MPOS is an emerging technology that enables retailers to process card payments using mobile phones or tablets, instead of traditional cash registers and point-of-sale terminals. It is currently used in Apple Stores and mainly small retailers.
But at Singapore's SyScan security conference on 4 April, two MWR InfoSecurity researchers showed how MPOS terminals can be comprised via multiple attack techniques using micro USBs, Bluetooth and a malicious programmable smartcard.
The researchers – Jon Butler, head of research at MWR, and a security researcher who prefers to be known as ‘Nils' – displayed how an attacker could gain full control of the MPOS terminal, allowing them to display ‘try again' messages, switch the device into insecure mode, capture PIN and credit card data, and even enable the device to accept illegitimate payments from stolen credit cards.
Butler explained: ““This shows that card holders paying at MPOS terminals worldwide are potentially at risk. Banks and retailers should also be wary when implementing this technology as it could leave them open to serious fraud.”
MWR said the vulnerabilities affect “the most popular” MPOS device but declined to provide more specific details on the flaws, as the devices concerned are currently in use at thousands of retail outlets in the UK and elsewhere.
MWR has notified the vendors concerned and provided information to address the issues. Because MPOS is typically used by smaller businesses, it said it is difficult to ascertain the numbers affected.
MWR's two researchers even used a hijacked MPOS device to play a simplified version of the game Flappy Bird. A video of the game, dubbed ‘Chippy Pin', is available here: http://mwr.to/chippy-bird.
Butler explained the purpose in an email to SCMagazineUK.com: “Aside from being entertaining, the Flappy Bird game demo showed that the attacker would have full control over the device, including the screen and the input from the keypad. A malicious attacker is likely to require this level of control to leverage these issues for financial gain - we wanted to demonstrate this level of control without fully weaponising the exploit.”
UK cyber security specialist Adrian Culley confirmed the scale of problems exposed by MWR, telling SCMagazineUK.com via email: “MPOS devices will soon be ubiquitous. It's rare to find any business which only accepts cash anymore. Whilst the attack found by MWR requires some detailed specialist knowledge and insider access, those are both within the grasp of organised crime and hostile foreign governments.”
Security expert Brian Honan, head of BH Consulting, agreed about threat level, telling us via email: “MPOS systems are vulnerable to various unique attacks due to their size and mobility, that would not be associated with traditional POS systems. Typically as the technology becomes more widespread, it will become more of a target for criminals – especially technology that processes financial details such as MPOS devices. As these systems become more popular, the importance of ensuring consistent and effective security across all these devices will grow.”
Culley advised: “Those using and administering MPOS systems should make sure they are using the latest firmware, and that they also have physical security measures around the device – i.e., CCTV, kept under lock and key when not in use. MPOS is not of itself insecure, this situation just reflects that all security is an ongoing arms race, and a determined third party with sufficient skills, motivation and resources may often find flaws.”
Jon Butler, meanwhile, said that retailers need to asses if the MPOS solution being deployed is suitable for its environment.
“Those assessing or implementing MPOS systems should be aware that the underlying platform is not guaranteed to be free of vulnerabilities. It is important to appropriately assess the platform to ensure it is well-suited to provide a secure base for any payment application being developed.”
Nils added: “MPOS is a promising technology with a growing market uptake, but current implementations are not well-designed from a security perspective. It is critical to get security right early as there is a huge potential for fraud around the world. Lessons that have been learned from desktop computers and servers are yet to be applied to embedded systems."
MWR found the MPOS flaws during ongoing research into secure payment technologies. In 2012, it revealed critical vulnerabilities in chip-and-pin devices.
Problems with traditional POS systems gained global attention at the start of this year when major US retailer Target and others were hacked, and payment card and other data on tens of millions of customers was stolen.