Mobile point-of-sale (POS) technology presents easy options to small merchants that used to accept cash only — from hot dog vendors to Girl Scouts selling cookies. Large retail chains have also deployed mobile POS to enable employees to check out customers from anywhere in the store, completely bypassing traditional lines.

Because of these advantages, mobile POS is certain to be very popular at large global sporting competitions. Mammoth events typically attract pop-up merchants hawking souvenirs, drinks or even parking spaces. If they have a smartphone, they can get an inexpensive — or even free — attachment to accept payment cards. However, these same large events may also attract thieves and con artists out to steal card numbers through malware, hardware skimming or anything else that works.

Mobile Point-of-Sale Technology Presents New Risks

A particular risk to small businesses comes from the common practice of doing business on personal phones. The business is only as safe as the riskiest behavior of its employees; any malware infection can impact the business if a compromised personal phone is used as a mobile POS.

The good news is that the technology is improving. Five years ago, every card swiped on a compromised mobile point-of-sale terminal could theoretically be retrieved by criminals. Modern card readers can encrypt the cardholder’s data before it ever reaches the mobile device, significantly mitigating the risk of malware on the phone or tablet.

Of course, technical innovation is never a panacea against criminals. Innovation is only effective if it is implemented; smaller merchants may not adopt the latest and greatest technology. Similarly, while cards with chip-and-PIN technology provide excellent protection against card duplication, using them is not without risk because they don’t encrypt the card number. That is left up to the card reader, just as it is with magnetic stripes.

Consumer Risk: Understanding Liability

A successful attack will affect both the merchant and consumers, but the risks and mitigation strategies are very different for each.

In some countries, consumer liability is capped for fraudulent card transactions and may be entirely waived by the bank that issued the card. In those cases, the consumer’s risk is primarily the inconvenience of documenting fraudulent charges and waiting for a replacement card.

Of course, if you’re traveling, especially internationally, suddenly having your primary payment card canceled can be a major disruption. In other countries, consumer liability may be capped only for card-not-present transactions such as online purchases.

Some regions that have fully adopted chip-and-PIN purchasing have pushed the liability for all fraudulent PIN transactions to the consumer. In those cases, the secrecy of your PIN is paramount.

If you’re unsure about your liability, contact the bank that has issued your payment card. It should be able to explain the policy, allowing you to make an educated risk decision.

Minimizing Consumer Risk

Regardless of your personal liability, there are some steps that you can always take to minimize your risk:

  • Travel with at least two payment cards, ideally from separate banks.
  • Check with your issuing bank to see if you need to notify it about travel. Having your card frozen because you’ve never used it in Brazil might not ruin your entire traveling experience, but it sure won’t help.
  • Be thoughtful about where you use a payment card. On average, major retail chains are more likely to have good security than a small restaurant, and modern POS software is less likely to be vulnerable than legacy software. That being said, some small merchants have great security, many major retailers have been compromised and even an experienced security professional can’t assess the risk of a POS by visual inspection alone.
  • If in doubt, use cash.
  • If you’re using a cash machine, try to find one in an area with better physical security, such as a bank or hotel lobby. Cash machines in areas with minimal human presence are more likely to be tampered with.
  • Check the machine for card skimmers — grab the plastic casing around the card slot and give it a few good pulls. It should never be loose on a legitimate device. The new transparent casings (which are often green) are a good security control, but skimmers have been discovered in them too.
  • When you get home, review your card statements for anomalous activity, but don’t focus just on high-price purchases. Many criminals will first attempt a very low purchase amount to verify the accuracy of the stolen data. Spotting that early can prevent more significant fraud later.

Merchant Risk: Testing Is Key

Addressing mobile point-of-sale risk is very different for merchants. Responsible merchants and POS software providers engage security companies to manually test their solutions. That’s an important step, even for veteran development teams.

A perfect security design can easily be brought down by a simple implementation flaw. Skilled testers can simulate malicious attacks to discover both design and implementation flaws. Hopefully, this will confirm that the solution is secure. However, we have seen even major retail chains fundamentally fail at their mobile POS deployments.

On more than one occasion a merchant’s security plan has boiled down to who is handling the mobile device. That might be viable for a small business, but it can’t scale beyond a few employees. For large deployments, merchants have to assume that someone bad has gotten their hands on the tablet or phone.

That’s true for traditional POS security, but critical for mobile products. A criminal is unlikely to walk out the door with an entire cash register, but could easily put an unused tablet under his shirt, take it to the bathroom, install malware and return it in under five minutes. The staff are more likely to be relieved at having found it than suspicious about its integrity.

Mobile Device Management Can Help

A strong deployment strategy will utilize mobile device management (MDM) software to monitor device security. The MDM policy can require that the operating system is patched, that the device is not rooted or jailbroken, that only authorized software is installed and that security settings like lock passwords are properly configured. Just like any other tool, MDM isn’t perfect, but it can make a successful attack far more complicated for criminals.

Not all MDMs are created equal. We tested one solution that required that all software updates be signed by a specific encryption key — all software updates, but not all configuration updates. For example, no signature was required to update the file containing authorized keys for signing software updates. As a result, the great idea of signed software could be easily bypassed by adding an encryption key controlled by the attacker.
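The signed-update bypass just described, modelled as an added example that is not from the original post or any real MDM product: a weak device that checks signatures on software updates but applies the authorized-keys file with no check at all, beside a hardened device that requires every configuration file to be signed by a pinned root key. Key material, file names and the JSON key-store format are constructed for illustration, and HMAC stands in for the asymmetric signatures a real product would use.

```python
import hashlib
import hmac
import json

# Constructed sample keys. A real MDM would use asymmetric signatures; HMAC-SHA256
# keeps this stdlib-only while preserving the trust-store logic under discussion.
VENDOR_KEY = b"vendor-signing-key-constructed"
PINNED_ROOT_KEY = b"root-trust-anchor-constructed"  # burned into the device, never updatable

def sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify(key: bytes, payload: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)

class WeakDevice:
    """Software updates are signed, but config files (including the
    authorized-keys file) are applied with no signature check at all."""
    def __init__(self) -> None:
        self.authorized_keys = {"vendor": VENDOR_KEY.hex()}

    def apply_config(self, name: str, content: bytes, sig: str = "") -> bool:
        if name == "authorized_keys":
            self.authorized_keys = json.loads(content)  # trust store replaced unverified
        return True

    def install_update(self, payload: bytes, key_id: str, sig: str) -> bool:
        key = self.authorized_keys.get(key_id)
        return key is not None and verify(bytes.fromhex(key), payload, sig)

class HardenedDevice(WeakDevice):
    """Same update check, but every config file must be signed by the pinned root key."""
    def apply_config(self, name: str, content: bytes, sig: str = "") -> bool:
        if not verify(PINNED_ROOT_KEY, name.encode() + b"\0" + content, sig):
            return False  # unsigned or forged config: trust store stays as it was
        return super().apply_config(name, content, sig)

def demo() -> dict:
    rogue_key = b"attacker-controlled-key-constructed"
    rogue_store = json.dumps({"vendor": VENDOR_KEY.hex(), "rogue": rogue_key.hex()}).encode()
    blob = b"unauthorized-update-blob"
    rogue_sig = sign(rogue_key, blob)
    weak, hard = WeakDevice(), HardenedDevice()
    weak.apply_config("authorized_keys", rogue_store)  # accepted: nothing to check
    hard.apply_config("authorized_keys", rogue_store)  # rejected: no root signature
    return {
        "weak_accepts_rogue_update": weak.install_update(blob, "rogue", rogue_sig),
        "hardened_accepts_rogue_update": hard.install_update(blob, "rogue", rogue_sig),
    }
```

A legitimate key rotation still works on the hardened device when the new authorized-keys file carries a root-key signature; the test is simply whether the config channel can change what the update channel trusts.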

Whether you’re a consumer, merchant or POS provider, payment cards and mobile POS technologies have associated risks. Consumers have security controls, like being thoughtful about where they use cards, and must verify the results by reviewing their account statements. Merchants and POS providers must use controls like MDM and verify the results through penetration testing.
