Technology has evolved immensely over the past few years. Smartphones and tablets have become a staple in today’s society and people are transitioning towards mobile everything. This is especially true given that about half of the people in the U.S. who have mobile phones have a smartphone. One mobile technology in particular that has drastically changed society is mobile payment. Mobile card reader terminals are popping up in more and more stores, allowing for convenient payment options. But according to a recent study, these card readers aren’t as trustworthy as we may like to think.
A nine-month study by Positive Technologies looked at the accountability of several different card reader models. Leigh-Anne Galloway and Tim Yunusov headed the study, starting off with just two card readers. But the project increased in size when they decided to look into seven card readers in total from four different vendors: Square, SumUp, iZettle, and PayPal.
Upfront, there were no signs that any of the card readers had any flaws that would make them open to being used in an adverse way. But after using a card with five of the card readers, Galloway and Yunusov found that it was indeed possible to increase the amount of money the customer was spending — without the customer knowing.
Using the encrypted Bluetooth connection that allows consumers to pay with these mobile terminals, anyone nearby could actually change the values the customer is being charged. Furthermore, there is also the possibility that malicious software could be used to actually change what’s shown on the screen.
“It’s possible, if you were a fraudulent merchant, you could change the transaction value to make it a higher value than what’s displayed on the reader,” Galloway explained. “The significance is that this is a realistic attack vector because so many transactions are carried out through swipes.”
Tampering with mobile payment devices isn’t the first case we’ve seen of illegally paying or charging for items. Legislation such as the Counterfeit Detection Act of 1992, which is in place to ensure that reproduced bills aren’t mistaken for real currency, was created to prevent faulty payments.
There are a variety of factors that make card readers susceptible to attack. The researchers noted that the spotty security is mainly due to the fact that mobile payment technology is fairly new and is still developing.
Any issues the researchers found with the card readers have been reported to the companies responsible for the apps and readers, who immediately began to fix any security problems that were found during the study. But card readers and mobile payment technology still have a long way to go before they’re as secure as other technology.