Light Dark
August 9, 2016 By Charles Henderson 4 min read
X-Force
Advanced Threats
Endpoint
Retail

Mobile point-of-sale (POS) technology presents easy options to small merchants that used to accept cash only — from hot dog vendors to Girl Scouts selling cookies. Large retail chains have also deployed mobile POS to enable employees to check out customers from anywhere in the store, completely bypassing traditional lines.

Because of these advantages, mobile POS is certain to be very popular at large global sporting competitions. Mammoth events typically attract pop-up merchants hawking souvenirs, drinks or even parking spaces. If they have a smartphone, they can get an inexpensive — or even free — attachment to accept payment cards. However, these same large events may also attract thieves and con artists out to steal card numbers through malware, hardware skimming or anything else that works.

Mobile Point-of-Sale Technology Presents New Risks

A particular risk to small businesses comes from the common practice of doing business on personal phones. The business is only as safe as the riskiest behavior of its employees; any malware infection can impact the business if a compromised personal phone is used as a mobile POS.

The good news is that the technology is improving. Five years ago, every card swiped on a compromised mobile point-of-sale terminal could theoretically be retrieved by criminals. Modern card readers can encrypt the card holder’s data before it ever reaches the mobile device, significantly mitigating the risk of malware.

Of course, technical innovation is never a panacea against criminals. Innovation is only effective if it is implemented; smaller merchants may not adopt the latest and greatest technology. Similarly, while cards with chip-and-PIN technology provide excellent protection against card duplication, using them is not without risk because they don’t encrypt the card number. That is left up to the card reader, just as it is with magnetic stripes.

Consumer Risk: Understanding Liability

A successful attack will affect both the merchant and consumers, but the risks and mitigation strategies are very different for each.

In some countries, consumer liability is capped for fraudulent card transactions and may be entirely waved by the bank that issued the card. In those cases, the consumer’s risk is primarily the inconvenience of documenting fraudulent charges and waiting for a replacement card.

Of course, if you’re traveling, especially internationally, suddenly having your primary payment card canceled can be a major disruption. In other countries, consumer liability may be capped only for card-not-present transactions such as online purchases.

Some regions that have fully adopted chip-and-PIN purchasing have pushed the liability for all fraudulent PIN transactions to the consumer. In those cases, the secrecy of your PIN is paramount.

If you’re unsure about your liability, contact the bank that has issued your payment card. It should be able to explain the policy, allowing you to make an educated risk decision.

Minimizing Consumer Risk

Regardless of your personal liability, there are some steps that you can always take to minimize your risk:

  • Travel with at least two payment cards, ideally from separate banks.
  • Check with your issuing bank to see if you need to notify it about travel. Having your card frozen because you’ve never used it in Brazil might not ruin your entire traveling experience, but it sure won’t help.
  • Be thoughtful about where you use a payment card. On average, major retail chains are more likely to have good security than a small restaurant, and modern POS software is less likely to be vulnerable than legacy software. That being said, some small merchants have great security, many major retailers have been compromised and even an experienced security professional can’t assess the risk of a POS by visual inspection alone.
  • If in doubt, use cash.
  • If you’re using a cash machine, try to find one in an area with better physical security, such as a bank or hotel lobby. Cash machines in areas with minimal human presence are more likely to be tampered with.
  • Check the machine for card skimmers — grab the plastic casing around the card slot and give it a few good pulls. It should never be loose on a legitimate device. The new transparent casings (which are often green) are a good security control, but skimmers have been discovered in them too.
  • When you get home, review your card statements for anomalous activity, but don’t focus just on high-price purchases. Many criminals will first attempt a very low purchase amount to verify the accuracy of the stolen data. Spotting that early can prevent more significant fraud later.

Merchant Risk: Testing Is Key

Addressing mobile point-of-sale risk is very different for merchants. Responsible merchants and POS software providers engage security companies to manually test their solutions. That’s an important step, even for veteran development teams.

A perfect security design can easily be brought down by a simple implementation flaw. Skilled testers can simulate malicious attacks to discover both design and implementation flaws. Hopefully, this will confirm that the solution is secure. However, we have seen even major retail chains fundamentally fail at their mobile POS deployments.

On more than one occasion a merchant’s security plan has boiled down to who is handling the mobile device. That might be viable for a small business, but it can’t scale beyond a few employees. For large deployments, merchants have to assume that someone bad has gotten their hands on the tablet or phone.

That’s true for traditional POS security, but critical for mobile products. A criminal is unlikely to walk out the door with an entire cash register, but could easily put an unused tablet under his shirt, take it to the bathroom, install malware and return it in under five minutes. The staff are more likely to be relieved at having found it than suspicious about its integrity.

Mobile Device Management Can Help

A strong deployment strategy will utilize mobile device management (MDM) software to monitor device security. The MDM policy can require that the operating system is patched, that the device is not rooted or jailbroken, that only authorized software is installed and that security settings like lock passwords are properly configured. Just like any other tool, MDM isn’t perfect, but it can make a successful attack far more complicated for criminals.

Not all MDMs are created equal. We tested one solution that required that all software updates be signed by a specific encryption key — all software updates, but not all configuration updates. For example, no signature was required to update the file containing authorized keys for signing software updates. As a result, the great idea of signed software could be easily bypassed by adding an encryption key controlled by the attacker.

Whether you’re a consumer, merchant or POS provider, payment cards and mobile POS technologies have associated risks. Consumers have security controls, like being thoughtful about where they use cards, and must verify the results by reviewing their account statements. Merchants and POS providers must use controls like MDM and verify the results through penetration testing.

DOWNLOAD THE X-FORCE SPECIAL REPORT: 2016 BRAZILIAN THREAT LANDSCAPE

 |  |  |  | 
Charles Henderson
Global Managing Partner and Head of X-Force

More from X-Force
April 9, 2024

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

March 11, 2024

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

March 6, 2024

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature