When Souvenirs Cost More Than Pocket Change: Mobile Point-of-Sale Hazards

Mobile point-of-sale (POS) technology presents easy options to small merchants that used to accept cash only — from hot dog vendors to Girl Scouts selling cookies. Large retail chains have also deployed mobile POS to enable employees to check out customers from anywhere in the store, completely bypassing traditional lines.

Because of these advantages, mobile POS is certain to be very popular at large global sporting competitions. Mammoth events typically attract pop-up merchants hawking souvenirs, drinks or even parking spaces. If they have a smartphone, they can get an inexpensive — or even free — attachment to accept payment cards. However, these same large events may also attract thieves and con artists out to steal card numbers through malware, hardware skimming or anything else that works.

Mobile Point-of-Sale Technology Presents New Risks

A particular risk to small businesses comes from the common practice of doing business on personal phones. The business is only as safe as the riskiest behavior of its employees; any malware infection can impact the business if a compromised personal phone is used as a mobile POS.

The good news is that the technology is improving. Five years ago, every card swiped on a compromised mobile point-of-sale terminal could theoretically be retrieved by criminals. Modern card readers can encrypt the card holder’s data before it ever reaches the mobile device, significantly mitigating the risk of malware.

Of course, technical innovation is never a panacea against criminals. Innovation is only effective if it is implemented; smaller merchants may not adopt the latest and greatest technology. Similarly, while cards with chip-and-PIN technology provide excellent protection against card duplication, using them is not without risk because they don’t encrypt the card number. That is left up to the card reader, just as it is with magnetic stripes.

Consumer Risk: Understanding Liability

A successful attack will affect both the merchant and consumers, but the risks and mitigation strategies are very different for each.

In some countries, consumer liability is capped for fraudulent card transactions and may be entirely waved by the bank that issued the card. In those cases, the consumer’s risk is primarily the inconvenience of documenting fraudulent charges and waiting for a replacement card.

Of course, if you’re traveling, especially internationally, suddenly having your primary payment card canceled can be a major disruption. In other countries, consumer liability may be capped only for card-not-present transactions such as online purchases.

Some regions that have fully adopted chip-and-PIN purchasing have pushed the liability for all fraudulent PIN transactions to the consumer. In those cases, the secrecy of your PIN is paramount.

If you’re unsure about your liability, contact the bank that has issued your payment card. It should be able to explain the policy, allowing you to make an educated risk decision.

Minimizing Consumer Risk

Regardless of your personal liability, there are some steps that you can always take to minimize your risk:

  • Travel with at least two payment cards, ideally from separate banks.
  • Check with your issuing bank to see if you need to notify it about travel. Having your card frozen because you’ve never used it in Brazil might not ruin your entire traveling experience, but it sure won’t help.
  • Be thoughtful about where you use a payment card. On average, major retail chains are more likely to have good security than a small restaurant, and modern POS software is less likely to be vulnerable than legacy software. That being said, some small merchants have great security, many major retailers have been compromised and even an experienced security professional can’t assess the risk of a POS by visual inspection alone.
  • If in doubt, use cash.
  • If you’re using a cash machine, try to find one in an area with better physical security, such as a bank or hotel lobby. Cash machines in areas with minimal human presence are more likely to be tampered with.
  • Check the machine for card skimmers — grab the plastic casing around the card slot and give it a few good pulls. It should never be loose on a legitimate device. The new transparent casings (which are often green) are a good security control, but skimmers have been discovered in them too.
  • When you get home, review your card statements for anomalous activity, but don’t focus just on high-price purchases. Many criminals will first attempt a very low purchase amount to verify the accuracy of the stolen data. Spotting that early can prevent more significant fraud later.

Merchant Risk: Testing Is Key

Addressing mobile point-of-sale risk is very different for merchants. Responsible merchants and POS software providers engage security companies to manually test their solutions. That’s an important step, even for veteran development teams.

A perfect security design can easily be brought down by a simple implementation flaw. Skilled testers can simulate malicious attacks to discover both design and implementation flaws. Hopefully, this will confirm that the solution is secure. However, we have seen even major retail chains fundamentally fail at their mobile POS deployments.

On more than one occasion a merchant’s security plan has boiled down to who is handling the mobile device. That might be viable for a small business, but it can’t scale beyond a few employees. For large deployments, merchants have to assume that someone bad has gotten their hands on the tablet or phone.

That’s true for traditional POS security, but critical for mobile products. A criminal is unlikely to walk out the door with an entire cash register, but could easily put an unused tablet under his shirt, take it to the bathroom, install malware and return it in under five minutes. The staff are more likely to be relieved at having found it than suspicious about its integrity.

Mobile Device Management Can Help

A strong deployment strategy will utilize mobile device management (MDM) software to monitor device security. The MDM policy can require that the operating system is patched, that the device is not rooted or jailbroken, that only authorized software is installed and that security settings like lock passwords are properly configured. Just like any other tool, MDM isn’t perfect, but it can make a successful attack far more complicated for criminals.

Not all MDMs are created equal. We tested one solution that required that all software updates be signed by a specific encryption key — all software updates, but not all configuration updates. For example, no signature was required to update the file containing authorized keys for signing software updates. As a result, the great idea of signed software could be easily bypassed by adding an encryption key controlled by the attacker.

Whether you’re a consumer, merchant or POS provider, payment cards and mobile POS technologies have associated risks. Consumers have security controls, like being thoughtful about where they use cards, and must verify the results by reviewing their account statements. Merchants and POS providers must use controls like MDM and verify the results through penetration testing.

DOWNLOAD THE X-FORCE SPECIAL REPORT: 2016 BRAZILIAN THREAT LANDSCAPE

Charles Henderson

Global Head of IBM X-Force Red

Charles Henderson is the Global Head of IBM's X-Force Red. Throughout his career, Charles and the teams he has managed...