terminal vendor we analyzed was affected. We have documented numerous serious security issues, including arbitrary command execution, amount forgery, and remote code execution.

Hardware mechanisms for protecting terminals are in most cases reliable and well-developed. However, other aspects, such as those related to the mobile application and the registration procedure, are much less secure.

mPOS terminal developers emphasize the ease of registering and using their devices. These are key elements of the business model, but this does not take into account that lowering barriers to entry into the card payment market must be accompanied by a significant increase in security. There is no doubt that merchant fraud will remain a major problem for mPOS vendors. A serious approach to security needs to be developed, including verification during registration and strict monitoring of payments.
