The researcher leaked security holes of point-of-sale (POS) mobile devices from vendors such as Square, SumUp, iZettle, PayPal.
Security experts at Positive Technologies said Thursday at the Black Hat Conference in Las Vegas the vulnerability of mPOS machines could allow malicious merchants to steal customer and attacker accounts and steal data Credits card.
According to researchers Leigh-Anne Galloway and Tim Yunusov, an attacker behind the mobile fund not only needs to change the amount charged to the credit card but also need to use other payment methods such as magnetic tape there is. It is used for data exclusion purposes.
Several flaws have been found in common mobile PoS software. These services are used in mobile card readers that appeared as alternative and cheap payment managers for SMEs.
The team found a vulnerability in the terminal payment system, including a security vulnerability that allows attackers to conduct eavesdropping and man-in-the-middle attacks (MiTM). ), Transferring arbitrary code via Bluetooth and mobile application. Forge the payment amount of magnetic tape transactions.
These attackers were made possible thanks to the operation of the mPOS system. These devices communicate with the mobile application via Bluetooth and the mobile application then sends the data to the provider's server.
However, by intercepting transactions, you can manipulate values to access transactional traffic.
In addition, hackers can also execute remote code on an invaded system. Thanks to this security vulnerability, hackers can access the card reader's complete operating system to change the appearance of purchase, a fraudulent trader may change the rejected value.
"There is currently little control of the merchant before starting to use the mPOS device, so basically it can not steal thorough staff from people with technical know-how, so readers' It is necessary to guarantee that security is very high and integrated into the development process from the beginning.
The vulnerability was disclosed to the above provider. Positive Technologies works with enterprises to fix security vulnerabilities.
As sister site CNETSquare reported, the third-party Miura M010 Reader sales system connecting to Square's software said it was vulnerable to attacks.
According to the company's spokeswoman, "We have accelerated our existing plan to abandon the support of the M010 leader and began to transfer the sellers of all these plazas to a contactless and smart square card reader"
In addition to mPOS results, cyber security companies also unveiled two vulnerabilities, CVE-2017-17668 and CVE-2018-5717, which affect ATM manufactured by NCR.
Security breaches have enabled attackers to perform black box attacks by breaching the network by using malicious physical security and paying ATM money.
NCR has released a firmware patch to address vulnerabilities.
Hope you like the news PayPal, Vulnerabilities Square Impact Mobile POS Machines. Stay Tuned For More Updates!