I am somewhat familiar with enterprise mobile device security. I can’t really say much more about how.
I would not use one of these devices to pay at a major retailer or chain restaurant. I’m less confident in them than I am in something like a Square reader on the local taco truck, for the following reason:
If there’s a major flaw discovered in the hardware or software running a small-scale POS, the POS vendor will ship a new version out, force security updates down the throats of their retail customers, and the retailer might be out a few hundred bucks and a couple of days’ worth of inconvenience.
The enterprise retailers (or large chains) will likely have thousands or tens of thousands of devices to update or replace, and probably a three-year plan on getting it done. It’s actually cheaper for them to eat a marginal increase in their breach insurance premiums than to fix the root cause of the problem.
Hopefully they’re using the chip, so nothing is (supposedly) stored. I just assume my credit card will be stolen, because if it’s not the pay at the table thing, it’s another waiter skimming it, or the next terminal I use, any of the places that I have recurring payments set up, or the bank themselves that leak it. I just get issued a new card, have to spend 45 minutes or so updating my recurring payments, and life goes on. If I’m going to go down the hole of which POS is secure enough to trust, then I may as well not buy anything. And don’t tell me cash is more secure, it just has different risks.
I take it a little further, if I’m there for a quick meal before an appointment…I’ll tell the server as soon as I am seated “Hey, Michelle, I’m a little bit rushed today, I need to be out of here in 30 minutes”.
The answer has always been “no problem”. And if I pick a menu item that has a long prep time, the waiter will let me know. IMHO, the restaurants love it when I do this - they can feed me quick and send me on my way, freeing up the table…without worrying about me feeling that I was being rushed.
Bet you didn’t know that when restaurant staff converge on a table to sing “Happy Birthday” to a patron, it’s meant to distract other diners so that accomplices can go through their coat pockets and purses.
The thing that makes these vulnerable isn’t the wireless. It’s:
a. Since customers have access to the device, prior to chip cards, it would be possible to install skimmers in these fairly easily.
b. Upstream, there’s a computer inside the restaurant these devices talk to. But that computer would be vulnerable even if all the devices were wired. There have been mass credit card hacks where hackers got into the upstream computer and got a bunch of card numbers at once.
With chip cards I wouldn’t worry about it. Those are much, much harder to steal from - I haven’t read of any thieves doing it. (I have read of security researchers finding vulnerabilities but large-scale crooks have not yet found a way to exploit them.)
What gets me is when I’m not particularly rushed. I might be enjoying a leisurely meal with friends spanning 90 minutes or more. In that circumstance, I’m even more annoyed when they disappear at check time. Places in NYC seem to be the worst, but I’ve seen this everywhere. (Fortunately rare, but quite annoying when it happens).