"These days it's hard to find a business that doesn't accept faster payments. Mobile Point of Sales (mPOS) terminals have propelled this growth lowering the barriers for small and micro-sized businesses to accept non-cash payments. Older payment technologies like mag-stripe still account for the largest majority of all in-person transactions. This is complicated further by the introduction of new payment standards such as NFC. As with each new iteration in payment technology, inevitably weaknesses are introduced into this increasingly complex payment eco-system. In this talk, we ask, what are the security and fraud implications of removing the economic barriers to accepting card payments; and what are the risks associated with continued reliance on old card standards like mag-stripe? In the past, testing for payment attack vectors has been limited to the scope of individual projects and to those that have permanent access to POS and payment infrastructure. Not anymore! In what we believe to be the most comprehensive research conducted in this area, we consider four of the major mPOS providers spread across the US and Europe; Square, SumUp, iZettle and Paypal. We provide live demonstrations of new vulnerabilities that allow you to MitM transactions, send arbitrary code via Bluetooth and mobile application, modify payment values for mag-stripe transactions, and a vulnerability in firmware; DoS to RCE. Using this sampled geographic approach, we are able to show the current attack surface of mPOS and, to predict how this will evolve over the coming years. For audience members that are interested in integrating testing practices into their organization or research practices, we will show you how to use mPOS to identify weaknesses in payment technologies, and how to remain undetected in spite of anti-fraud and security mechanisms."

1. FOR THE LOVE OF MONEY
Finding and exploiting vulnerabilities in mobile point of sales
systems
LEIGH-ANNE GALLOWAY & TIM YUNUSOV

2. MPOS GROWTH
2010
Single vendor
2018
Four leading vendors
shipping thousands of units per day
Motivations

3. Motivations

4. MWR Labs “Mission mPOSsible” 2014
Related Work

5. Mellen, Moore and Losev “Mobile Point of Scam: Attacking the Square Reader” (2015)
Related Work

6. Research Scope

7. Research Scope

8. PAY PA L S Q U A R E I Z E T T L E
S U M U P
Research Scope

9. “How much security can really be embedded
in a device that is free?”
Research Scope

10. PHONE/SERVER
HARDWARE
DEVICE/PHONE
MOBILE APP
SECONDARY FACTORS
Research Scope

11. MERCHANT ACQUIRER CARD BRANDS ISSUER
Background

12. MPOS
PROVIDER
ACQUIRER CARD BRANDS ISSUERMERCHANT
MERCHANT
Background

13. CARD RISK BY OPERATION TYPE
Chip & PIN
Chip & Signature
Contactless
Swiped
PAN Key Entry
Background

14. EMV enabled POS devices make up between 90-95%
of POS population
E U E M V AC C E P TA N C E
EMV enabled POS devices make up 13% of POS
population and 9% of the ATM population
90%
13%
U S E M V AC C E P TA N C E
GLOBAL ADOPTION OF EMV - POS TERMINALS
Background

15. 96% of credit cards in circulation support EMV as a
protocol
E M V C R E D I T C AR D AD O P T I O N
However less than half of all transactions are made by
chip
E M V C R E D I T C AR D U S AG E
96%
41%
Background

16. 79% of debit cards in circulation support EMV as a
protocol
E M V D E B I T C AR D AD O P T I O N
However less than half of all transactions are made
using chip
E M V D E B I T C AR D U S AG E
79%
23%
Background

17. 46%
52
MILLIO
N
PERCENTAGE OF TRANSACTIONS
MILLIONS OF NUMBER OF UNITS
MPOS TIMELINE 2019
Background
46%
52

18. SCHEMATIC OVERVIEW OF COMPONENTS
Background

19. FINDINGS
SENDING ARBITRARY COMMANDS
AMOUNT MODIFICATION
REMOTE CODE EXECUTION
HARDWARE OBSERVATIONS
SECONDARY FACTORS
Methods & Tools

20. BLUETOOTH
Methods & Tools

21. Host Controller Interface (HCI)
SOFTWARE
BT PROFILES, GATT/ATT
L2CAP
LINK MANAGER PROTOCOL (LMP)
BASEBAND
BLUETOOTH RADIO
HOSTCONTROLLER
BLUETOOTH PROTOCOL
Methods & Tools

22. GATT (Generic Attribute)
/ATT(Attribute Protocol)
RFCOMM
Service
UUID
Characteristic
UUID
Value
Methods & Tools

23. BLUETOOTH AS A COMMUNICATION CHANNEL
NAP UAP LAP
68:AA D2 0D:CC:3E
Org Unique Identifier Unique to device
Methods & Tools

24. BLUETOOTH ATTACK VECTORS
SLAVE
MASTER
1.
2.
Eavesdropping/MITM
Manipulating characteristics
Methods & Tools

25. $120$20,000
Frontline BPA 600 Ubertooth One
Methods & Tools

26. Methods & Tools

27. SENDING ARBITRARY
COMMANDS
Findings

28. • Initiate a function
• Display text
• Turn off or on
MANIPULATING CHARACTERISTICS
User authentication doesn’t exist in the Bluetooth protocol,
it must be added by the developer at the application layer
Findings

29. 1. 2. 3.
Findings

30. Findings

31. Findings

32. LEADING PART MESSAGE TRAILING
PART
CRC END
02001d06010b000000
010013
506c656173652072656d6f76652063
617264
00ff08 3c62 03
“Please remove card”
Findings

33. 1. Force cardholder to use a more
vulnerable payment method such as
mag-stripe
2. Once the first payment is complete,
display “Payment declined”, force
cardholder to authorise additional
transaction.
ATTACK VECTORS
Findings

35. Findings
Data: 0d0501000017010300000c00496e736572742f73776970652063617264440d0a

36. LEADING PART MESSAGE CRC
0d0501000017 010300000c00496e736572742f737769706520636172
64
44
“Insert/swipe card”
Findings

38. AMOUNT TAMPERING
Findings

39. HOW TO GET ACCESS TO
TRANSACTIONS AND COMMANDS
HTTPS
DEVELOPER BLUETOOTH LOGS
RE OF APK ENABLE DEBUG
BLUETOOTH SNIFFER
Findings

40. HOW TO GET ACCESS TO COMMANDS
1. 0x02ee = 7.50 USD 0x64cb = checksum
2. 0100 = 1.00 USD 0x8a = checksum
Findings

41. MODIFYING PAYMENT AMOUNT
1. Modified payment value
2. Original (lower) amount
displayed on card reader
for the customer
3. Card statement showing
higher authorised
transaction amount
1
2
3
Findings

43. MODIFYING PAYMENT AMOUNT
TYPE OF
PAYMENT
AMOUNT
TAMPERING
SECURITY
MECHANISMS
MAG-STRIPE TRACK2 ----
CONTACTLESS POSSIBLE AMOUNT CAN BE
STORED IN
CRYPTOGRAM
CHIP AND PIN ----- AMOUNT IS STORED
IN CRYPTOGRAM
LIMIT PER TRANSACTION: 50,000 USD
Findings

44. ATTACK
Service Provider
$1.00
payment
$1.00
payment
50,000 payment
Customer Fraudulent merchant
Findings

45. MITIGATION ACTIONS FOR SERVICE
PROVIDERS
REQUEST SOLUTION FROM VENDOR
CONTROL YOUR ECOSYSTEM
NO MAG-STRIPE
Findings

46. REMOTE CODE
EXECUTION
Findings

47. RCE = 1 REVERSE ENGINEER + 1 FIRMWARE
@ivachyou
Findings

48. HOW FIRMWARE ARRIVES ON THE READER
https://frw.******.com/_prod_app_1_0_1_5.bin
https://frw.******.com/_prod_app_1_0_1_5.sig
https://frw.******.com/_prod_app_1_0_1_4.bin
https://frw.******.com/_prod_app_1_0_1_4.sig
Header - RSA-2048 signature (0x00 - 0x100)
Body - AES-ECB encrypted
Findings

49. https://www.paypalobjects.com/webstatic/mobile/pph/sw_repo_app/u
s/miura/m010/prod/7/M000-MPI-V1-41.tar.gz
https://www.paypalobjects.com/webstatic/mobile/pph/sw_repo_app/u
s/miura/m010/prod/7/M000-MPI-V1-39.tar.gz
HOW FIRMWARE ARRIVES ON THE READER
Findings

50. HOW FIRMWARE ARRIVES ON THE READER
Findings

51. RCE
HOW FIRMWARE ARRIVES ON THE READER
Findings

52. INFECTED MPOS
PAYMENT ATTACKS
COLLECT TRACK 2/PIN
PAYMENT RESEARCH
Findings

53. DEVICE PERSISTENCE
GAME OVER
REBOOT
Findings

54. ATTACK
Service ProviderReader UPDATES
RCE
Device with
Bluetooth
Fraudulent customer
Merchant
Findings

55. MITIGATIONS
NO VULNERABLE OR OUT-OF-DATE
FIRMWARE
NO DOWNGRADES
PREVENTATIVE MONITORING
Findings

56. Findings

57. HARDWARE OBSERVATIONS
Findings

58. SECONDARY FACTORS
ENROLMENT PROCESS
ON BOARDING CHECKS VS TRANSACTION MONITORING
DIFFERENCES IN GEO – MSD, OFFLINE PROCESSING
WHAT SHOULD BE CONSIDERED AN ACCEPTED RISK?
:(
:0
ACCESS TO HCI LOGS/APP, LOCATION SPOOFING
Findings

59. Reader
Cost reader/Fee
per transaction
Enrollment process
Antifraud +
Security checks
Physical security FW RE Mobile Ecosystem Arbitrary commands Red teaming Amount tampering
Square [EU] $51
1.75-2.5%
Low - no anti
money laundering
checks but some
ID checks
Strict – active
monitoring of
transactions
N/A - strict - - -
Square [USA]
Strict – correlation
of “bad” readers,
phones and acc
info
N/A - medium (dev) - + -
$50
2.5-2.75%
Free
2.5-2.75%
Square mag-stripe
[EU + USA]
Strict (see above) Low - low - + + [no display]
Square miura
[USA]
Strict (see above) N/A + N/A + [via RCE] + + (via RCE)$130
2.5-2.75%
PayPal miura
$60
1-2.75%
High - anti-money
laundering checks
+ credit check (to
take out credit
agreement)
Strict – transaction
monitoring
N/A + low + [via RCE] + + (via RCE)
SumUp
$40
1.69%
Medium - low + + +
iZettle datecs
$40
1.75%
Medium - ant-
money laundering
check + ID checks
Low – limited
monitoring, on
finding suspect
activity block
withdrawal - acc
otherwise active
High - low + - +
Conclusions

60. PAYMENT
PROVIDER
1. Carry out an assessment of reader to gather preliminary data + info from cards.
2. Use data to carry out normal transactions to obtain baseline.
3. Use info obtained during this process to identify potential weaknesses and
vulnerabilities.
4. Carry out “modified” transactions
MPOS FOR RED TEAMING
Conclusions

61. :0
ASSESSING RISK - WHAT DOES THIS MEAN FOR YOUR BUSINESS?
:(
:|
Conclusions

62. Conclusions

63. CONCLUSIONS
RECOMMENDATIONS FOR MPOS MANUFACTURERS
Control firmware versions, encrypt & sign
firmware
Use Bluetooth pairing mode that provides
visual confirmation of reader/phone pairing
such as pass key entry
Integrate security testing into the
development process
Implement user authentication and input
sanitisation at the application level
Conclusions

64. CONCLUSIONS
Protect deprecated protocols such as mag-
stripe
Use preventive monitoring as a best practice
Don’t allow use of vulnerable or out-of-date
firmware, prohibit downgrades
RECOMMENDATIONS FOR MPOS VENDORS
Place more emphasis on enrolment checks
Protect the mobile ecosystem
Implement user authentication and input
sanitization at application level
Conclusions

65. CONCLUSIONS
Control physical access to devices
Do not use mag-stripe transactions
RECOMMENDATIONS FOR MPOS MERCHANTS
Assess the mPOS ecosystem
Choose a vendor who places emphasis on
protecting whole ecosystem
Conclusions

66. THANKS
Hardware and firmware:
Artem Ivachev
Leigh-Anne Galloway
@L_AGalloway
Tim Yunusov
@a66at
Hardware observations:
Alexey Stennikov
Maxim Goryachy
Mark Carney