Abstract
The increasing prevalence of Card Present (CP) transactions has driven the growth of mobile Point-of-Sale (mPoS) terminals. These compact, wireless, and low-cost terminals allow merchants to process transactions conveniently using a mobile phone. In this paper, we analyze the security implications of mPoS terminals, focusing on the merchant's mobile phone as a key component of the mPoS ecosystem. Our examination covers the security of the mobile phone's communication with the mPoS terminal and with the payment provider server, as well as the security risks in the mobile phone application itself. We perform an eavesdropping attack to reveal the cryptographic keys used in the BLE (Bluetooth Low Energy) communication between the mPoS terminal and the merchant phone, execute a man-in-the-middle (MITM) attack to tamper with the mPoS terminal messages transmitted between the mPoS terminal and the payment provider server, and reverse engineer the mobile phone application to disable the security features that are controlled by the mobile phone.
Acknowledgements
The third author is supported by the Royal Society (ICA\R1\180226) and EPSRC (EP/T014784/1).
A Appendix
(See Table 3).
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Mehr Nezhad, M., Laidlaw, E., Hao, F. (2023). Security Analysis of Mobile Point-of-Sale Terminals. In: Li, S., Manulis, M., Miyaji, A. (eds) Network and System Security. NSS 2023. Lecture Notes in Computer Science, vol 13983. Springer, Cham. https://doi.org/10.1007/978-3-031-39828-5_20
DOI: https://doi.org/10.1007/978-3-031-39828-5_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-39827-8
Online ISBN: 978-3-031-39828-5
eBook Packages: Computer Science (R0)