The Weakest Link, Part III: Infrastructure Is the Real Vulnerability

Over the past two editions, we looked at why cards are still dangerously easy to exploit — and why mobile wallets, while better, are far from bulletproof. But there’s a deeper issue underneath both.

The real problem isn’t the card. It’s not even the wallet.

It’s the infrastructure holding everything together.

Merchants. Acquirers. Terminals. Mobile PoS devices. They’re all part of a payment chain that still breaks in predictable, exploitable ways – even when you use the “secure” tools.

The mPOS Mess

Over the past few years, mPOS (mobile point-of-sale) systems exploded in popularity. From cafes and street markets to pop-up retail, everyone went lightweight and app-based. Devices got smaller, cheaper, faster to deploy.

Security got left behind.

Many modern mPOS terminals:

• Skip critical token validation checks

• Lack proper firmware updates or attestation

• Use third-party SDKs with zero transparency

• Treat wallet transactions the same way they treat magstripe swipes

The convenience of mobile-first payments came at a price, and we’re seeing that price now in live attacks.

• In our fieldwork, we saw vendors move from standalone terminals to Android-based all-in-ones.

• Most had no biometric enforcement. Some used outdated fallback logic. Few had consistent cryptogram validation.

Trusting the Terminal (When You Shouldn’t)

Most people assume Apple Pay or Google Pay is secure because it requires Face ID or a passcode.

That’s true – until the terminal doesn’t care.

Misconfigured or lazy payment flows allow:

• Biometric-free “Express” transactions on insecure endpoints

• Fallback to legacy logic when wallet features aren’t fully supported

• Token reuse due to missing backend enforcement

Many merchants rely on default settings. Many acquirers don’t push security updates. And many terminals treat tokenized transactions like any other card-present flow.

Real Failures from the Lab

We’ve seen this first-hand:

• NFC emulators tricking poorly configured terminals into authorizing wallet payments

• Cryptograms accepted twice when the merchant never checked freshness

• Express Transit used for purchases well outside its intended use

This isn’t a user hygiene issue. It’s a system design failure.

Even a secure wallet breaks down when the terminal it talks to never validated anything in the first place.

If You Handle Payments, Ask Yourself:

• Are our terminals enforcing one-time token rules?

• Are fallback flows too easy to trigger?

• Do we treat wallet transactions like real identity-verified auth events — or just fast card swipes?

• What happens if the merchant software is sideloaded or tampered with?

If the answer is “we’re not sure,” then you’re open to the exact attacks we’ve documented.

It's Not Just the Card or Wallet. It’s the Ecosystem.

Cards were weak. Wallets are better.

But none of it matters if the system they're built on is still insecure.

Until the infrastructure – the merchant logic, the terminal software, the acquirer networks — are all designed with real threat models in mind, attackers will keep finding their way in.

You can use the best tool in the world. If you plug it into a broken system, it still breaks.

Support the Research

Payment Village is an independent nonprofit founded by hackers and researchers.

We run workshops, CTFs, and live labs at DEF CON and beyond – all community-driven and sponsor-supported.

If your company touches payments, this work matters. → Sponsor our work or forward this to someone who needs to read it.