Author Topic: Anthony's Paranoid Guide to Mobile Crypto-Currency Payments  (Read 2408 times)

Offline Anthony1s

  • Litecoin Association Member
  • Jr. Member
  • ***
  • Posts: 25
Anthony's Paranoid Guide to Mobile Crypto-Currency Payments
« on: September 18, 2014, 07:52:40 PM »
I'm gonna link the .pdf I wrote here. I have to reformat everything for forum use and I'm gonna screw it all up. Comments, questions, and tips are appreciated.

https://dl.dropboxusercontent.com/u/17851743/20140918%20-%20MobilePoS%20-%20Guide.pdf



Anthony's Paranoid Guide to Mobile PoS Security using Coinbase and GoCoin
Anthony Scocozzo - Anthony1s - CryptoAnthony
BTC 15cNXNyTb8Zd2b99D8cegMyiY2S4EtKvGV BTC
LTC Lbd2sayJTW98891vskYYzWVEMarSPaPirJ LTC


Introduction

   Point of sale systems security is a very serious business with very serious risks. This is no different with crypto-currencies. As more of us recommend and setup these systems for brick and mortars, and more brick and mortar stores begin using mobile devices to accept Bitcoin and Litecoin payments, the more risk our merchants have for lost or stolen funds if not protected properly. Therefore, I am creating a sort of 'best practices' guide to help educate and prepare us for implementation of these devices. This guide will focus on wifi security, Android security, and Coinbase and GoCoin security when using a tablet as a Point of Sale device in a small brick and mortar store.


Wifi Security

   Since I don't know what transaction information is included in packets, I don't know what compromises might be capable now or in the future. Things constantly change, so constantly educate yourself. Absolute best practices would be to have your mobile PoS device on a completely separate wifi network than any other devices and to add as many layers to the security onion as possible. If possible, you should create a Virtual Access Point (VAP) just for the PoS device. The following are some layers you can add. Keep in mind, I use DD-WRT firmware so some of these features may not be available to you. Any one is not effective by itself. Use as many as possible.

  • Store the router out of reach and out of site. You don't want someone to see your router model and look up exploits for it or even be able to plug into it.
  • Create a backup of the router config before and after applying changes. Store the backups in a safe location.
  • Make sure the router firmware is up to date.
  • Secure the wifi password with the latest encryption and security modes. Currently WPA2 with AES encryption. This is a must and is the most important thing you can do to protect your mobile PoS device.
  • Use a non-guessable wifi password. I recommend a 16 character mix between numbers, lower case and capitol letters. The more complex, the better. Write down the password and keep it safe. You won't really need it in the future, so no need to make it memorable. If using a VAP for the mobile PoS device, your main WLAN password can be easier to remember than your VAP WLAN password.
  • Be conscious of the range of your router. If you don't need a router with high gain antennas and lots of range, then don't get one. Who knows if you have a neighbor trying to snoop in on your wifi.
  • Broadcast only in the mode your PoS device uses. If the device uses wireless-n, only broadcast wireless-n. This will limit the amount of people able to connect to your wifi network. Though most people use wireless-n these days, it makes me feel better knowing someone using a re-purposed old laptop can't connect without purchasing an adapter.
  • Disable WPS. It's really not secure and can easily be brute forced. Preferably you will want a router without WPS capability as some routers are not capable of fully disabling WPS.
  • Use a MAC filter to limit only the PoS device's MAC address to connect to the WLAN it needs to connect to. We all know MAC addresses of a connected device can be seen with a network monitoring tool and easily spoofed. This is not stand-alone security, but merely a deterrent to the undetermined.
  • Don't hide your SSID. It's not a security feature and in some cases can be less secure as your device will ping every device in the area until it can connect to something, thus giving away your SSID. Also hidden SSID's aren't built into the 802.11 spec and some devices have trouble connecting to it.
  • Naming your SSID's. Don't name your SSID with something obvious. For example, don't use "Android PoS VAP" as your SSID name.
  • Change the default login name and password that accesses the router firmware. The name and password you use here doesn't need to be too complex and secure. Something you'll easily remember is fine. Write it down, keep it safe. This is a must! Every router has a guide available, and every guide has default credentials in it.
  • Change the default local IP address your router uses and starts with. Normally this is 192.168.1.1 Change it to something like 192.168.10.1. This isn't a big security advantage, but if an attacker manages to connect to your wifi network, it can slow them down a bit as they have to look up the local IP. Hey, every little bit counts.
  • Always keep an eye on what devices are connected to your network and what devices are trying to connect. Keep logs if you're capable.
  • Walk around your store a couple times a day to see if any laptops have been left around. If found take note of what it's doing, then unplug it, remove the battery, call the police if something serious is going on, then keep it until the owner shows up.
VAP Tips
  • If you want to allow others to connect to the same router, then create a Virtual Access Point for the mobile PoS device and use the main network for other wireless users.
  • Secure the main AP and the VAP with as many of the above settings as you can, while still allowing the people you want connected to connect.
  • For the VAP, limit the max clients able to connect to 1. This will allow only the mobile PoS device to connect to the VAP.
  • Use a different password for the VAP than you use for the Main Access Point. The Main AP password should be secure, but easier to remember than the VAP wifi password.
  • Separate the IP addresses between the Main Access Point, Virtual Access Point, and possibly the LAN IPs into different subnets. If the LAN is using 192.168.10.1, then use 192.168.11.1 for the Main Access Point, and 192.168.12.1 for the VAP. If the LAN devices and WLAN devices don't need to communicate, then move the LAN to a different subnet too... On my home router I needed to configure bridges, DHCP servers, and iptables in this. If you need to do it, Google it.
  • Use AP Isolation on the VAP to prevent other devices from being able to communicate with the mobile PoS devices connected to the VAP.


Securing Android

   This is really just a giant hassle and I don't know where to start. It's been said that mobile PoS devices are more secure than their card reader counterparts, as they generally receive automatic updates from the cloud. However, being a mobile device, this opens up a new set of security concerns. Mainly the convenience of theft and many people's familiarity of the Android or iOS operating system. Also, tablets and smartphones are not designed as strict point of sale devices, they are merely adapted. As smartphones have more features than a tablet, securing a smartphone can become a daunting task. With that said, I will only recommend using a tablet as a PoS device. This will focus on the use-case of a waiter/bartender bringing the PoS device to the customer to pay. A cashier device, like one used at a grocery store is beyond my focus right now and beyond this guide, but I'm sure many of these guidelines could still be used. Like mentioned in the introduction, this will focus on Android only. iOS doesn't really work for true trustless security. You will see why later. Right now, let's see what we can do with Android.

  • Updates. Make sure the Android OS is always up to date, turn on automatic updates for all apps, update yourself - read through the patch notes and changelogs of updates.
  • Mobile PoS tablets ideally should have a less than two year use cycle as a mobile PoS device. This term is limited to two years because, unfortunately, the hardware becomes End of Life and no longer receives updates.
  • Password protection. Require at least a 4-digit pin to unlock the device.
  • Make sure the pin is entered out of site of the customers.
  • Change the PIN each time an employee is fired or quits.
  • Use a surveillance system that covers the entire surface of your building.
  • Do not use a rooted device. I personally like a Nexus 7 or a Nexus 10 tablet. Although they are rootable, they receive the most and quickest updates.
  • Use a separate Google account to sign in. Google accounts have some nice added features. One useful one here is Android Device Manager. Which allows you to locate, ring, lock, and erase your phone remotely, in the event it's lost or stolen.
  • If you are a Bitcoin Integration Services company and distribute PoS devices, you might want to consider using the same Google account for all devices you deploy. This way your clients can contact you to handle a lost device.
  • Disable the Backup and Restore feature. It doesn't really provide anything useful for what we are doing.
  • Disable everything you don't need. NFC, Bluetooth, etc.
  • Starting with Android 4.3, you can now add restricted user profiles to tablets. Sorry Android smartphone and iOS users. This is a saving grace for Android PoS systems, as it allows waiters to have restricted access under managers. For Coinbase and GoCoin use, restrict the waiter profile to only have access to the Coinbase app and the web browser. (Web browsers are insecure, however GoCoin does not have a stand alone app yet)
  • Coinbase Merchant app. The Coinbase merchant app blocks anyone from buying and selling bitcoins. It also includes a kiosk mode feature, which blocks access to everything other than the Coinbase app. This feature is very secure and highly valuable in a mobile PoS application.
  • Whitelist browser to only allow access to gocoin.com. Surefox Kiosk browser is nice for this. It's $35 to unlock all features. Purchasing the license allows you to change the default password to access browser settings, which is needed, otherwise the basic version would be fine.
  • If using GoCoin, only let a trusted party take payments. The reason for this is that GoCoin payments are done through the browser. GoCoin doesn't not have a stand-alone app or kiosk-type mode. Anyone taking payments on your mobile PoS device will be able to see your transaction history, add/remove bank and wire transfer accounts, and change your crypto-currency payout addresses.

Conclusions and Moving Forward

   First of all, this is not a complete guide. Things change often and I also did not mention any specific Coinbase or GoCoin account settings. With that in mind, If there is one thing I want taken away from this, it's that deploying mobile PoS devices at your favorite brick and mortar stores is very involved and should not be taken lightly. Wireless internet is a funky thing, transmission strength will always be a struggle, and encrypted or not you're still sending you data freely through the air for anyone to see. Moving forward, I would really like to see purpose built PoS devices using wired ethernet. Something much more trustless, not easily seen in the air waves, and not easily picked up and walked out with. Not sure how possible this is, because of how crypto-currency works, but it would be extra nice to see wired PoS devices on a completely separate internet than we all use. Good luck and happy deployments.

Offline Anthony1s

  • Litecoin Association Member
  • Jr. Member
  • ***
  • Posts: 25
Re: Anthony's Paranoid Guide to Mobile Crypto-Currency Payments
« Reply #1 on: January 10, 2015, 12:45:38 AM »
I want to update this post, because I found an easier way to setup and manage these point of sale devices. I figure anyone who comes across this thread would like to know. The pro is that it makes iOS devices more secure, so I can recommend them as POS devices now. The con is that it's a subscription based service, so there is a fee involved for using it.

What I'm talking about is Airwatch, MobileIron, or similar alternatives. I recently started working for a hardware deployment company and our clients use these services to manage and deploy their mobile devices. I've only recently looked into these services for my own projects. I probably won't update this post again with anymore information about these services, because I want anyone who needs to use them to research and figure out which company and service would work best for them.

Offline Bossman

  • Hardcore Member
  • *****
  • Posts: 3002
  • In Coblee we trust
Re: Anthony's Paranoid Guide to Mobile Crypto-Currency Payments
« Reply #2 on: January 10, 2015, 05:39:44 AM »
This is a very paranoid guide :P , The amounts of  [ltc] on my mobile wallets are always very small so I'm not too worried about losing them.