Press Release

Mobile Point of Sale devices could leave millions worldwide open to attack

News

Mobile Point of Sale (MPOS) devices can be easily hacked, leaving banks, retailers and millions of customers exposed to serious fraud around the world, global information security firm MWRInfoSecurity has revealed at the SyScan security conference in Singapore today.

Security researchers from MWR Labs, the research arm of the company, who in 2012 revealed critical vulnerabilities in Chip-and-Pin devices, demonstrated at the conference that it is possible to compromise MPOS terminals with multiple attacking techniques using micro USBs, Bluetooth and a malicious programmable smart card.

Jon, Head of research at MWR InfoSecurity, said: “What we have found reveals that criminals can compromise the MPOS payment terminal and get full control over it. This would allow an attacker to gather PIN and credit card data, and event change the software on the device so that it accepts illegitimate payments.”

He added: “This shows that card holders paying at MPOS terminals worldwide are potentially at risk. Banks and retailers should also be wary when implementing this technology as it could leave them open to serious fraud.”

MWR’s researchers demonstrated how an attacker could gain control over the MPOS terminal. This allowed them to display ‘try again’ messages, switch the device into insecure mode, capture the PIN code when entered and even enable it to accept stolen credit cards. They were even able to use the device to play a simplified version of the popular game Flappy Bird.

Nils, a security researcher at MWR, said: “MPOS is a promising technology with a growing market uptake, well suited for use in modern payment systems, but current implementations are not well designed from a security perspective. It is critical to get security right early as there is a huge potential for fraud around the world.”

He added: “Lessons that have been learned from desktop computers and servers are yet to be applied to embedded systems.”

The team discovered the issues as part of its ongoing research programme into secure payment technologies. Companies use MWR to understand how they may be vulnerable to fraud and attack by criminals using advance and sophisticated attacks.

The company has notified the vendors involved and has assisted with the relevant information needed to address the identified issues. They are unable to provide any specific details on the vulnerabilities found as the devices concerned are currently being used at thousands of retail outlets in the UK and around the world.

 

 

Accreditations

As members of CHECK we are measured against high standards set by CESG for the services we provide to Her Majesty's Government.
We are certified in the ISO 9001 quality management system (QMS) in the UK, ensuring reliable delivery of our products and services.
We are certified to comply with ISO 14001 in the UK, an internationally accepted standard that outlines how to put an effective environmental management system in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR are approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.