Sunday, May 27, 2012

ZTE Mobile Payment Network (MPN) USB Dongle Security

I had the chance to take a look at a relatively new USB dongle for handling credit card and debit card transactions using smartphones: Apple iOS (iPhone, iPad, iTouch), Android, and probably BlackBerry devices. The ZTE MPN is a small dongle that you attach to your smartphone's earphone jack; it translates card information swiped on the card reader into sound waves. An app on the smartphone communicates with a central server for authentication and authorization.

Now, what makes this ZTE product good news? It's cheap and can be deployed easily. ZTE even proudly declares it certified and in use in China by China UnionPay (CUP).

The greatest drawback? It's not really secure. It has no PCI PED certification, no PCI PTS, and not the more popular FIPS 140-2 Level 2 or Level 3 certification either. They say the ATM PIN needs to be entered on the cellphone using the app, but that's just where the problem lies: PIN entry must be done on certified devices. Even using their product's crypto program and key injection to manage encryption keys remotely won't cut it. Their device must take the form of a new POS terminal. ZTE people think that just because they're using their product in China, it will be accepted in the Philippines :(