Researchers have released a report analyzing seven mobile credit card readers from four popular vendors (SumUp, iZettle, PayPal and Square) in the US and Europe. Among the findings, vulnerabilities were identified in more than half of the terminals tested.

The team evaluated the communications security between the device used to process a payment and the server. In addition, the researchers examined the security mechanisms within the POS mobile terminal, the mobile application used with the terminals, and secondary factors that affect security, such as checks made during enrollment.

Several attack vectors were found. For example, two of the terminals (which were not named) accepted arbitrary commands from an attacker, allowing the message shown on the terminal's screen to be altered. “This vector can be used to display a declined payment message as a way to get the cardholder to make additional transactions,” one expert explained.

Two of the terminals were also found to be vulnerable to remote code execution (RCE), which would give an attacker full access to the device's operating system and to the payment card data it processes, including account numbers and expiry dates.

.   .   .