Security Analysis of Mobile Point-of-Sale Terminals

Conference paper, Network and System Security (NSS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13983)

Abstract

The increasing prevalence of Card Present (CP) transactions has driven the growth of mobile Point-of-Sale (mPoS) terminals. These compact, wireless, low-cost terminals allow merchants to process transactions conveniently by using a mobile phone. In this paper, we analyze the security implications of mPoS terminals, focusing on the merchant's mobile phone as a key component of the mPoS ecosystem. Our examination covers the security of the mobile phone's communication with the mPoS terminal and with the payment provider's server, as well as the security risks in the mobile phone application itself. We perform an eavesdropping attack to reveal the cryptographic keys used in the Bluetooth Low Energy (BLE) communication between the mPoS terminal and the merchant phone, execute a man-in-the-middle (MITM) attack to tamper with the mPoS terminal messages transmitted between the mPoS terminal and the payment provider's server, and reverse engineer the mobile phone application to disable the security features that are controlled by the mobile phone.


Acknowledgements

The third author is supported by the Royal Society (ICA\R1\180226) and EPSRC (EP/T014784/1).

Author information

Corresponding author: Mahshid Mehr Nezhad

A Appendix

(See Table 3).

Table 3. List of Acronyms

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Mehr Nezhad, M., Laidlaw, E., Hao, F. (2023). Security Analysis of Mobile Point-of-Sale Terminals. In: Li, S., Manulis, M., Miyaji, A. (eds) Network and System Security. NSS 2023. Lecture Notes in Computer Science, vol 13983. Springer, Cham. https://doi.org/10.1007/978-3-031-39828-5_20

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-39828-5_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-39827-8

  • Online ISBN: 978-3-031-39828-5

  • eBook Packages: Computer Science, Computer Science (R0)