Mobile point-of-sale terminals or devices (also referred to simply as MPOS) make it possible for businesses to accept payments from their smartphones or tablets. Not only does this convenient option allow entrepreneurs to run their operations without buying heavy and expensive cash registers, it is also a major boon for people working in mobile businesses like taxi service or food delivery, where remote payments are the name of the game.
Unfortunately, the convenience of mobile point-of-sale terminals doesn’t equate to safety and security, and an MPOS can easily be hacked and customer payment information stolen, including card numbers, PIN information, and more. That was proved recently by researchers from the data security firm MWR Labs, who created a program called “Chippy Pin” to prove just how easily a mobile payment system could be compromised.
Chippy Pin itself was a bit of a joke, a simplified version of the popular “Flappy Bird” mobile game that could be played using MPOS payment terminals. At first glance, MWR Labs’ ability to upload a pixelated game to a payment terminal doesn’t seem like that big of a deal. After all, what’s the harm in playing a game like “Flappy Bird” – which requires players to navigate a small bird through narrow openings in walls – on an MPOS? If so many players use the game on their mobile devices, what is wrong with playing the game on a payment gadget that attaches to said mobile devices?
The problem, though, isn’t the game itself, but the ease with which MWR Labs representatives were able to upload it into the framework of an MPOS payment terminal. It goes without saying than an MPOS is not designed to play a challenging mobile game. Mobile point-of-sale systems have one main application, and that is to register customer card payments just like a cash register would.
But the ability of MWR Labs to upload their simplified “Flappy Bird” application to an MPOS – using various covert methods like USB, Bluetooth, and even “smart” cards to get the game’s code into the terminal system – shows hitherto unexplored vulnerabilities with the MPOS concept. If data security experts can manipulate an MPOS to the point where it plays a game that it was never designed to play, then it’s frightening to think of the ways in which a malicious hacker could take advantage of the same vulnerabilities.
With the right attack method, a hacker could take full control of an MPOS payment terminal, stealing payment information, fooling the terminal into thinking a payment has cleared when it hasn’t, or perhaps even redirecting payments to an anonymous account. The implications are varied and scary, and they’re enough to give every customer and business pause over the use of mobile point-of-sale devices.