The tiny, portable credit card readers you use to pay at farmer’s markets, bake sales, and smoothie shops are convenient for consumers and merchants alike. But while more and more transactions are passing through them, devices from four of the leading companies in the space—Square, SumUp, iZettle, and PayPal—turn out to have a variety of concerning security flaws.
Leigh-Anne Galloway and Tim Yunusov from the security firm Positive Technologies looked at seven mobile point-of-sale (mPOS) devices in all. What they found wasn’t pretty: bugs that allowed them to manipulate commands over Bluetooth or through the mobile apps, modify payment amounts in magstripe swipe transactions, and even gain full remote control of a point-of-sale device.
“The very simple question that we had was how much security can be embedded in a device that costs less than $50?” Galloway says. “With that in mind we started off quite small by looking at two vendors and two card readers, but it quickly grew to become a much bigger project.”
All four manufacturers are addressing the issues, and not all models were vulnerable to all of the bugs. The researchers are presenting their findings Thursday at the Black Hat security conference.
The researchers found that they could exploit bugs in the devices’ Bluetooth and mobile-app connectivity to intercept transactions or modify commands. The flaws could allow an attacker to disable chip-based transactions, forcing customers to fall back to a less secure magstripe swipe, which makes it easier to steal track data and clone customer cards.
Alternatively, a rogue merchant could make the mPOS device appear to decline a transaction so that the customer repeats it multiple times, or change the total of a magstripe transaction to anything up to the $50,000 limit. By intercepting the traffic and clandestinely modifying the value of the payment, an attacker could get a customer to approve a normal-looking transaction that is really worth much more. In these types of fraud, customers rely on their banks and card issuers to cover their losses, but magstripe is a deprecated protocol, and merchants who continue to accept it now hold the liability for the resulting fraud.
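To make the amount-tampering path concrete, here is an added illustration (my own code, not the researchers’ proof of concept and not any of the four vendors’ protocols): a hypothetical reader that MACs the amount it displayed together with the card data under a per-reader key, beside a weak backend that settles whatever amount the phone app sends and a hardened backend that settles only the amount the reader actually showed the cardholder. The key, the record layout and the track data are constructed for this example.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical per-reader key provisioned at manufacture and shared with the
# payment backend. Constructed for this example; it is not any vendor's scheme.
READER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def reader_authorize(amount_cents: int, entry_mode: str, track_data: bytes,
                     key: bytes = READER_KEY) -> dict:
    """Model of the reader's side of a swipe.

    The reader shows amount_cents on its display, the cardholder approves, and
    the reader returns a record binding the displayed amount, the entry mode
    and the card data under a MAC. The phone app relays this record to the
    backend but cannot alter any field without invalidating the MAC.
    """
    canonical = json.dumps(
        {
            "amount_cents": amount_cents,
            "entry_mode": entry_mode,          # "chip" or "magstripe"
            "card_hash": hashlib.sha256(track_data).hexdigest(),
            "nonce": secrets.token_hex(8),     # lets the backend reject replays
        },
        sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()
    return {"canonical": canonical, "mac": mac}


def backend_settle_weak(app_request: dict) -> int:
    """Weak backend: settles whatever amount the phone app's request carries.

    Nothing ties that number to what the reader displayed, so anyone who can
    rewrite the app's traffic (or a rogue merchant running a modified app)
    charges a different amount from the one the cardholder approved.
    """
    return app_request["amount_cents"]


def backend_settle_hardened(app_request: dict, record: dict,
                            key: bytes = READER_KEY) -> int:
    """Hardened backend: recomputes the reader's MAC and settles only the
    amount the reader displayed. A mismatch between the app's amount and the
    reader's amount is treated as tampering, not as a benign discrepancy."""
    expected = hmac.new(key, record["canonical"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["mac"]):
        raise ValueError("reader record MAC mismatch: record altered or forged")
    fields = json.loads(record["canonical"])
    if fields["amount_cents"] != app_request["amount_cents"]:
        raise ValueError(
            f"amount tampering: app submitted {app_request['amount_cents']}, "
            f"reader displayed {fields['amount_cents']}")
    # A production backend would also persist fields["nonce"] to block replays
    # and could refuse entry_mode == "magstripe" for cards it knows carry a chip.
    return fields["amount_cents"]


def demo() -> dict:
    """Honest $5.00 swipe, then the same swipe with the app-side amount
    rewritten to $50,000.00 (the ceiling mentioned in the report). Returns what
    each backend would settle, with None where the hardened backend refuses."""
    track = b"constructed-track-data-not-a-real-card"
    record = reader_authorize(500, "magstripe", track)
    honest = {"amount_cents": 500}
    tampered = {"amount_cents": 5_000_000}
    results = {
        "weak_honest": backend_settle_weak(honest),
        "weak_tampered": backend_settle_weak(tampered),
        "hardened_honest": backend_settle_hardened(honest, record),
    }
    try:
        results["hardened_tampered"] = backend_settle_hardened(tampered, record)
    except ValueError:
        results["hardened_tampered"] = None
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is the same one EMV makes for chip transactions: the amount must be inside something the reader authenticates, so the app (and anyone sitting on its Bluetooth or network link) is reduced to a dumb relay. Nonce tracking and entry-mode policy are left as comments because they depend on backend state this block does not model.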
The researchers also reported issues with firmware validation and downgrading that could allow an attacker to install old or tainted firmware versions, further exposing the devices.
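The firmware side, as an added example in the same spirit (not code from the report or from any vendor): a constructed image format with a weak install path that checks only a magic value, beside a hardened path that verifies an integrity tag over header and payload before trusting the version field and then refuses any image that is not newer than the one installed. The key and the layout are assumptions; a real bootloader would verify an asymmetric signature against a public key fixed in ROM and keep the installed version in tamper-resistant storage.

```python
import hashlib
import hmac
import struct

# Constructed image layout for this example (not any vendor's real format):
#   magic(4) | version(4, big-endian) | payload_len(4) | payload | tag(32)
# tag = HMAC-SHA256(SIGNING_KEY, magic||version||len||payload). A shipping
# device would instead verify an asymmetric signature against a public key
# fixed in ROM; the hypothetical symmetric key here only keeps the block
# self-contained and runnable offline.
MAGIC = b"MPOS"
HEADER_LEN = 12
TAG_LEN = 32
SIGNING_KEY = bytes.fromhex(
    "deadbeef00000000000000000000000000000000000000000000000000000000")


def sign_image(version: int, payload: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Build a signed update image the way a vendor's build server would."""
    header = MAGIC + struct.pack(">II", version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Reader:
    """Minimal model of a reader's update path. installed_version stands in for
    the monotonic counter a real device keeps in tamper-resistant storage."""

    def __init__(self, installed_version: int):
        self.installed_version = installed_version
        self.firmware = b""

    def install_weak(self, image: bytes) -> int:
        """Validation bug modelled here: only the magic is checked, so anyone
        who can reach the update path loads an older image with known holes,
        or a modified one."""
        if image[:4] != MAGIC:
            raise ValueError("not a firmware image")
        version, length = struct.unpack(">II", image[4:HEADER_LEN])
        self.installed_version = version
        self.firmware = image[HEADER_LEN:HEADER_LEN + length]
        return version

    def install_hardened(self, image: bytes, key: bytes = SIGNING_KEY) -> int:
        """Integrity first, then anti-rollback: the version field is trusted
        only after the tag over the whole header and payload has verified."""
        if len(image) < HEADER_LEN + TAG_LEN or image[:4] != MAGIC:
            raise ValueError("malformed image")
        version, length = struct.unpack(">II", image[4:HEADER_LEN])
        if len(image) != HEADER_LEN + length + TAG_LEN:
            raise ValueError("length field does not match image size")
        body, tag = image[:HEADER_LEN + length], image[HEADER_LEN + length:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("signature check failed: image altered or not from vendor")
        # "<=" also refuses re-flashing the installed version; relax to "<"
        # only if the product needs same-version reinstalls.
        if version <= self.installed_version:
            raise ValueError(
                f"rollback refused: v{version} is not newer than installed "
                f"v{self.installed_version}")
        self.installed_version = version
        self.firmware = body[HEADER_LEN:]
        return version


def demo() -> dict:
    """Apply a v2 image to a reader on v3 through both paths, then a v4 image
    altered in transit and a genuine v4 image through the hardened path."""
    v2 = sign_image(2, b"constructed payload v2 (has the old bug)")
    v4 = sign_image(4, b"constructed payload v4 (fixed)")
    altered_v4 = bytearray(v4)
    altered_v4[HEADER_LEN] ^= 0x01          # flip one payload bit
    results = {}
    weak = Reader(installed_version=3)
    results["weak_downgrade"] = weak.install_weak(v2)      # accepted: 2
    hard = Reader(installed_version=3)
    for name, img in (("hardened_downgrade", v2),
                      ("hardened_altered", bytes(altered_v4)),
                      ("hardened_upgrade", v4)):
        try:
            results[name] = hard.install_hardened(img)
        except ValueError:
            results[name] = None
    return results


if __name__ == "__main__":
    print(demo())
```

Checking the tag before reading the version matters: if the anti-rollback comparison ran on an unauthenticated header, an attacker could simply bump the version field of an old image to slip it past the check.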
The researchers found that in the Miura M010 Reader, which Square and PayPal formerly sold as a third-party device, they could exploit connectivity flaws to gain full remote code execution and file system access on the reader. Galloway notes that a third-party attacker might particularly want to use this control to switch the PIN pad from encrypted mode to a plaintext mode, known as “command mode,” in order to observe and collect customer PINs.
The researchers evaluated accounts and devices used in the US and European regions, since they’re configured differently in each place. And while all of the terminals the researchers tested contained at least some vulnerabilities, the worst of it was limited to just a few of them.
“The Miura M010 Reader is a third-party credit card chip reader that we initially offered as a stopgap and today is used by only a few hundred Square sellers. As soon as we became aware of a vulnerability affecting the Miura Reader, we accelerated existing plans to drop support for the M010 Reader,” a Square spokesperson told WIRED. “Today it is no longer possible to use the Miura Reader on the Square ecosystem.”
“SumUp can confirm that there has never been any fraud attempted through its terminals using the magnetic stripe-based method outlined in this report,” said a SumUp spokesperson. “All the same, as soon as the researchers contacted us, our team successfully removed any possibility of such an attempt at fraud in the future.”
“We recognize the important role that researchers and our user community play in helping to keep PayPal secure,” a spokesperson said in a statement. “PayPal’s systems were not impacted and our teams have remediated the issues.”
iZettle did not return a request from WIRED for comment, but the researchers say that the company is remediating its bugs as well.
Galloway and Yunusov were happy with the proactive response from vendors. They hope, though, that their findings will raise awareness about the broader issue of making security a development priority for low cost embedded devices.
“The kind of issues we see with this market base you can see applying more broadly to IoT,” Galloway says. “With something like a card reader you would have an expectation of a certain level of security as a consumer or a business owner. But many of these companies haven’t been around for that long and the products themselves aren’t very mature. Security isn’t necessarily going to be embedded into the development process.”
Good morning and happy cyber Cinco de Mayo, dear readers.
I received an abundance of thoughtful responses to my essay on rejecting consumer DNA tests last weekend. In lieu of a column, I’ve reproduced a selection of the several dozen well-considered comments that landed in my inbox. I hope you enjoy the variety of perspectives and insights as much as I did. (I have stripped out the identities of the authors—for privacy reasons, of course.)
KA: “While I understand your reticence, I believe as a human race we need to share genomic and other data to move forward. I’ve been in the precision medicine space for 18 years, and the only way to see it reach maximum potential is if we break down silos for information sharing globally.”
EM: “I think it is likely too late for you to refuse. It is most likely that a relative of yours—whether close or distant—has already chosen to test his or her DNA, and has shared the extended family tree that includes you.”
MP: “I don’t blame you. I do however believe that sooner or later we all will have to do it if only to have access to future healthcare (personalized medicine is coming faster than anyone thought it would) and that somewhere a national genetic repository will soon exist.”
KS: “I was a fencesitter veering towards disagreeing until I read your mention of TOS [Terms of Service]. Decoding TOS can often be harder than decoding the DNA. DNA Testing is simply not worth the effort. So, now I agree!”
ML: “I did ancestry.com about a year ago and have had several moments of regret since—especially on the heels of this story. Maybe I’m a little paranoid too but I often think about what things could look like if someone like Hitler had access to our DNA records. Yikes.”
JP: “I can think of no more elegant way for the NSA (or similar group) to collect DNA information on millions of people than to own one of the ‘23 and me’ type companies.”
JR: “Just take the implications of this data in the hands of a totalitarian government, a greedy and maligned corporation, a foreign power. Bad, bad, bad.”
EF: “Everyone keeps asking me why I don’t want to know my ancestry and now I will forward them this newsletter.”
In case you didn’t catch last weekend’s essay (or EF’s forward), you may read the piece here. Thank you to everyone who wrote in and offered an astute viewpoint, personal experience, or opinion. What a pleasure it is to have so many attentive, engaged subscribers to this newsletter. I wonder if there’s a gene behind that.
Have a great weekend.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
1105 Public Sector Media Group is pleased to announce that voting for the 2016 THE Journal Readers’ Choice Awards is now open
(PRWeb August 05, 2016)
Read the full story at http://www.prweb.com/releases/2016/08/prweb13594611.htm