This Dark Reading article discusses hacks that were attempted at Black Hat to test POS devices from Square, iZettle, PayPal, and SumUp. The hacks discovered some vulnerabilities such as susceptibility to arbitrary commands and amount tampering via remote code execution, but generally discovered that broader risk management procedures such as onboarding precautions, device protection, and transactional risk monitoring were adequate:
“It’s important, Galloway and Yunusov said, to remember that the MPOS devices are part of an overall financial ecosystem, and that different companies protect devices and transactions in different ways. “We did find some really good examples of anti-fraud protection,” Galloway said in the interview. “Some vendors were carrying out very sophisticated anti-fraud detection using forms of correlation to identify bad devices and readers,” she explained. The researchers also found a wide variety of anti-fraud activities taking place during the device and merchant enrollment process, with some vetting potential merchants much more heavily than others.
In the test results, Galloway and Yunusov found that Square and PayPal had the most active anti-fraud and security checks during the transaction process, with iZettle monitoring less actively. They also found that the Miura devices used in some instances by Square and PayPal were susceptible to arbitrary commands and amount tampering via remote code execution.
In general, though, ‘We were impressed by the level of physical security mechanisms in place generally,’ Galloway said. ‘Most of the readers that we looked at have good internal protection from tampering. It was very good for a product that retails at that price and we were surprised by that, actually.’ ”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group