April 7, 2014 - Mobile point-of-sale (mPOS) devices can be easily hacked, leaving banks, retailers and customers open to fraud, claims MWR InfoSecurity, which has even managed to play Flappy Bird on one reader.

Led by names such as Square, PayPal and iZettle, the mPOS market has mushroomed over the last couple of years, bringing card payments to small- and medium-sized businesses.

Outside of the US, manufacturers have built chip and PIN readers which have been certified as secure by the major card firms.

However, researchers at MWR Labs say that crooks can easily gain control over terminals, display 'try again' messages, switch to insecure mode and capture PINs.

The company's head of research says: "What we have found reveals that criminals can compromise the mPOS payment terminal and get full control over it. This would allow an attacker to gather PIN and credit card data, and event change the software on the device so that it accepts illegitimate payments."

Reporting their findings at the SyScan security conference in Singapore, the team showed that they were even able to use an iZettle-branded card reader built by Miura Systems - which provides devices to PayPal, Payleven and Worldpay, among others - to play a simplified version of the popular game Flappy Bird.

MWR is refusing to provide any details on how it hacked the readers but says that it has notified the vendors involved.