Positive Technologies have looked at seven readers that cost less than 50$ – some of which are even from well-known companies like Paypal and Square. The results are not very promising. Five devices sport security vulnerabilities that would allow cybercriminals to trick customers into overpaying while two devices could be used to read out the PINs in plaintext.
For the first vulnerability hackers or fraudulent merchant would need to exploit Bluetooth and an insecure form of pairing that the readers use. After the task is accomplished the cybercriminal can tamper with the values: The final bill will now be higher than the amount on the reader that the customer gets to see.
The second vulnerability which would allow hackers to steal PIN numbers, was only present in devices manufactured Miura. Both PayPal and Square apparently were using them – at least until now. The attack is a bit more complicated since it includes an older firmware version that criminals might have to install first. Nonetheless such an attack (including downgrading the firmware if necessary and starting to exploit the devices) would only take a couple of minutes.
While all of the companies are working on fixing the issues and a making sure, that the vulnerabilities will be gone in the future, old devices that are still out there will stay insecure. No one can say how long they will stay in service and how many of them will be abused.