MPoC Solutions:

Principal Threats and Importance of Penetration Testing


PCI MPoC Standard


The Payment Card Industry (PCI) Security Standards Council (SSC) released in 2022 a standard called MPoC (Mobile Payments on COTS) to support the development of mobile payment acceptance solutions.

This program allows a mobile device with a dedicated application to be used as a POS (Point of Sale) instead of an expensive payment terminal.

MPoC Solution Principal Threats


While such mobile point-of-sale systems offer many benefits, they also come with security risks that have to be taken into account during the development of an MPoC solution.

The main difference between a dedicated POS terminal and a mobile application on COTS is that the former is a hardware device specifically designed to protect sensitive payment assets such as the card's PAN (Primary Account Number) and the cardholder PIN (Personal Identification Number).

By contrast, a mobile device must be considered an untrusted platform, meaning that the integrated security controls provided by the device operating system (OS) can be deactivated. In that case an attacker can gain full control over the device and the applications running on it.

That is why an MPoC solution must introduce additional robust security mechanisms to protect the sensitive data that it handles.


The MPoC specification defines security requirements that must be fulfilled by a mobile payment on COTS solution to protect the confidentiality and integrity of the sensitive payment information it handles. In particular, there is a list of requirements covering the software protection mechanisms of the MPoC solution.

Some of these security measures are embedded in the application and serve to locally detect a security compromise such as rooting, debugging, tampering with the application, the presence of a hooking framework, etc.

There are various software protection tools available for mobile applications that offer code obfuscation and runtime security measures. However, these tools must be properly configured and integrated into the application. Based on our experience, this is not always done correctly, which can lead to security vulnerabilities. Therefore, it is essential to independently test the integration of these tools in the application. 


The online nature of the mobile devices used for MPoC applications provides additional assurance via a remote attestation system, which can monitor the integrity of the device and the application, detect anomalies and threats, and implement countermeasures.

However, like any security mechanism, remote attestation has its vulnerabilities and challenges. 

Here are some common vulnerabilities associated with remote attestation: 

  • Spoofing Attacks: an attacker may attempt to spoof device data collected by the attestation system and mislead it into accepting a compromised mobile device or application as trustworthy.
  • Replay Attacks: an attacker intercepts and reuses valid attestation data to deceive the remote verifier.
  • Man-in-the-Middle (MitM) Attacks: an attacker intercepts and alters the communication between the COTS device and the attestation system.
  • Configuration Flaws: incorrect or insecure configurations of attestation services can make the attestation process ineffective.
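As an added illustration of how a verifier side can resist the spoofing and replay cases listed above (this is example code written for this page, not part of the MPoC standard or any vendor's attestation service), the verifier below issues a single-use, time-limited nonce per device, binds it to the device identity, checks an integrity tag over the whole report before trusting any of its fields, and only then evaluates the reported device state. The per-device HMAC key, device identifier and expected application hash are constructed placeholders; a real deployment would use an asymmetric key protected by the device keystore and its own policy for the reported fields.

```python
import hashlib
import hmac
import json
import os

# Constructed values for this example only: a per-device shared secret and the
# expected hash of the genuine application build. Not real deployment data.
DEVICE_KEYS = {"cots-0001": b"constructed-demo-key"}
EXPECTED_APP_HASH = "placeholder-app-hash"
NONCE_TTL_SECONDS = 60


def canonical(report):
    """Stable serialisation so device and verifier MAC the same bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_report(key, report):
    """Device side: integrity tag over the report (HMAC stands in for a keystore signature)."""
    return hmac.new(key, canonical(report), hashlib.sha256).hexdigest()


class AttestationVerifier:
    def __init__(self, device_keys, clock, ttl=NONCE_TTL_SECONDS):
        self.keys = device_keys
        self.clock = clock        # injectable clock so expiry can be tested
        self.ttl = ttl
        self.pending = {}         # nonce -> (device_id, issued_at)

    def challenge(self, device_id):
        nonce = os.urandom(16).hex()          # unpredictable, so it cannot be pre-computed
        self.pending[nonce] = (device_id, self.clock())
        return nonce

    def verify(self, report, tag):
        # Nonce is single-use: popping it here makes a replayed report fail.
        issued = self.pending.pop(report.get("nonce"), None)
        if issued is None:
            return False, "unknown or reused nonce"
        device_id, issued_at = issued
        if report.get("device_id") != device_id:
            return False, "nonce issued to a different device"
        if self.clock() - issued_at > self.ttl:
            return False, "challenge expired"
        key = self.keys.get(device_id)
        if key is None or not hmac.compare_digest(sign_report(key, report), tag):
            return False, "bad signature"     # altered or spoofed report
        # Only a report whose tag verified is allowed to influence the decision.
        if report.get("rooted") or report.get("debugger") or report.get("app_hash") != EXPECTED_APP_HASH:
            return False, "device or application integrity check failed"
        return True, "attested"
```

Note that the nonce is consumed before the tag is checked, so an unauthenticated party can burn a pending challenge but cannot pass one; the device simply requests a fresh challenge.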

Key Assets and Their Protection


Among all assets defined by the MPoC specification, the most sensitive are the following: 

  • the card's PAN
  • the cardholder PIN

The PAN can be retrieved by an attacker when it is received via the phone's NFC interface, before it is encrypted, if the MPoC solution does not implement effective anti-hooking, anti-tampering and anti-debugging mechanisms.

The PIN can be intercepted when it is entered by the cardholder or while it is present in memory before being encrypted. Runtime security measures such as anti-rooting, integrity protection, code obfuscation, etc. should thwart such attacks.

Importance of Regular Penetration Testing


Implementing a sufficient level of security for an MPoC application is a very complex task that requires deep knowledge of mobile security.

In addition, maintaining the security of an MPoC solution must be an ongoing process that involves adapting to new threats, leveraging advancements in technology and complying with evolving regulations.

There are several reasons why security evaluation and penetration testing must be performed regularly:

  • New Attack Methods: new attack techniques are developed regularly, requiring continuous updates to security measures.
  • Zero-Day Vulnerabilities: these are previously unknown vulnerabilities in software that are exploited by attackers before the vendor releases a fix. Keeping the mobile platform OS updated helps protect against these types of threats.


That is why the MPoC specification contains requirements for penetration testing (1A-1.3 and 4A-3.1) that must be executed before the initial deployment of the MPoC solution and at least annually thereafter.


This penetration testing must be performed by personnel with professional skills and experience in both the mobile security and payment processing domains.

An MPoC solution, like any other security system, must undergo independent testing to verify its effectiveness and the reliability of its security assurance.

IS Laboratory offer


IS Laboratory can provide this service, as our engineers have significant expertise in security evaluations and penetration testing of different types of payment solutions.


IS Laboratory can verify whether your solution implements the required level of asset protection and give recommendations to harden its security against state-of-the-art attacks.


Moreover, IS Laboratory can organize workshops, provide advisory services for MPoC vendors, or perform a gap analysis to assess the readiness of your solution for MPoC certification.


If you have any questions regarding the help that IS Laboratory can provide for vendors of MPoC or any other mobile solution with special security requirements, please contact us at contact@is-laboratory.com.
