Have you ever bought something from a store that used a device plugged into an iPad or iPhone to accept your credit-card payment? If so, your personal information may be at risk, according to a new study.
Mobile point-of-sale apps and accompanying magnetic-stripe card readers are becoming increasingly popular, particularly among small businesses, restaurants, street vendors and retailers who want to seem hip and tech-savvy.
But Mike Park, a managing consultant at Chicago-based information security company Trustwave, said many businesses that use point-of-sale apps do not understand, or don't correctly implement, the security available to them.
MORE: Mobile Security Guide: Everything You Need to Know
That's not to say that all point-of-sale devices are unsafe. The current generation of apps that come with a magnetic-stripe card reader, such as Square and GoPayment, are safe.
Speaking about iOS point-of-sale app security at the AppSec USA Conference in New York yesterday (Nov. 21), Park said that, two years ago, it took him only 10 minutes to access people's credit-card data from an iPod-based device used at a major retailer. All it took was jailbreaking the iPod, or bypassing the restrictions Apple built into the operating system in order to take full control of the device's capabilities.
A lot has changed in two years, of course, but retailers using older mobile operating systems, outdated software, or, especially, in-house apps they build themselves are still at a high risk.
Because large retailers are more likely to use these in-house solutions, they're often less secure than small retailers who use off-the-shelf products, Park said in an interview with eSecurity Planet, an IT security blog.
Park found that with most of the in-house apps, encrypting the stored card data is an option, not a default. Some also require users to enter credit-card information by hand, which Park said customers should take as a warning sign — it means customer data is, at least temporarily, stored in a nonencrypted form on the device.
Many point-of-sale apps that do implement encryption do so in their software, not in their device's physical hardware. That makes it easier to access the stored data from the device.
MORE: 40 Free and Useful iPad Apps
When unencrypted credit-card information is easily accessible, store owners might think that having trustworthy employees is enough to protect their customers' data. But that still doesn't protect against man-in-the-middle attacks, in which cybercriminals capture data while it's in transit.
On the whole, Park said, unless a mobile point-of-sale device is using a magnetic-stripe card reader and can encrypt customer data on its hardware, criminals will find it an easy target.
Email firstname.lastname@example.org or follow her @JillScharr and Google+. Follow us @TomsGuide, on Facebook and on Google+.
- 25 Free Apps for new iPad Users
- Two-Factor Authentication: An Extra Layer of Security
- 13 Security and Privacy Tips for the Truly Paranoid