3AI Digital Library

PoS Terminals Open Consumers to Fraud

3AI December 13, 2020

Point-of-sale terminal vendors Verifone and Ingenico have issued mitigations after researchers found the devices use default passwords.

Researchers are detailing widespread security issues in point-of-sale (PoS) terminals – specifically, three terminal device families manufactured by vendors Verifone and Ingenico.

The issues, which have been disclosed to the vendors and since patched, open several popular PoS terminals used by retailers worldwide to a variety of cyberattacks. Affected devices include the Verifone VX520, the Verifone MX series, and the Ingenico Telium 2 series. These devices are widely used by retailers – for instance, more than 7 million Verifone VX520 terminals have been sold.

“Through use of default passwords, we were able to execute arbitrary code through binary vulnerabilities (e.g., stack overflows, and buffer overflows),” said researchers with the Cyber R&D Lab team, in a new analysis of the flaws this week. “These PoS terminal weaknesses enable an attacker to send arbitrary packets, clone cards, clone terminals, and install persistent malware.”

PoS terminals are devices that read payment cards (such as credit or debit cards). Of note, the affected devices are PoS terminals – the device used to process the card – as opposed to PoS systems, which include the cashier’s interaction with the terminal as well as the merchants’ inventory and accounting records.

Security Issues

Researchers disclosed two security issues in these PoS terminals. The primary issue is that they ship with default manufacturer passwords – which a Google search can easily reveal.

“Those credentials provide access to special ‘service modes,’ where hardware configuration and other functions are available,” said researchers. “One manufacturer, Ingenico, even prevents you from changing those defaults.”

After tearing down the terminals and extracting their firmware, researchers looked closer at the special “service modes” and found that they contain ‘undeclared functions.’

“In Ingenico and Verifone terminals, these functions enable execution of arbitrary code through binary vulnerabilities (e.g., stack overflows, and buffer overflows),” said researchers. “For over 20 years, these ‘service super modes’ have allowed undeclared access. Often, the functions are in deprecated or legacy code that’s still deployed with new installs.”

Attackers could leverage these flaws to launch an array of attacks. For instance, the arbitrary code-execution issue could allow attackers to send and modify data transfers between the PoS terminal and its network. Attackers could also read the data, allowing them to copy people’s credit card information and ultimately run fraudulent transactions.

“Attackers can forge and alter transactions,” they said. “They can attack the acquiring bank via server-side vulnerabilities, for example in the Terminal Management System (TMS). This invalidates the inherent trust given between the PoS terminal and its processor.”

Researchers reached out to both Verifone and Ingenico, and patches for the problems have since been issued.

Verifone was informed at the end of 2019, and researchers confirmed that vulnerabilities were fixed later in 2020. “In Nov 2020 PCI has released an urgent update of Verifone terminals across the globe,” said researchers.

Meanwhile, researchers said it took almost two years to reach Ingenico and receive a confirmation of that fix.

“Unfortunately, they didn’t partner with us through the remediation process, but we’re glad it’s fixed now,” they said.
