With Black Friday right around the corner, many retailers will consider using iPhones and iPads as point-of-sale (POS) terminals. Some of those implementations will be safe – but others will not.
Trustwave Managing Consultant Mike Park, who has been evaluating mobile POS solutions, has uncovered a few disturbing trends. He is presenting his findings at the AppSec USA conference in New York this week in a session titled "PiOSoned POS - A Case Study in iOS based Mobile Point-of-Sale Gone Wrong."
In an interview with eSecurity Planet, Park said retailers increasingly use mobile POS on Apple iOS devices as a way to accelerate and improve the checkout process during busy periods.
Mobile POS on iOS devices combines a physical card reader with application software running on the device. Some of the early card readers did not encrypt card data inside the reader hardware, Park said. While higher-end readers now encrypt card data in hardware before it ever reaches the device, retailers sometimes use readers that lack that capability.
Encryption and User Error
When retailers relied on software-based encryption on the device rather than encrypting card data in the reader hardware, Park found he was able to get access to the data.
"We found that some people were using a store-and-forward approach for transactions where the transactions were stored in unencrypted SQLite databases on the devices," he said.
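The store-and-forward pattern Park describes is easy to check for during an assessment: if the queue lives in a SQLite file in the app's data container and the card data is not encrypted by the reader, the primary account number (PAN) sits in a text column in the clear. The following is an added example, not Trustwave's tooling or any retailer's code. It builds a constructed in-memory database that mimics such a queue (the table and column names are assumptions, and the card number is the widely used 4111 1111 1111 1111 test PAN, not a real card), then walks every text column looking for 13 to 19 digit runs that pass the Luhn checksum, which filters out reader tokens, timestamps and typos.

```python
"""Scan a store-and-forward SQLite database for cleartext card numbers.

Added example, not code from the original article or from Trustwave.
The sample database is constructed here; the table and column names are
assumptions about what a retailer's offline transaction queue might look like.
"""
import re
import sqlite3

# Candidate PAN: 13-19 digits not bordered by other digits (so a 7-digit
# expiry/service-code suffix after '=' in track data is not swallowed).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def build_sample_db(conn: sqlite3.Connection) -> None:
    """Constructed offline queue with one cleartext PAN (test number, not a real card)."""
    conn.execute(
        "CREATE TABLE pending_txn ("
        "id INTEGER PRIMARY KEY, amount_cents INTEGER, track_data TEXT, note TEXT)"
    )
    conn.executemany(
        "INSERT INTO pending_txn (amount_cents, track_data, note) VALUES (?, ?, ?)",
        [
            (1999, "4111111111111111=2512101", "keyed entry"),       # Luhn-valid test PAN
            (2500, "tok_8f3a9c1d2e", "tokenised by reader"),          # no PAN present
            (4200, "4111111111111112", "mistyped, fails Luhn"),       # digit run, bad checksum
        ],
    )
    conn.commit()


def find_cleartext_pans(conn: sqlite3.Connection) -> list:
    """Walk every table and text column; return (table, column, rowid, masked_pan) hits."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                if not isinstance(value, str):
                    continue
                for m in PAN_RE.finditer(value):
                    pan = m.group(0)
                    if luhn_ok(pan):
                        # Never log the full PAN from an assessment tool: mask to first 6 / last 4.
                        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
                        hits.append((table, col, rowid, masked))
    return hits


def scan_sample() -> list:
    """Build the constructed queue in memory and scan it; returns the hit list."""
    conn = sqlite3.connect(":memory:")
    build_sample_db(conn)
    hits = find_cleartext_pans(conn)
    conn.close()
    return hits


if __name__ == "__main__":
    # For a real assessment, replace ":memory:" with the path of a SQLite file
    # copied out of the app's data container and call find_cleartext_pans on it.
    for table, col, rowid, masked in scan_sample():
        print(f"cleartext PAN in {table}.{col} rowid={rowid}: {masked}")
```

Only the keyed-entry row is reported; the reader token has no digit run and the mistyped number fails the checksum. A clean result from this scan does not prove the data is protected (the PAN could be base64-encoded, or encrypted with a key that also sits on the device), but a hit is direct evidence of the unencrypted store-and-forward problem Park describes.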
The root cause of the insecurity does not directly stem from the card readers, Park stressed, but is a retailer implementation issue. In one of his evaluations, a retailer enabled the entry of credit card information by hand rather than requiring a magnetic stripe card reader.
"When you do something like that, it doesn't matter if you have the world's best mag-stripe reader, because at some point when you type in user information into the software it is unencrypted," Park said.
According to Park, the current generation of credit card mag-stripe readers is safe. Custom-designed software stacks, however, tend to be less secure. In an ironic twist, Park said, the biggest retailers often build their own applications to interface with POS devices instead of using the pre-built stacks from mag-stripe reader vendors, while smaller retailers are more likely to use the more secure off-the-shelf software.
"The consumer really has no way of knowing, and they often aren't handling the device themselves," Park said. "One thing a consumer can do is that if they see an Apple iOS POS device that allows retailers to input credit card data by hand, instead of just a card swipe, that's a device you shouldn't trust."
Consumer mobile devices used as POS terminals obviously represent a target for attackers, Park said.
"This is a juicy target for criminals to go after," he said. "They're already going after POS devices, and this is just another form factor that criminals are already attacking at retail stores anyway."
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.