With consumers forming snaking, long lines in stores before the holidays, businesses are adding more and more mobile terminals so their customers can buy directly from salespeople on the floor.
This may speed up the lines – but it may also mean more chances for hackers to steal credit card numbers, says Mike Park, a managing consultant for SpiderLabs at Trustwave Holdings Inc.
What he’s found is that retailers’ mobile point of sales (POS) terminals may be convenient, but they’re also badly set up, with many of them processing unencrypted transactions. Park regularly performs mobile penetration tests for clients in the retail industry, and he soon showed some of them that he was able to grab the credit card numbers of hundreds of customers in about 20 minutes.
“Their main job is being a retailer. They’re not an IT shop, and what they want to do is solve the problem is that we’ve got two cashes, and 10 people on the floor, and we’ve got a huge lineup at the cash. They say, how do we get people in and out of the store faster and make more money, so hey, let’s have a mobile POS,” Park says.
Right now, many of these retailers are using iPads and other Apple devices as their mobile POS terminals because they’re trendy, and also because they seem to feel Apple’s ecosystem is more secure.
But with one of his clients, Park took a mobile POS device, hooked the function that was supposed to encrypt credit cards, since that’s where credit card numbers come in while they’re unencrypted. Then he stole the credit card data and allowed the encrypt function to run. That makes it very difficult for a user to know there’s any difference to his or her transaction.
And while this isn’t something a script kiddie could do, Park says, it’s definitely a possibility for a hacker who knows how to reverse engineer Apple iOS.
“The attack that we envisioned was when an attacker gets physical access to one of these devices by stealing it, or by coercing or convincing an insider to swap a device out for a short period of time,” he says. “[For a] jailbreak, you’re looking at 10 to 15 minutes tops to get all the software you want on there, and then hide the fact that it’s jailbroken, which is very easy to do. And then you’d install your custom malware.”
The problem is two-fold, Park says. It usually starts with poor decisions and assumptions. For example, some large retailers will buy POS devices out of the box, but they don’t bother to ensure they’re encrypting transactions or that the devices themselves are kept secure.
The other piece of the problem is that developers working for these retailers might be familiar with coding for business applications, but aren’t as knowledgeable about securing customized software on mobile devices.
And while regulators at the PCI Security Standards Council have given directions on how businesses should process mobile payments, they haven’t set up any specific rules on how businesses should set up mobile POS device applications, according to Trustwave compliance experts.
“You’ve got a situation where large retailers want to get the stuff out fast, they turn around and ask their developers to develop it, but then they make some poor choices and assumptions in the beginning, during the design and architecture phase, that sort of cascade down into poor choices and design later,” Park says, recalling seeing one client who didn’t bother to encrypt transactions at the head, even though the card reader they bought was fully capable of doing so.
“So it’s a little bit of management, a little bit of coding … And with mobile and iOS, it’s a relatively new technology. Developers and users think it’s magic.”
These poor choices can be costly later on. After all, if there is a breach, neither the customers nor the banks are responsible – that falls on the business that processed the transaction.
Still, it’s not just retailers who need to be concerned – a lot of small to mid-sized businesses (SMBs), like restaurants, are also starting to bring mobile POS terminals into their environments.
Ironically enough, however, smaller businesses tend to have less problems than bigger ones, he Park says, because they tend to get a full mobile POS solution from a vendor that has done its own testing and uses its own software. Bigger companies are the ones who need to customize their software to fit into the rest of their environments.
However, if these devices use a PIN pad, or rely on chip and pin, they’re most likely fairly safe, Park says. He’s most wary of iOS-based POS devices that allow users to punch in their credit card information through the user interface, rather than through a PIN pad.
The best advice is to be vigilant, Park says. SMBs looking to install mobile POS terminals need to ensure the company providing them with the terminal does a lot of testing – and that everything stays encrypted.
