You can't always trust those mobile payment gadgets as far as you can throw them – bugs found by infosec duo

Those gadgets and apps used by small shops and traders to turn their smartphones and tablets into handheld sales terminals? Quite possibly insecure, you'll no doubt be shocked to discover. These mobile terminals are often seen in cafes, gyms, and other modest-sized businesses to take non-cash payments. The merchant taps out a …

  1. Anonymous Coward

    '....or have finished patching....'

    Do 'Finished-Patching' and 'Payment-Systems' really belong together?

    Everyone just wants tech to work... No one wants to be told it doesn't.

    The hard work to make it secure? That's hardly the stuff of 'Unicorns'!

    And paying for Security talent? Just ship products quickly to suckers!

  2. Neil Barnes Silver badge

    There's a lot to be said for cash...

    as title...

    1. Anonymous Coward

      Re: There's a lot to be said for cash...

      Because obviously there are no dodgy notes or coins in circulation...

      Actually cash also gets "patched" periodically - witness our plasticky new £5 and £10 notes, and the new multi-sided £1 coin.

  3. Warm Braw

    If a product costs less than $100...

    It rather depends on how many you intend to sell - I don't imagine it's PayPal's goal to deploy only a couple of hundred. It also depends on the potential liability - sadly that's probably the area that will receive the most engineering.

  4. sitta_europea Silver badge

    "Not all of them are or were vulnerable to attack..."

    Correction:

    "Not all of them were vulnerable to the attacks which our heroes so far came up with"

  5. Anonymous Coward

    My Company's one isn't there

    We have one too, as part of a larger range, but it's not present in the list in the article. I'm not going to claim that it is better than any listed, as I don't work with it myself, but I would be interested in whether it would pass muster here or not (fairly certain it would, that part of the company does a lot of banking products)

  6. Anonymous Coward

    Payment Space Invaders

    A pen test company did some fuzzing testing on a major brand card payment terminal, and came up with a card which would make the machine play space invaders!

    1. Anonymous Coward

      Re: Payment Space Invaders

      Most machines can be made to play space invaders. Many years ago, I got Tetris working on one - complete with its earworm. The question is, can they be made to play space invaders whilst still retaining the keys required to connect to the payment networks and process valid transactions?

  7. Anonymous Coward

    And when the payment is actually sought?

    What then? When the card's cryptogram (generated with a value of 100) fails to match the cryptogram generated by the issuer (with a value of 123), the issuer just declines the transaction. So either the transaction is declined 'online' and the cardholder walks away empty handed, or the transaction is accepted by the merchant 'offline' and later rejected by the issuer after the customer has already walked away with the loot.

    So it's more a potential attack by a cardholder on the merchant than it is that of a dodgy merchant against unsuspecting cardholders.

    1. Jim Mitchell

      Re: And when the payment is actually sought?

      It sounds like only the display on the device reads "100", everything else in the transaction is "123". So not discrepancies that would trigger a declined transaction at the time.

      1. Anonymous Coward

        Re: And when the payment is actually sought?

        Could be - but the example in the photo shows "The card reader says £1.00, but the payment app will bill the customer £1.23". Of course, if the "two terminals that can be sent arbitrary commands to change what's displayed on their screens" actually allow a different amount to be displayed and presented to the card, then that's another matter. It's not clear from the article whether this is possible; 'proper' terminals generally restrict the display at sensitive points in the transaction process.

        1. Charles 9

          Re: And when the payment is actually sought?

          That's what's happening here. Another scenario described was telling the customer the transaction was declined when it wasn't, triggering double charges.
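The display-versus-cryptogram point argued in this sub-thread, as an added Python model that is not from the article or any commenter: an HMAC over the transaction data stands in for the EMV application cryptogram (real EMV uses per-transaction session keys and a longer data list; only the shape of the issuer's check is modelled), the key is a constructed placeholder, and amounts are in pence with the thread's 100 and 123.

```python
import hmac
import hashlib

# Constructed placeholder for the secret the card and issuer share; not a real EMV key.
ISSUER_KEY = b"constructed-example-card-issuer-key"


def cryptogram(amount_minor, atc, unpredictable_number, key=ISSUER_KEY):
    """Simplified application cryptogram: a MAC over the amount and counters the
    card itself was given. If the card signed 100, no one else can make a
    cryptogram for 123 without the key."""
    data = f"{amount_minor}|{atc}|{unpredictable_number:08x}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def issuer_authorises(amount_claimed, atc, unpredictable_number, card_cryptogram):
    """Issuer recomputes the cryptogram from the amount the merchant claims and
    declines if it does not match what the card produced."""
    expected = cryptogram(amount_claimed, atc, unpredictable_number)
    return hmac.compare_digest(expected, card_cryptogram)


def run_transaction(displayed_minor, card_amount_minor, billed_minor,
                    atc=1, unpredictable_number=0x1A2B3C4D):
    """Model one purchase.

    displayed_minor:   the amount the reader's screen shows the cardholder
    card_amount_minor: the amount the reader actually presents to the card
    billed_minor:      the amount the payment app submits for authorisation
    Returns (issuer_authorised, display_matches_bill).
    """
    ac = cryptogram(card_amount_minor, atc, unpredictable_number)
    authorised = issuer_authorises(billed_minor, atc, unpredictable_number, ac)
    return authorised, displayed_minor == billed_minor


if __name__ == "__main__":
    # Honest sale: screen, card and bill all agree on £1.23.
    print("honest          ", run_transaction(123, 123, 123))
    # Display-only tampering (Jim Mitchell's reading): screen says £1.00 but the
    # card signs and the app bills £1.23, so the issuer authorises. The only
    # place the mismatch is visible is the receipt or the statement.
    print("display tampered", run_transaction(100, 123, 123))
    # Amount changed at the card (the first commenter's reading): card signs
    # £1.00, app bills £1.23, cryptograms disagree and the issuer declines.
    print("card tampered   ", run_transaction(100, 100, 123))
```

The model shows why the thread's two readings differ: an issuer check catches a cryptogram computed over a different amount, but not a screen that simply lies, which is why reconciling the displayed amount against the receipt and statement is the cardholder's detection point.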

  8. onefang

    "to use a less secure method of payment, such as the magnetics-tripe rather than chip'n'PIN,"

    Is magnetics-tripe a Freudian slip, or a comment on how good they are?

  9. vtcodger Silver badge

    Priorities

    Interesting, but as security flaws go, not that big a deal I think. I do question the priorities here. Altering the amount charged in a transaction isn't good, but it's basically no different than a dishonest waiter or merchant altering your credit card paperwork after you sign for the charge. It'll show up on your statement so it's risky for the perpetrator. Code execution flaws OTOH probably have a potential for leaking your credit card information via the internet to some of the world's multitude of scoundrels.
