Is Your Money Safe When You Swipe?

How safe are mobile point-of-sale systems? Every day pay for coffee at a local café using the latest credit card processor; could that action lead to theft or fraudulent charges?

There are several potential flaws that put digital payment systems at risk of cyber-attacks. These vulnerabilities allow unscrupulous merchants to raid customer accounts and steal credit card data. Or, hackers can easily get into the systems of unknowing retailers, gaining access to all their customer’s data.

Before payment systems went mobile, retailers were at risk of traditional attacks to their point-of-sale (POS) systems. For example, Target faced a major cyber breach during the holiday season in 2013 that affected 40 million payment cards. Now, mobile POS systems are being targeted by cybercriminals, especially as the market for these systems is expected to reach $55 billion by 2024. These systems allow customers to make purchases and now cryptocurrency payments on-the-go. Square, SumUp, PayPal and other systems are at risk of being hacked without detection from conventional anti-fraud tools.

An attack can occur in three ways. A customer purchases an item from a story using a mobile POS machine. The criminal will then send an arbitrary command to the machine’s system in hopes of getting the cardholder to be forced to rerun the transaction again, this time through a less secure channel. Or a hacker could tamper with the sale amount to pocket some of the money. Thirdly, a remote code execution allows hackers to remotely access the mobile POS machine’s memory, allowing the hacker to steal cardholders’ account information.

While mobile POS systems provide many benefits to merchants, there are major risks for consumers. Most of these systems don’t utilize EMV chip technology that enhances a user’s security, instead of using a traditional magnetic strip. Currently, 13 percent of US-based mobile-POS machines utilize chip technology. EMV technology has become the gold standard in storing and protecting cardholder data.

The vulnerabilities in mobile-POS machines, often used by small to medium-sized businesses, put customers at great risk of identity theft, fraudulent charges and stolen personal data.