Cyber security expert Brian Krebs reported in his blog Krebs on Security that the US warehouse of leading Chinese payment terminal manufacturer PAX Technology was raided today by the FBI. PAX is headquartered in Shenzhen, China, and the Jacksonville, FL, facility is its US headquarters. The company has over 60 million point-of-sale payment terminals deployed in 120 countries, including a large installed footprint in the US.
Krebs reports that he has obtained information from a trusted source that the FBI began investigating PAX after a major US payments processor identified unusual network packets originating from the company’s payment terminals. The payment processor reportedly found that the PAX terminals were being used both as a repository for malicious files, or a malware “dropper,” and as “command-and-control” locations for staging attacks and collecting information.
According to Krebs’ source, “FBI and MI5 are conducting an intensive investigation into PAX. A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”
In an official statement issued by the FBI, investigators said only that they were executing a court-authorized search warrant in conjunction with the Dept. of Customs and Border Protection (CBP) and the Naval Criminal Investigative Service (NCIS).
According to Krebs, “My sources say that there is tech proof of the way that the terminals were used in attack ops; the packet sizes don’t match the payment data they should be sending, nor does it correlate with telemetry these devices might display if they were updating their software. PAX is now claiming that the investigation is racially and politically motivated.”
It is worth noting that, following a rash of attacks and subsequent breaches of the point-of-sale (POS) systems of large retailers like Home Depot, Target, and others, POS software providers pivoted to remove payment data from their systems. The broad functionality a POS system needs to run a retailer's business requires many integrations with other retailer systems (finance, inventory, etc.) and many points of access, creating vulnerabilities even where those systems are fully PCI compliant.
Most POS software providers now operate payments in what is known as a “semi-integrated” environment, where the POS system only “wakes up” the payment terminal to accept the customer payment credentials, which the payment terminal then sends directly to the processor, only returning a token and approval code to the POS system. This architecture keeps sensitive customer payment information only within the payment terminal, a purpose-built device that is security-certified to very high standards, and considered to be much more secure.
Despite the ongoing attacks on retailer and processor systems, including the 2008 breach of Heartland Payment Systems that exposed 100 million customer payment credentials, this is the first known infiltration of a payment terminal itself operating in a stand-alone or semi-integrated environment.
PAX is a leading provider of terminals to POS software companies, which operate them in a semi-integrated environment, and to banks and processors, which deploy them as stand-alone payment terminals. The Android OS and robust SDK make them a favorite in many diverse card acceptance environments, and consumers like the simple keyboard layout and clear prompts.
Bloomberg reported that leading global payment processor WorldPay from FIS has begun to replace PAX devices with payment terminals manufactured by French company Ingenico and US-based Verifone.
WorldPay issued a statement stating that it no longer deploys PAX point-of-sale devices “because it did not receive satisfactory answers from PAX regarding its POS devices connecting to websites not listed in their supplied documentation,” according to a spokesperson. “While we have no evidence that data running through PAX POS devices has been compromised, we have been working directly with clients to replace those devices with other options at no cost to them and with as little disruption to their business as possible.”
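The two signals described above, packet sizes that do not match what an authorization should carry (Krebs' source) and terminals connecting to hosts not listed in the vendor's supplied documentation (WorldPay's statement), are both things a merchant or processor can check from its own flow logs. The following is an added example of that triage, written for this article and not code from PAX, WorldPay or any processor; the endpoint list, terminal ids, hostnames and byte counts are all constructed stand-ins, and the update host is included only to show that large inbound update downloads from a documented host should not be flagged.

```python
"""Added example: triage payment-terminal egress against a vendor's documented
endpoint list and an authorization-size baseline. All names and numbers are
constructed; nothing here is PAX's, WorldPay's or any processor's code."""
from collections import defaultdict
from dataclasses import dataclass
import statistics

# Constructed stand-in for the endpoint list a terminal vendor ships with its
# documentation; a real deployment would load the vendor's published list.
DOCUMENTED_ENDPOINTS = {
    "gateway.processor.example",        # authorization / tokenization host
    "updates.terminal-vendor.example",  # firmware and software updates
}


@dataclass(frozen=True)
class FlowRecord:
    """One aggregated flow (NetFlow/IPFIX or firewall log) from a terminal.
    bytes_out is what the terminal sent, bytes_in what it received."""
    terminal_id: str
    dst_host: str
    dst_port: int
    bytes_out: int
    bytes_in: int


def undocumented_destinations(flows):
    """Map terminal id -> set of destination hosts absent from the documented list."""
    hits = defaultdict(set)
    for f in flows:
        if f.dst_host not in DOCUMENTED_ENDPOINTS:
            hits[f.terminal_id].add(f.dst_host)
    return dict(hits)


def egress_outliers(flows, baseline, z=3.0):
    """Return flows whose outbound byte count exceeds the baseline mean by more
    than z standard deviations. Only egress is checked: a software update is
    large *inbound* traffic from the documented update host and is expected."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline)
    if stdev == 0:
        return []
    return [f for f in flows if (f.bytes_out - mean) / stdev > z]


def triage(flows, baseline):
    """Combine both checks into {terminal_id: sorted list of reason strings}."""
    findings = defaultdict(set)
    for tid, hosts in undocumented_destinations(flows).items():
        for h in hosts:
            findings[tid].add(f"undocumented destination {h}")
    for f in egress_outliers(flows, baseline):
        findings[f.terminal_id].add(
            f"egress size {f.bytes_out}B outside authorization baseline")
    return {tid: sorted(r) for tid, r in findings.items()}


# Constructed fleet baseline: outbound bytes of ordinary authorization requests.
AUTH_BASELINE = [640, 700, 720, 760, 800, 820, 860, 900]

# Constructed sample flows; 203.0.113.7 is a TEST-NET-3 address used as a placeholder.
SAMPLE_FLOWS = [
    FlowRecord("T-1001", "gateway.processor.example", 443, 750, 1200),           # normal auth
    FlowRecord("T-1002", "203.0.113.7", 8443, 48000, 300),                      # undocumented host, oversized egress
    FlowRecord("T-1003", "gateway.processor.example", 443, 980, 1100),          # slightly large, inside the band
    FlowRecord("T-1004", "updates.terminal-vendor.example", 443, 900, 5_000_000),  # update download, expected
]

if __name__ == "__main__":
    for tid, reasons in triage(SAMPLE_FLOWS, AUTH_BASELINE).items():
        print(tid, "->", "; ".join(reasons))
```

Run against the constructed flows, only terminal T-1002 is reported, with both reasons; T-1003's slightly larger authorization stays inside the 3-sigma band and T-1004's large inbound update is ignored because only egress is compared to the baseline. The destination check is the same question WorldPay put to the vendor, reduced to a set difference, so it is only as good as the documented list you are given.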
PAX CEO Andy Chau issued a rebuttal saying that, “PAX would like to assure all customers that we stand behind the security of our products and services. Every PAX device goes through stringent internal and external testing and certifications to ensure payment data is protected in accordance with industry security standards. Our policies are designed to ensure that information sent through PAX devices is transmitted securely only to the intended recipients.”
Overview by Don Apgar, Director, Merchant Services Advisory Practice at Mercator Advisory Group