Square, PayPal POS Hardware Open to Multiple Attack Vectors

Popular card readers like Square and PayPal have various flaws that allow attacks ranging from fraud to card data theft.

Mobile point-of-sale (POS) terminals have revolutionized the retail space in many ways, with devices such as Square offering locations like mall kiosks, small coffee shops and roadside stands a handy and cost-effective way to accept credit cards. Unfortunately, more than half of leading mobile POS terminals tested for flaws were found vulnerable to some form of cyberattack method, according to research delving into various card readers.

The report, from Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, and Timur Yunusov, head of banking systems security at Positive, analyzed seven card readers and four popular vendors (SumUp, iZettle, PayPal and Square) across the U.S. and Europe.

The team assessed the security of the communications between the phone used to process a payment using the POS hardware and the payment server and also between the POS terminal and the phone. Additionally, researchers examined the security mechanisms within the mobile POS terminal; the mobile application used with the terminals; and secondary factors which affect security, such as the checks made during enrollment.

“Hardware security mechanisms are generally sophisticated in these products, but many other aspects of the payment ecosystem are far less secure, such as the mobile ecosystem and enrollment processes,” Galloway said, in a blog posted Monday on the findings.

In all, there were a number of disturbing attack vectors uncovered: For instance, two of the terminals (which were not specified) were found to have displays that an attacker could send and arbitrary command to and manipulate an on screen message.

“This attack vector can be used for social engineering to force a cardholder to use a less secure method of payment, such as mag-stripe,” Galloway explained. “Or it may be used to display a ‘payment declined’ message as a means to make the cardholder carry out additional transactions.”

This can be carried out via device manipulation, the team found. An attacker could connect directly to a Bluetooth-enabled terminal using developer mode, and, armed with enough knowledge (gleaned through reverse engineering) about how the services run on the device, they can simply send interloping commands to the terminal, with no authentication required.

An attacker would “need access to a copy of the target device, such as a mobile POS terminal, a phone which allows for HCI logging and the mobile application,” the report noted. “Once HCI logging is enabled, you can capture the core functionality of the mobile point-of-sale terminal. This can be done by making sample transactions using different payment methods, in order to obtain different results. Once this information has been captured, Wireshark can be used to analyze the communication to and from the phone and mobile point-of-sale terminal. This information, along with information obtained in the mobile application, make it possible to correlate functions with characteristics and their handles.”

The team also found that it’s possible to carry out a man-in-the-middle attack using this Bluetooth access to intercept the HTTPS traffic between the mobile application and the payment server. Because of this, five terminals were vulnerable to fraud in the form of altering the amount of the sale that’s shown to the consumer. This vulnerability, which only works for mag-stripe transactions, can be used by a fraudulent merchant to show the buyer a certain transaction amount on the card reader, while a different, higher amount is actually sent to the mobile POS provider for approval.

The HTTP communications in all of the terminals are protected with SSL pinning; for services that rely on SSL certificates, pinning allows the developer to specify a cryptographic identity that should be accepted by those interacting with the service. Thus, an attacker would need to bypass this in order to eavesdrop successfully.

“To protect the mobile application against HTTPS interception, all vendors we assessed implement SSL pinning protection,” the report noted, adding that there are known options for bypassing it. In the most straightforward approach, an adversary could use a rooted Android phone to install a special application, such as SSLUnpinning from Xposed, to automatically carry out the unpinning for them. Or, if that doesn’t work, an attacker could use another option, such as rebuilding the source code, or APK for the mobile POS terminal application.

Once the HTTPS communications haves been intercepted, an attacker can see the amounts for various transactions, which is sent in plaintext.

“By intercepting the HTTPS traffic, we can modify the amount value for this transaction,” according to the report. “Once the amount has been changed, the checksum will need to be recalculated, then [the attacker can] send this new value to the payment server for approval.”

The researchers added that this attack vector could be prevented by calculating a cryptographic checksum of the transaction, or by implementing the payment’s amount in mag-stripe transaction and comparing the value of the transaction on the reader to that which was initialized by the payment server.

And finally, two terminals were also found to be vulnerable to remote code-execution, giving cyberattackers full access to the terminals’ operating systems and the “Track 2” payment card data that they process, which includes account numbers and expiration dates.

“After an attacker has obtained full access to the operating system, it is possible to intercept Track 2 data before it is encrypted and to enable plaintext mode (command mode) on the terminals’ PIN pad, to collect PINs,” Galloway said. The report didn’t provide additional details on the flaws, but Threatpost reached out to Galloway for additional information.

“This mobile point-of-sales terminal marketplace places an emphasis on usability and enrollment,” the report concluded. “This is key to the business model, but this approach has not taken into account that security should instead be very high in all areas, to counteract the low entry barriers. Without a doubt, fraudulent merchant accounts are a significant issue for mobile point-of-sales providers. Mitigation of this issue can only be dealt with a sophisticated approach to security, which encompasses checks during the enrollment process and stringent transaction monitoring.”

Suggested articles