For the Love of Money: Finding and Exploiting Vulnerabilities in Mobile Point of Sales Systems

Presented at ekoparty 14 (2018), Sept. 28, 2018, 9:50 a.m. (50 minutes)

These days it's hard to find a business that doesn't accept faster payments. Mobile Point of Sales (mPOS) terminals have propelled this growth, lowering the barriers for small and micro-sized businesses to accept non-cash payments. Older payment technologies like mag-stripe still account for the vast majority of all in-person transactions. This is complicated further by the introduction of new payment standards such as NFC. As with each new iteration in payment technology, weaknesses are inevitably introduced into this increasingly complex payment ecosystem. In this talk, we ask: what are the security and fraud implications of removing the economic barriers to accepting card payments, and what are the risks associated with continued reliance on old card standards like mag-stripe?

In the past, testing for payment attack vectors has been limited to the scope of individual projects and to those that had permanent access to POS and payment infrastructure. Not anymore! In what we believe to be the most comprehensive research conducted in this area, we consider four of the major mPOS providers spread across the US, Europe, South America and Asia: Square, SumUp, iZettle and PayPal. We provide live demonstrations of new vulnerabilities that allow you to MitM transactions, send arbitrary code via Bluetooth and the mobile application, modify payment values for mag-stripe transactions, and a vulnerability in firmware: DoS to RCE. Using this sampled geographic approach, we are able to show the current attack surface of mPOS and to predict how this will evolve over the coming years. We will demonstrate how anyone can carry out an attack to send arbitrary code to an mPOS device using simple hardware costing less than $10. The automation of this process allows an attacker to select from a variety of pre-generated messages to send to the mPOS during the transaction process.

Finally, for audience members who are interested in integrating testing practices into their organization or research practices, we will show you how to use mPOS to identify weaknesses in payment technologies, and how to remain undetected in spite of anti-fraud and security mechanisms.


  • Timur Yunusov
    Tim Yunusov is a Security Expert in the area of banking security and application security. He has authored multiple pieces of research in the field of application security, which include "Apple Pay replay attacks" (Black Hat USA 2017), "7 sins of ATM protection against logical attacks" (PacSec, POC), "Bruteforce of PHPSESSID", "XML Out-Of-Band" (Black Hat EU), and is rated in the Top Ten Web Hacking Techniques by WhiteHat Security. He regularly speaks at conferences and has previously spoken at CanSecWest, Black Hat USA, Black Hat EU, HackInTheBox, Nullcon, NoSuchCon, Hack In Paris, ZeroNights and Positive Hack Days.
  • Leigh-Anne Galloway
    Leigh-Anne Galloway is a Security Researcher who specializes in the areas of application and payment security. Leigh-Anne started her career in incident response, leading investigations into payment card data breaches, which is where she discovered her passion for security advisory and payment technologies. She has presented and authored research on ATM security, application security and payment technology vulnerabilities and has previously spoken at DevSecCon, BSides, Hacktivity, 8dot8, OWASP, Troopers and Black Hat.

