The tiny, portable credit card readers you use to pay at farmer’s markets, bake sales, and smoothie shops are convenient for consumers and merchants alike. But while more and more transactions are passing through them, devices from four of the leading companies in the space—Square, SumUp, iZettle, and PayPal—turn out to have a variety of concerning security flaws.
Leigh-Anne Galloway and Tim Yunusov from the security firm Positive Technologies looked at seven mobile point of sale devices in all. What they found wasn’t pretty: bugs that allowed them to manipulate commands using Bluetooth or mobile apps, modify payment amounts in magstripe swipe transactions, and even gain full remote control of a point of sale device.
“The very simple question that we had was how much security can be embedded in a device that costs less than $50?” Galloway says. “With that in mind we started off quite small by looking at two vendors and two card readers, but it quickly grew to become a much bigger project.”
All four manufacturers are addressing the issue, and not all models were vulnerable to all of the bugs. The researchers are presenting their findings Thursday at the Black Hat security conference.
The researchers found that they could exploit bugs in the Bluetooth and mobile app connections to the devices to intercept transactions or modify commands. The flaws could allow an attacker to disable chip-based transactions, forcing customers to fall back to a less secure magstripe swipe and making it easier to steal card data and clone customer cards.
Alternatively, a rogue merchant could make the mPOS device appear to decline a transaction to get a customer to repeat it multiple times, or change the total of a magstripe transaction up to the $50,000 limit. By intercepting the traffic and clandestinely modifying the value of the payment, an attacker could get a customer to approve a normal-looking transaction that is really worth much more. In these types of frauds, customers rely on their banks and credit card issuers to insure their losses, but magstripe is a deprecated protocol, and businesses that continue to use it now hold the liability.
The researchers also reported issues with firmware validation and downgrading that could allow an attacker to install old or tainted firmware versions, further exposing the devices.
The researchers found that in the Miura M010 Reader, which Square and PayPal formerly sold as a third-party device, they could exploit connectivity flaws to gain full remote code execution and file system access on the reader. Galloway notes that a third-party attacker might particularly want to use this control to switch the PIN pad from encrypted mode to a plaintext mode, known as “command mode,” in order to observe and collect customer PINs.
The researchers evaluated accounts and devices used in the US and European regions, since they’re configured differently in each place. And while all of the terminals the researchers tested contained at least some vulnerabilities, the worst of it was limited to just a few of them.
“The Miura M010 Reader is a third-party credit card chip reader that we initially offered as a stopgap and today is used by only a few hundred Square sellers. As soon as we became aware of a vulnerability affecting the Miura Reader, we accelerated existing plans to drop support for the M010 Reader,” a Square spokesperson told WIRED. “Today it is no longer possible to use the Miura Reader on the Square ecosystem.”
“SumUp can confirm that there has never been any fraud attempted through its terminals using the magnetic stripe-based method outlined in this report,” said a SumUp spokesperson. “All the same, as soon as the researchers contacted us, our team successfully removed any possibility of such an attempt at fraud in the future.”
“We recognize the important role that researchers and our user community play in helping to keep PayPal secure,” a spokesperson said in a statement. “PayPal’s systems were not impacted and our teams have remediated the issues.”
iZettle did not return a request from WIRED for comment, but the researchers say that the company is remediating its bugs as well.
Galloway and Yunusov were happy with the proactive response from vendors. They hope, though, that their findings will raise awareness about the broader issue of making security a development priority for low cost embedded devices.
“The kind of issues we see with this market base you can see applying more broadly to IoT,” Galloway says. “With something like a card reader you would have an expectation of a certain level of security as a consumer or a business owner. But many of these companies haven’t been around for that long and the products themselves aren’t very mature. Security isn’t necessarily going to be embedded into the development process.”
If you’re planning on buying or receiving a new iPhone 6s tomorrow, you will be asked to upgrade the operating system on the device immediately.
Apple has released a special version of iOS 9.0.1 that’s specifically aimed at the new iPhone 6s and 6s Plus. The OS version was pushed out to the public yesterday, but, oddly, that version didn’t include support for the new phones.
The iPhone 6s and the iPhone 6s Plus will ship with iOS 9.0.
The update is nothing major. It fixes a couple of bugs, including a “Slide to Upgrade” dialog problem that was preventing some users from upgrading to iOS 9. The update also fixes an issue that caused some paused video images in Safari and Photos to appear distorted, and another that caused some alarms and alerts not to sound.
Hat tip: Mac Rumors
By Allison Martell and Alastair Sharp
TORONTO (Reuters) – The owner of adultery website Ashley Madison had already been struggling to sell itself or raise funds for at least three years before the publication of details about its members, according to internal documents and emails also released by hackers as part of their assault on the company in recent weeks.
Some unnamed investors wanted out, multiple attempts to close a deal or raise funds failed, and a public market debut looked increasingly unlikely, the documents show.
Avid Life Media announced on Friday that CEO Noel Biderman, who founded the website in 2001, had left the company with immediate effect, the latest sign of the wrenching impact on the company of the attack that led to the disclosure of sensitive data about millions of clients.
In an April 2015 letter addressed to all its investors, closely held Avid Life acknowledged that some investors had pressed it to improve liquidity so they could sell shares. The company said it would buy back up to $10 million worth of shares.
“Over the last couple of years, we have not been successful in exploring various alternatives including a sale of the business and seeking debt from third parties,” said the letter signed by the board of directors.
Reuters could not independently verify the authenticity of the email messages and internal documents.
Avid Life did not respond to repeated requests for comment. Members of the company’s board also could not be reached for comment. Biderman was not reachable by phone.
Diller’s hopes dashed
The attack has likely sharply lowered the price Avid Life could muster in any sale of assets, assuming it could find a buyer willing to take on a company facing several multi-million-dollar lawsuits and the challenge of rebuilding a computer network that has been so badly infiltrated.
Bankers told Reuters last month – before the massive disclosure of its customers’ information – that a full data dump would create a ‘doomsday scenario’ for the company, and kill any IPO plan.
Several messages show that Biderman was trying to secure a meeting with executives at media mogul Barry Diller’s IAC/InterActive Corp, whose biggest online dating assets, including Match.com and Tinder, are being prepared for a public market spinoff. Biderman’s goal was to start acquisition talks with the much larger rival.
“They would be CRAZY not to speak with us,” wrote Biderman in February this year. And in May: “If there was ever a moment to have a ‘private’ meeting with Diller, it is now.”
But in an email message later forwarded to Biderman by an intermediary, one IAC director, Bryan Lourd, was blunt about the chances IAC might buy Ashley Madison: “They don’t want it.”
IAC declined to comment “on rumors and speculation about transactions.”
Avid Life in April said it was considering an initial public offering in London, at a $1 billion valuation, with company executives expressing hope in media interviews that European investors would prove more understanding of the controversial business than those in North America.
The emails show that Biderman received an informal approach in May from Cliff Lerner, the CEO of Snap Interactive, which owns the online dating site AYI.com. Lerner suggested a reverse takeover and a Nasdaq listing.
A spokesman for Snap said Lerner had a short back and forth email conversation with Avid Life representatives, but ultimately decided a deal wouldn’t work.
By June, Biderman called the IPO a “long shot” in one email. He told an acquaintance, who helped put other companies’ financing deals together, that he was looking to raise between $50 million and $75 million in debt.
Similar efforts had fallen through before. Avid Life had a letter of intent from Fortress Credit Corp, part of Fortress Investment Group, to borrow $43 million in September 2013, the documents the hackers released show, but the deal never went through.
“I can confirm that the proposed loan you referenced did not close,” Gordon Runté, head of investor and media relations at Fortress, said in response to queries, declining to comment further on the reasons.
Avid Life had intended to use some of that cash to pay a dividend to its shareholders, the proposal, dated September 6, 2013, showed.
It also received a term sheet for a $40 million three-year loan from GMP Securities, a Canadian investment bank, in 2012.
GMP said the deal was not completed and it has never loaned Avid Life any money. It declined to specify why.
The emails also show that Avid Life came close to selling itself at least three times in 2012.
In one instance, a deal with Canadian billionaire Alex Shnaider and frozen yogurt mogul Michael Serruya fell apart because of CEO Biderman’s “difficult and very demanding” personality, according to an email from the potential buyers. Two other attempted deals, with a boutique investment bank and a private equity firm, also fell apart.
Shnaider confirmed that he and Serruya wanted to strike a deal to acquire Avid Life and had agreement in principle to buy it. “We didn’t feel comfortable, at the end of the day, going through with the deal,” he said.
A spokesperson for Serruya did not immediately return calls.
(Editing by Amran Abocar and Martin Howell)