Two separate discoveries concerning ATMs and mobile point-of-sale (mPOS) devices, such as those used by iZettle and Square, have uncovered new security vulnerabilities that could expose sensitive personal financial information and lead to theft.

ATM Encryption Flawed

ATM maker NCR has issued software security updates after researchers discovered flaws in the encryption of communications between the ATM computer and the cash dispenser that could enable attackers to steal cash. Previous studies have found that the primary goal of ATM malware is to connect to and control peripheral devices inside the ATM in order to withdraw stored cash and/or collect information from bank customers.

However, Positive Technologies researchers Vladimir Kononovich and Alexey Stennikov told attendees of the Black Hat USA security conference in Las Vegas this week that they had found attackers could install obsolete, insecure software on the controller of an ATM cash dispenser and issue commands to dispense cash. Tech-savvy criminals could steal cash this way by taking advantage of poor physical security to connect a computer to the dispenser.

“Our research indicated that not all requests from the ATM computer to the dispenser were encrypted,” said Alexey Stennikov, head of hardware security analysis at Positive Technologies.

“Instead, encryption was applied only to requests deemed critical by the manufacturer, such as dispensing cash. But some of the so-called non-critical requests can be just as dangerous.”

Security experts advise that, in order to deal with the wide variety of possible attacks, ATM security measures should be two-fold to counteract any potential criminal activity:

Physical – perimeter surveillance, access control, intrusion detection, central monitoring and ensuring that ATMs are sited in well-lit, secure and alarmed locations.

Logical – firewalls, a tracking and monitoring system, encryption technologies, logical access control, fraud detection systems and protection of communication links.

MPOS Devices Not Secure

In a separate security probe by Positive Technologies, mobile point-of-sale devices from payment providers such as PayPal, iZettle and Square were found to contain vulnerabilities that could allow credit card information to be captured, or transactions to be intercepted, by unscrupulous merchants bent on stealing funds from customers.

These devices are usually linked via Bluetooth to a smartphone or tablet app, which then sends the data to the payment provider’s server. The researchers found that criminals or malicious merchants could intercept this data and change the value being transferred during a swiped payment, without alerting the customer.

“Currently there are very few checks on merchants before they can start using an mPOS device and less scrupulous individuals can, therefore, essentially, steal money from people with relative ease if they have the technical know-how,” said Leigh-Anne Galloway, another researcher at Positive.

“As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”

They also discovered that it was possible to use remote attacks to gain access to a device’s operating system. This means that criminals could manipulate devices that use the more secure chip-and-PIN method by making it appear that the payment method was not working, forcing the customer to swipe instead and allowing the attacker to read the card data from the magnetic stripe on the back.
