Attacking the Buyers and the Sellers: A Tale of Offline Readers and Payees’ Authentication

First, we will look at security analyses we performed against the Square Terminal (https://squareup.com/gb/en/hardware/terminal ), a well-sold PoS (point of sale), when set in offline mode (i.e., not connected to the Internet/payments networks when transactions occur). We show that we can make the PoS work contrary to its EU/UK specifications (with relatively little technical effort), and –in so doing– we are able to bypass customer authentication (PIN, fingerprint, etc.), and make illicit transactions. In this case of offline PoS, the victims are merchants, as well as plastic-cards’ holders. The attacks affect both Visa and Mastercard. Via responsible disclosure, we liaised with all stakeholders, and SquareUp is receptive. Then, we will also look, in more detail than before, at how EU vs UK specification work. All these aspects were also supported by formal verification , which we discuss as well.