mPOS systems are vulnerable to MitM attacks

Think twice before using a Magstripe Card to make payments Via Mobile Point Of Sale System (mPOS). Researchers at Black Hat 2018 demonstrated how a man-in-the-middle attack (Mitm) can be executed to manipulate and change the value of amount being transacted through a mPOS system. The remote code execution vulnerability can only be exploited if the payment is done using magstripe cards. 

In the era when magstripe cards have largely been replaced by EMV (chip based) cards and contactless cards in Australia, its less likely to see many magstripe card users. However, there could be possibilities that a user still use magstripe cards to make payments in many cases. Although the Australian payment system has adopted the chip based EMV cards as a major shift focused on discouraging fraud, many banks are still issuing magstripe cards.  

As demonstrated by researcher, Tim Yunusov and Leigh-Anne Galloway, by just sending arbitrary code via Bluetooth, payment values can be altered while a magstripe card is used to pay via mPOS. The exploit enumerated by the researchers has exposed a serious flaw in the mPOS devices which are widely used across the world and by Australian merchants and small businesses.  

Some of the world leaders in mPOS technology such as Square, SumUp, iZettle and Paypal.also offer their products in Australia. The researchers disclosed the mPOS offered by these companies were affected by the vulnerability. This threat creates opportunities of direct monetization capabilities for threat actors which increases the possibilities of its occurrences. 

mPOS devices could be a cheaper substitute for small businesses, however a thorough risk assessment must be done by merchants before adopting such systems. It is also important that customers avoid using magstripe cards while making payments via mPOS.  

It is the need of the hour that the entire payment system is reviewed and such loopholes are closed before an upscale in exploiting such vulnerabilities.

Don’t leave yourself exposed. Find your vulnerabilities before cybercriminals do. Contact us for Vulnerability Assessment and Penetration Testing.

Date Published
August 11, 2018