Security Threat to Mobile Card Readers

Potential dangers lurk in mobile apps used with credit card readers: Internet Scambusters #584

Retailers and other organizations have started using tablets and cellphones as mobile credit and debit card readers — opening up the way for a new form of fraud.

The weakness is not in the devices themselves but in old or tailor made in-house apps which don’t adequately protect the data they collect.

In this week’s issue, we explain how this vulnerability occurs and what you can do to spot and limit the risks of becoming a victim.

And now for the main feature…

Security Threat to Mobile Card Readers

Things have come a long way in the world of debit and credit card readers — and the crime that goes with them.

Remember those contraptions that merchants used, with a paper triplicate form they laid on top of your card and then swiped a rolling head across to create a carbon impression of your card number?

You still see them sometimes today, but usually only when the electronic digital reader has failed at the cash register, or point of sale (POS) as it’s usually called.

But, as with most things, there’s a price to pay for progress. We’ve previously reported on how scammers hijack POS card readers by replacing them with doctored devices that capture victims’ card information in Gas Pumps Targeted in Latest Card Skimming Scam.

If you want to see one of these remarkably authentic-looking devices, watch this 30-second video, Verifone Point-of-Sale Skimmer, allegedly made by a crooked seller, and posted online by renowned security specialist Brian Krebs.

In other cases, store cashiers and restaurant servers may act as accomplices, purposely swiping cards through modified skimming devices.

However, things have now moved past this stage to attack another type of card reader.

You don’t see too many of them just yet but they likely will become more common as more people accept credit card payments via their cell phones and tablets.

That’s because many small businesses, street vendors and work-from-home self-employed people find it both cheap and convenient to use these new devices. They simply plug into a mobile device either via the headphone socket or another port on the device.

Even restaurants and bigger stores use them because they’re so portable. Now the sales assistant on the store floor can take your payment right at the clothing rack.

The readers are quite small — maybe just an inch or two square — and simply have a slot on the top through which the user swipes a card, which is then read by software (an app) on the mobile device.

A great convenience you might think — and so they are. No need for cash or checks when you pay.

In some cases, vendors don’t even need one of these card readers. They simply key in the card details by hand into an app on the mobile device.

Apps At Fault

So far so good. But, where technology is concerned, there’s always someone looking to find the scammers’ loophole.

First, it’s important to stress that it’s not the devices that are at fault but certain apps and the way they’re used.

Second, many of these mobile POS apps are considered to be secure, but as of this writing, some potentially are not.

And the real trouble is that some of the business people who use them don’t know how to set them up properly and may leave them open to hackers, snoopers and scammers.

Speaking at a security conference in New York a couple months ago, security consultant Mike Park said firms using old software or retailers using apps they’ve had created in-house are especially vulnerable.

We don’t need to go into the technical details here. Suffice it to say the susceptible apps simply don’t encrypt or disguise the data they read from the cards, making it easily available to the crooks.

Can you do anything to avoid this? Sadly, not a lot.

Park later told a blogger on the eSecurity Planet website: “The consumer really has no way of knowing, and they often aren’t handling the device themselves.”

Three Tips

But Park points out that, as far as card swipers go, you’re likely more vulnerable if the seller is using his/her own in-house software, most likely a retailer.

It’s much more likely to be vulnerable than if they’re using an off-the-shelf package.

“This is a juicy target for criminals to go after,” he said. “They’re already going after POS devices, and this is just another form factor that criminals are already attacking at retail stores anyway.”

Second, he cautions against allowing your card details to be manually keyed into a mobile device. There’s a much greater risk that your data will be captured by spyware — use cash or check instead.

And third, as we always advise, keep a regular check on your credit card statement so you can quickly spot any unusual activity.

Certainly, you should always check every item on your monthly statement.

But ideally you should monitor your account daily or at least weekly online. If your card provider offers the service, you should also arrange for a daily email showing your account balance.

The day when we stop using checks and even cash regularly may not be that far off.

Future consumers will probably just be able to wave their mobile devices in front of a scanner.

But for now, we’re going to have to make do with those card readers and the best efforts of the issuers and security specialists to make them safe.

Time to close today, but we’ll be back next week with another issue. See you then!