Not So Surprisingly, Those Mobile Payment Systems Aren’t Always Trustworthy

We’ve all used them in the last few years. While paying for lunch in a small restaurant, buying something in an independently-operated business, or paying for a service, instead of being met with a standard card reader to swipe our card, we’re met with a card reader that’s connected to a smartphone or tablet that swipes our card and asks us to sign for our purchase on the screen with either a stylus or our finger.

You probably won’t be that surprised to find out that mobile payment systems aren’t always trustworthy.

Probe of Mobile Payment Systems

Positive Technologies conducted a nine-month probe led by Leigh-Anne Galloway and Tim Yunusov. They started by just looking at two card readers, but it soon grew to a study of seven card readers from Square, SumUp, iZettle, and PayPal. They examined their use in both the U.S. and Europe.

To be clear, not every mobile payment system was vulnerable to an attack, and the severity of the flaws that were discovered varied from card reader to card reader.

The two researchers reported that, after a card was swiped through five of the readers, it was possible to make the customer spend more money than they were expecting to.

A seller or some other nearby nefarious individual could eavesdrop on the Bluetooth connection between the card reader and its mobile terminal, then change the dollar amount so that the amount paid is actually higher than the amount that was shown.

And on two of the readers, the researchers found that the reader could be sent commands through software to change what was displayed on the screen. A less secure method of payment could be requested, or it could even display “payment declined” so that the buyer runs their card one or more times, adding to that final amount paid.

There were also two readers, devices built for Square and PayPal, that were seen as vulnerable to having the code changed to allow someone to get into the device’s file system and intercept the confidential data from credit cards before it’s encrypted.

The possibility of fraud varied between vendors, which Galloway chalked up to a lack of maturity in mobile payment technology. “If a product costs less than $100, it’s not going to have some level of [security] development,” she said, noting some vendors only use the minimum requirements.

Square, however, uses a more mature technology. It has used a bug bounty program for the past four years that helped it develop a better anti-fraud system. It can detect if a mobile phone it’s being used with has been compromised.

Future of Mobile Payment Systems

All of the bugs listed here were also reported to the card reader manufacturers and app developers. They’re in the process of patching these bugs, and some have reported they have already fixed the bugs.

That’s really not good enough, though. This is our money we are talking about. These devices have been in play for a few years now, and they are now being widely used. Yet they weren’t secure when they were first put to use. It’s hard to believe them when they acknowledge there were problems but they’re now fixed.

How will this news change how you interact with mobile payment systems? Will you avoid them at all costs? If you get ready to pay for something and realize they have a card reader, will you turn and walk out the door? Or will you keep using them, hoping that the bugs have been fixed? Let us know how you plan to manage use of mobile payment systems in the comments section below.

Laura Tucker
