For the Love of Money - Finding and Exploiting Vulnerabilities in Mobile Point of Sales Systems

Explore vulnerabilities in mobile point of sales systems through a comprehensive conference talk delivered at 44CON 2018. Dive into the security implications of lowering economic barriers for accepting card payments and the risks associated with relying on older card standards like mag-stripe. Witness live demonstrations of new vulnerabilities affecting major mPOS providers, including Square, SumUp, iZettle, and PayPal. Learn about man-in-the-middle attacks, sending arbitrary code via Bluetooth and mobile applications, modifying payment values for mag-stripe transactions, and firmware vulnerabilities leading to denial of service and remote code execution. Discover how to conduct attacks using simple, low-cost hardware and automate the process of sending pre-generated messages to mPOS devices during transactions. Gain insights into integrating testing practices into organizations and research, identifying weaknesses in payment technologies, and evading detection despite anti-fraud and security mechanisms.

Intro
Point of Sale terminals
Bar in 44CON
Mobile pointofsale terminals
Previous research
Project overview
Security assessment
How payments work
Payment aggregators
Payment methods
EMV adoption
Schematic overview
Findings
Bluetooth
Bluetooth Protocol
Bluetooth Classic
Bluetooth Device Address
Bluetooth Attack Vectors
Maninthemiddle attacks
Enhanced data rates
Sending arbitrary commands
Prerequisites
Wireshark
In practice
In detail
What is fuzzing
The ESP32
Output
Sending
External Devices
Demo
Mac Stripe
Recommendations
Mobile POS
Reverse Engineering
Updating Process
Open Account
Un unencrypted firmware
Remote code execution
Why its important to have full access
Two potential problems
Scenario
Hardware Protection
Secondary Factors
Assessing risk
Conclusions
Vendors
Merchants