Researchers have discovered a number of vulnerabilities in mPOS (mobile point-of-sale) devices from Square, PayPal, SumUp, and iZettle. The vulnerabilities reside in the endpoint payment systems and allow attackers to conduct man-in-the-middle attacks, transfer arbitrary code via Bluetooth and the mobile applications, eavesdrop on transaction traffic, and interfere with payment values for magstripe transactions. These attacks are made possible by how the mPOS devices work: because the card readers communicate with the mobile apps over Bluetooth, attackers can intercept transactions, manipulate values, gain access to transaction traffic, and execute code remotely on compromised systems. According to the researchers, “through this security flaw, hackers can gain access to the full operating system of a card reader, as well as tamper with how a purchase looks — potentially allowing malicious merchants to change the values or make it appear that a transaction has been declined.” The vulnerabilities have been disclosed to the affected vendors.
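The core weakness described above is an unauthenticated link between the card reader and the phone app: whoever can sit on that Bluetooth channel can rewrite the amount field. The following is an added illustration, not code from the research or from any of the named vendors, and the message layout, field names and pairing-time key are all assumptions made for the example. It shows a toy reader-to-app "amount" frame being altered in transit when it carries no integrity protection, and the same alteration (or a replayed old frame) being rejected once the frame carries an HMAC tag over its fields and a monotonic transaction counter.

```python
"""
Added example: detecting in-transit tampering of a reader-to-app amount
message with a keyed MAC.  Everything here (frame layout, field names,
how the key is provisioned) is a hypothetical construction for the
illustration and does not describe any real mPOS protocol.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Hypothetical frame layout, big-endian:
#   1 byte  message type
#   8 bytes amount in minor units (e.g. cents)
#   4 bytes transaction counter (monotonic, used to reject replays)
MSG_AMOUNT = 0x01
HEADER = struct.Struct(">BQI")
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def build_plain(amount_cents: int, counter: int) -> bytes:
    """An unauthenticated frame, as an unprotected link might carry it."""
    return HEADER.pack(MSG_AMOUNT, amount_cents, counter)


def parse_plain(frame: bytes) -> dict:
    """Parse the header fields without any integrity check."""
    msg_type, amount, counter = HEADER.unpack(frame[:HEADER.size])
    return {"type": msg_type, "amount_cents": amount, "counter": counter}


def build_authenticated(key: bytes, amount_cents: int, counter: int) -> bytes:
    """Same frame, followed by an HMAC-SHA256 tag computed over all fields."""
    body = build_plain(amount_cents, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_authenticated(key: bytes, frame: bytes, last_counter: int) -> Optional[dict]:
    """Return the parsed fields only if the tag matches and the counter advanced.

    Any change to the amount invalidates the tag; a replayed frame fails the
    counter check even though its tag is genuine.
    """
    if len(frame) != HEADER.size + TAG_LEN:
        return None
    body, tag = frame[:HEADER.size], frame[HEADER.size:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    fields = parse_plain(body)
    if fields["counter"] <= last_counter:
        return None  # replay or out-of-order frame
    return fields


def rewrite_amount(frame: bytes, new_amount_cents: int) -> bytes:
    """Simulates an intermediary overwriting the amount field and forwarding
    the rest of the frame unchanged (constructed for the demonstration)."""
    msg_type, _, counter = HEADER.unpack(frame[:HEADER.size])
    return HEADER.pack(msg_type, new_amount_cents, counter) + frame[HEADER.size:]


def demo(key: Optional[bytes] = None) -> dict:
    """Run both scenarios and report what the receiving side accepts."""
    key = key or secrets.token_bytes(32)  # assumed to be agreed at pairing time
    original, altered = 12_99, 1

    # 1) Unprotected link: the altered amount is parsed as if it were genuine.
    plain = build_plain(original, counter=1)
    seen_plain = parse_plain(rewrite_amount(plain, altered))["amount_cents"]

    # 2) Authenticated link: genuine frame accepted, altered and replayed frames rejected.
    auth = build_authenticated(key, original, counter=1)
    accepted = verify_authenticated(key, auth, last_counter=0)
    tampered = verify_authenticated(key, rewrite_amount(auth, altered), last_counter=0)
    replayed = verify_authenticated(key, auth, last_counter=1)

    return {
        "plain_link_amount_seen": seen_plain,           # 1 (the altered value)
        "auth_link_amount_seen": accepted["amount_cents"] if accepted else None,  # 1299
        "auth_link_tampered_accepted": tampered is not None,  # False
        "auth_link_replay_accepted": replayed is not None,    # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the example is the contrast in the two scenarios: integrity of the amount has to be bound to a secret the intermediary does not hold, and the counter is what stops a captured genuine frame from being presented again. Encrypting the link on its own would hide the value but not prevent a bit-flip or substitution, which is why an authentication tag (or an AEAD cipher that provides one) is the relevant control here.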