A study on the use of the new COTS device to implement a small-scale fraud attack by merchants
Abstract
With the evolution of payment methods, commercial payment has moved from traditional cash purchases to today's credit card transactions. The recording of goods delivery and payment has likewise moved from cash billing to large point-of-sale (POS) machines and small mobile payment devices. The emergence of these financial tools not only provides a more convenient consumer experience and helps merchants solve problems, but also gives the entire consumer environment a new appearance. In recent years, even more convenient mobile integrated payment tools, named Android Tap on Phone and iPhone Tap to Pay, have emerged; they turn mobile phones into mobile payment devices and give commercial off-the-shelf (COTS) devices a different role. However, potential risks are hidden beneath the benefits brought by these new COTS device payment services. The personal-information audit performed when applying for COTS device payment services may become a gateway for malicious merchants, who can use these COTS payment devices to deploy small-scale malicious payment attacks in crowded areas, forming an easy-to-execute and low-cost attack model.
This study not only identifies an attack model arising from the hidden problems of the new COTS device payment services, but also explores the factors and success rate required to carry out this attack. Moreover, we conduct an experiment to simulate how an attacker passes the personal and merchant audit applied to iPhone Tap to Pay. After that, we use the iPhone to carry out small-scale, unauthorized payment acceptance attacks on victims. Subsequently, we assess the feasibility and impact of using this attack for small-scale malicious payments and substantiate an attack model named Merchant's COTS Fraud Attack (MCFA), which can serve as a foundational reference for enhancing the security of payment acceptance services that use COTS devices.
Ching-Huang Lin, Ta-Wei Tseng, De-Cian Li, "A study on the use of the new COTS device to implement a small-scale fraud attack by merchants," Communications of the CCISA, vol. 30, no. 2, pp. 20-44, May 2024.
Published by Chinese Cryptology and Information Security Association (CCISA), Taiwan, R.O.C
CCCISA Editorial Office, No.1, Sec. 1, Shennong Rd., Yilan City, Yilan County 260, Taiwan (R.O.C.)
E-mail: ccisa.editor@gmail.com