University of California San Francisco
The authors experimentally investigate the security of several Smartphone Point-Of-Sale (POS) systems that consist of a software application combined with an Audio-jack Magnetic Stripe Reader (AMSR). The latter is a small hardware dongle that reads magnetic stripes on payment cards, (sometimes) encrypts the sensitive card data, and transmits the result to the application. Their main technical result is a complete break of a feature-rich AMSR with encryption support. They show how an arbitrary application running on the phone can permanently disable the AMSR, extract the cryptographic keys it uses to protect cardholder data, or gain the privileged access needed to upload new firmware to it.