Malware-infected mobile devices could compromise mobile POS systems, researchers warn


LAS VEGAS--Mobile devices infected with malware could compromise mobile point-of-sale (POS) terminals, warned researchers with MWR InfoSecurity.

"It might be possible that by compromising the mobile device you are also able then to compromise the payment terminal from the device," explained Jon Butler, who is in charge of MWR InfoSecurity's U.K. research.

"Mobile malware installed on a mobile device could look for a paired payment terminal. If it found one, it could initiate this compromise and create a network of terminals that could capture data input into them," Butler explained.

The researchers examined chip-and-PIN card mPOS terminals that are paired with mobile devices. These terminals are used widely by small businesses, such as a local grocery store, and also by large companies like Apple.

The researchers focused on chip-and-PIN card payment terminals in the U.K. Chip-and-PIN credit cards, also known as EMV cards, use a computer chip along with a PIN to conduct transactions, unlike in the U.S. market where credit cards use magnetic stripes and signatures.

The researchers discovered that 75 percent of the mobile chip-and-PIN card payment terminals were made by the same manufacturer, used the same basic hardware components and ran the same software.

After conducting research into the terminal's vulnerabilities, the researchers found that "in every case of a point of ingress to the terminal, there was some kind of vulnerability, varying in severity. The outcome was that we were able to gain control over the device completely," Butler said.
