
iOS Point-of-Sale Apps Have Hidden Security Risks

PayPal and Square (above) are secure, but most other iOS point-of-sale apps are security risks, researcher says.


Have you ever bought something from a store that used a device plugged into an iPad or iPhone to accept your credit-card payment? If so, your personal information may be at risk, according to a new study.

Mobile point-of-sale apps and accompanying magnetic-stripe card readers are becoming increasingly popular, particularly among small businesses, restaurants, street vendors and retailers who want to seem hip and tech-savvy.

But Mike Park, a managing consultant at Chicago-based information security company Trustwave, said many businesses that use point-of-sale apps do not understand, or don't correctly implement, the security available to them.


That's not to say that all point-of-sale devices are unsafe. The current generation of apps that come with a magnetic-stripe card reader, such as Square and GoPayment, are safe.

Speaking about iOS point-of-sale app security at the AppSec USA Conference in New York yesterday (Nov. 21), Park said that, two years ago, it took him only 10 minutes to access people's credit-card data from an iPod-based device used at a major retailer. All it took was jailbreaking the iPod, that is, bypassing the restrictions Apple built into the operating system in order to take full control of the device's capabilities.

A lot has changed in two years, of course, but retailers using older mobile operating systems, outdated software, or, especially, in-house apps they build themselves are still at a high risk.

Because large retailers are more likely to use these in-house solutions, they're often less secure than small retailers who use off-the-shelf products, Park said in an interview with eSecurity Planet, an IT security blog.

Park found that with most of the in-house apps, encrypting the stored card data is an option, not a default. Some also require users to enter credit-card information by hand, which Park said customers should take as a warning sign — it means customer data is, at least temporarily, stored in a nonencrypted form on the device.

Many point-of-sale apps that do implement encryption do so in their software, not in their device's physical hardware. That makes it easier to access the stored data from the device.
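The two preceding paragraphs describe the core finding: card data sitting in the clear in an app's local storage. The audit helper below is an added example (not Trustwave's code, nor anything from the apps the article describes) of how a defender can check a device's app data directory for that condition. It walks a storage tree, looks for digit runs that pass the Luhn check, and reports them masked. The directory layout and log lines are constructed for the demonstration; the only card number used is the standard Visa test PAN 4111 1111 1111 1111.

```python
"""Added example: scan an app's local storage for credit-card numbers (PANs)
stored unencrypted. Not code from the article or from any vendor; the sample
storage tree built in demo() is constructed for illustration."""
import re
import tempfile
from pathlib import Path

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters random digit runs out of the results."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits in any report output."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(text: str) -> list:
    """Return masked versions of every Luhn-valid PAN found in cleartext."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan_storage(root: Path) -> dict:
    """Walk an app's data directory; map each file holding cleartext PANs to its hits."""
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")   # binary/encrypted blobs yield no matches
        except OSError:
            continue
        pans = find_cleartext_pans(text)
        if pans:
            findings[path.relative_to(root).as_posix()] = pans
    return findings


def demo() -> dict:
    """Constructed sample: a plaintext transaction log with one full PAN next to a
    tokenised entry, plus an opaque encrypted blob that produces no finding."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Documents").mkdir()
        (root / "Documents" / "transactions.log").write_text(
            "2013-11-21 12:01 sale 19.99 card=4111 1111 1111 1111 exp=12/15\n"
            "2013-11-21 12:07 sale 5.00 token=TKN-3fa9c0 last4=1111\n"
        )
        (root / "Library").mkdir()
        (root / "Library" / "vault.bin").write_bytes(b"\x02\x8f\xa1\x7c\x00\x19")
        return scan_storage(root)


if __name__ == "__main__":
    for file, pans in demo().items():
        print(f"{file}: {', '.join(pans)}")
```

The second log line shows what a well-behaved app leaves behind (a token and the last four digits), which the scanner correctly ignores; the first line is the pattern the article warns about. Only the masked form ever reaches the report, so the audit itself does not create another copy of the card number.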


When unencrypted credit-card information is easily accessible, store owners might think that having trustworthy employees is enough to protect their customers' data. But that still doesn't protect against man-in-the-middle attacks, in which cybercriminals capture data while it's in transit.

On the whole, Park said, unless a mobile point-of-sale device is using a magnetic-stripe card reader and can encrypt customer data on its hardware, criminals will find it an easy target.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.