Mobile point of sale (MPOS) devices can be easily hacked, leaving banks, retailers and millions of customers around the world exposed to serious fraud, according to global information security firm MWR InfoSecurity.
Security researchers from MWR Labs, the research arm of the company, who in 2012 revealed critical vulnerabilities in Chip-and-Pin devices, demonstrated at the conference that it is possible to compromise MPOS terminals with multiple attacking techniques using micro USBs, Bluetooth and a malicious programmable smart card.
Jon, head of research at MWR InfoSecurity, says: “What we have found reveals that criminals can compromise the MPOS payment terminal and get full control over it. This would allow an attacker to gather PIN and credit card data, and event change the software on the device so that it accepts illegitimate payments.”
“MWR’s researchers demonstrated how an attacker could gain control over the MPOS terminal. This allowed them to display ‘try again’ messages, switch the device into insecure mode, capture the PIN code when entered and even enable it to accept stolen credit cards. They were even able to use the device to play a simplified version of the popular game Flappy Bird.”
Nils, a security researcher at MWR, adds: “MPOS is a promising technology with a growing market uptake, well suited for use in modern payment systems, but current implementations are not well designed from a security perspective. It is critical to get security right early as there is a huge potential for fraud around the world.
“Lessons that have been learned from desktop computers and servers are yet to be applied to embedded systems.”
The team discovered the issues as part of its on-going research programme into secure payment technologies.