Light Dark
August 9, 2016 By Charles Henderson 4 min read
X-Force
Advanced Threats
Endpoint
Retail

Mobile point-of-sale (POS) technology presents easy options to small merchants that used to accept cash only — from hot dog vendors to Girl Scouts selling cookies. Large retail chains have also deployed mobile POS to enable employees to check out customers from anywhere in the store, completely bypassing traditional lines.

Because of these advantages, mobile POS is certain to be very popular at large global sporting competitions. Mammoth events typically attract pop-up merchants hawking souvenirs, drinks or even parking spaces. If they have a smartphone, they can get an inexpensive — or even free — attachment to accept payment cards. However, these same large events may also attract thieves and con artists out to steal card numbers through malware, hardware skimming or anything else that works.

Mobile Point-of-Sale Technology Presents New Risks

A particular risk to small businesses comes from the common practice of doing business on personal phones. The business is only as safe as the riskiest behavior of its employees; any malware infection can impact the business if a compromised personal phone is used as a mobile POS.

The good news is that the technology is improving. Five years ago, every card swiped on a compromised mobile point-of-sale terminal could theoretically be retrieved by criminals. Modern card readers can encrypt the card holder’s data before it ever reaches the mobile device, significantly mitigating the risk of malware.

Of course, technical innovation is never a panacea against criminals. Innovation is only effective if it is implemented; smaller merchants may not adopt the latest and greatest technology. Similarly, while cards with chip-and-PIN technology provide excellent protection against card duplication, using them is not without risk because they don’t encrypt the card number. That is left up to the card reader, just as it is with magnetic stripes.

Consumer Risk: Understanding Liability

A successful attack will affect both the merchant and consumers, but the risks and mitigation strategies are very different for each.

In some countries, consumer liability is capped for fraudulent card transactions and may be entirely waved by the bank that issued the card. In those cases, the consumer’s risk is primarily the inconvenience of documenting fraudulent charges and waiting for a replacement card.

Of course, if you’re traveling, especially internationally, suddenly having your primary payment card canceled can be a major disruption. In other countries, consumer liability may be capped only for card-not-present transactions such as online purchases.

Some regions that have fully adopted chip-and-PIN purchasing have pushed the liability for all fraudulent PIN transactions to the consumer. In those cases, the secrecy of your PIN is paramount.

If you’re unsure about your liability, contact the bank that has issued your payment card. It should be able to explain the policy, allowing you to make an educated risk decision.

Minimizing Consumer Risk

Regardless of your personal liability, there are some steps that you can always take to minimize your risk:

  • Travel with at least two payment cards, ideally from separate banks.
  • Check with your issuing bank to see if you need to notify it about travel. Having your card frozen because you’ve never used it in Brazil might not ruin your entire traveling experience, but it sure won’t help.
  • Be thoughtful about where you use a payment card. On average, major retail chains are more likely to have good security than a small restaurant, and modern POS software is less likely to be vulnerable than legacy software. That being said, some small merchants have great security, many major retailers have been compromised and even an experienced security professional can’t assess the risk of a POS by visual inspection alone.
  • If in doubt, use cash.
  • If you’re using a cash machine, try to find one in an area with better physical security, such as a bank or hotel lobby. Cash machines in areas with minimal human presence are more likely to be tampered with.
  • Check the machine for card skimmers — grab the plastic casing around the card slot and give it a few good pulls. It should never be loose on a legitimate device. The new transparent casings (which are often green) are a good security control, but skimmers have been discovered in them too.
  • When you get home, review your card statements for anomalous activity, but don’t focus just on high-price purchases. Many criminals will first attempt a very low purchase amount to verify the accuracy of the stolen data. Spotting that early can prevent more significant fraud later.

Merchant Risk: Testing Is Key

Addressing mobile point-of-sale risk is very different for merchants. Responsible merchants and POS software providers engage security companies to manually test their solutions. That’s an important step, even for veteran development teams.

A perfect security design can easily be brought down by a simple implementation flaw. Skilled testers can simulate malicious attacks to discover both design and implementation flaws. Hopefully, this will confirm that the solution is secure. However, we have seen even major retail chains fundamentally fail at their mobile POS deployments.

On more than one occasion a merchant’s security plan has boiled down to who is handling the mobile device. That might be viable for a small business, but it can’t scale beyond a few employees. For large deployments, merchants have to assume that someone bad has gotten their hands on the tablet or phone.

That’s true for traditional POS security, but critical for mobile products. A criminal is unlikely to walk out the door with an entire cash register, but could easily put an unused tablet under his shirt, take it to the bathroom, install malware and return it in under five minutes. The staff are more likely to be relieved at having found it than suspicious about its integrity.

Mobile Device Management Can Help

A strong deployment strategy will utilize mobile device management (MDM) software to monitor device security. The MDM policy can require that the operating system is patched, that the device is not rooted or jailbroken, that only authorized software is installed and that security settings like lock passwords are properly configured. Just like any other tool, MDM isn’t perfect, but it can make a successful attack far more complicated for criminals.

Not all MDMs are created equal. We tested one solution that required that all software updates be signed by a specific encryption key — all software updates, but not all configuration updates. For example, no signature was required to update the file containing authorized keys for signing software updates. As a result, the great idea of signed software could be easily bypassed by adding an encryption key controlled by the attacker.

Whether you’re a consumer, merchant or POS provider, payment cards and mobile POS technologies have associated risks. Consumers have security controls, like being thoughtful about where they use cards, and must verify the results by reviewing their account statements. Merchants and POS providers must use controls like MDM and verify the results through penetration testing.

DOWNLOAD THE X-FORCE SPECIAL REPORT: 2016 BRAZILIAN THREAT LANDSCAPE

 |  |  |  | 
Charles Henderson
Global Managing Partner and Head of X-Force

More from X-Force
July 26, 2024

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

June 13, 2024

Q&A with Valentina Palmiotti, aka chompie

4 min read - The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now.This milestone was reached at Pwn2Own 2024 in Vancouver, where two women, Valentina Palmiotti and Emma Kirkpatrick, each secured full wins by exploiting kernel vulnerabilities in Microsoft Windows 11. Prior to this year, only Amy Burnett and Alisa Esage had competed in the contest's 17-year history, with Esage achieving a partial win in…

June 6, 2024

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature