Security researchers have discovered critical vulnerabilities in leading mPOS (mobile point-of-sale) devices that could allow fraudulent merchants to interfere with payments.
Leigh-Anne Galloway and Tim Yunusov of Positive Technologies discovered the flaws, which allow merchants to interfere with payments and change the amount charged to customers.
“Vulnerabilities in multiple mobile point-of-sale machines allow malicious merchants to take advantage of customers by changing the amount charged and forcing cardholders to use a more vulnerable payment method,” the researchers wrote in their post.
Multiple vulnerabilities were discovered that an attacker can exploit to carry out man-in-the-middle transactions, send arbitrary code via Bluetooth and the mobile application, change payment values for magstripe transactions, and trigger remote code execution.
An mPOS device uses a Bluetooth connection to communicate with the mobile application, which in turn transmits the data to the payment provider's server.
When a transaction is made via magstripe, an attacker can intercept it and modify the amount; the customer, unaware of the change, authorizes the transaction.
Another vulnerability allows remote code execution; exploiting it gives full access to the reader's operating system.
Attackers can also force customers to use a more vulnerable payment method such as magstripe by sending arbitrary commands to the reader, for example displaying a message that the payment was declined.
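As an added illustration (not part of the original article or of Positive Technologies' research), the following shows one server-side defence against the amount-tampering path described above: the reader authenticates the transaction fields it displayed, so a phone app or Bluetooth intermediary that alters the amount or entry mode in transit is detected by the payment server. The key, field names and message format are constructed for this example.

```python
import hmac
import hashlib
import json

# Constructed demo key. In practice a per-reader key would be provisioned
# during manufacture and known only to the reader and the payment provider.
READER_KEY = b"demo-reader-key-0001"


def _canonical(fields: dict) -> bytes:
    """Stable byte encoding so reader and server MAC exactly the same data."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def reader_authorize(amount_cents: int, currency: str, txn_id: str,
                     entry_mode: str, key: bytes = READER_KEY) -> dict:
    """Reader side: build the authorization record for the amount it showed the
    cardholder and attach an HMAC before handing it to the mobile app."""
    record = {"amount_cents": amount_cents, "currency": currency,
              "txn_id": txn_id, "entry_mode": entry_mode}
    record["mac"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def server_verify(record: dict, key: bytes = READER_KEY) -> tuple:
    """Payment provider side: recompute the MAC over the received fields.
    Any change made between reader and server (amount, entry mode, ...) fails."""
    fields = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(record.get("mac", ""))):
        return False, "integrity check failed: record altered between reader and server"
    return True, "ok"


def demo() -> tuple:
    """Genuine record passes; the same record with the amount inflated by an
    intermediary (the attack path described in the article) is rejected."""
    genuine = reader_authorize(1250, "GBP", "txn-0001", "chip")
    tampered = dict(genuine)
    tampered["amount_cents"] = 125000  # merchant-side app rewrites the amount
    return server_verify(genuine)[0], server_verify(tampered)[0]


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The same check covers the downgrade case: because `entry_mode` is inside the MAC, a record relabelled from chip to magstripe after the reader authenticated it is also rejected.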
Researchers have notified the vendors about the vulnerabilities and are working with them to solve the issues.
“These days it’s hard to find a business that doesn’t accept faster payments. mPOS terminals have propelled this growth, making it easier for small and micro-sized businesses to accept non-cash payments. Currently there are very few checks on merchants before they can start using an mPOS device and less scrupulous individuals can therefore, essentially, steal money from people with relative ease if they have the technical know-how. As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.” said Leigh-Anne Galloway of Positive Technologies.