A lot has come out of the Black Hat USA 2018 conference in Las Vegas over these last few days. One discovery that demands particular attention comes from Positive Technologies’ researchers Leigh-Anne Galloway and Tim Yunusov, who have come forward to shed light on the growing number of attacks on lower-cost payment methods.
According to the two researchers, hackers have found a way to steal credit card information or manipulate transaction amounts to steal funds from users. They have managed to develop card readers for cheap mobile payment cards to carry out these tactics. As people increasingly adopt this new and simple method of payment, they are becoming prime targets for hackers who have mastered theft through this channel.
In particular, the two researchers explained that security vulnerabilities in these payment methods’ readers could allow someone to manipulate what customers are shown on the payment screens. This could allow a hacker to alter the true transaction amount, or make the machine display that the payment was unsuccessful the first time, prompting a second payment which could be stolen. The two researchers supported these claims by studying security flaws in readers from four leading point-of-sale companies in the United States and Europe: Square, PayPal, SumUp, and iZettle.
Even if the merchant has no such malicious intent, another vulnerability found in the readers could allow a remote attacker to steal money as well. Galloway and Yunusov discovered that the way the readers used Bluetooth to pair was not secure, as there was no connection notification or password entry or retrieval associated with it. This means that any attacker in range can intercept the Bluetooth communication that the device maintains with a mobile application and the payment server, and alter the transaction amount.
It’s important to note that the two researchers have explained that remote exploits of this vulnerability have not been carried out yet and that, despite these massive vulnerabilities, exploits have not yet picked up momentum in general. The companies responsible for these payment methods were notified in April, and it seems that, of the four, Square has taken quick notice and decided to discontinue support for its vulnerable Miura M010 Reader.
The researchers warn users who choose these cheap cards for payment that they may not be safe bets. They advise users to pay by chip and PIN, chip and signature, or contactless methods instead of the magnetic stripe swipe. In addition, those on the selling end should invest in better and safer technology to ensure the reliability and security of their business.