Security researchers Aleksei Stennikov and Timur Yunusov recently unearthed vulnerabilities in devices from two of the largest manufacturers of point-of-sale (PoS) terminals: Verifone and Ingenico.
The vulnerabilities presented during Black Hat Europe 2020 could have enabled cybercriminals to steal credit card data, clone terminals, and perform other forms of financial fraud. Both buyers and retailers could be affected. More specifically, affected devices include Verifone VX520, Verifone MX series, and the Ingenico Telium 2 series.
The vulnerabilities were disclosed to the vendors, and patches are now available. However, it may take time before all involved parties apply the patches.
Verifone and Ingenico PoS Vulnerabilities Described
One of the flaws in the PoS devices of the two manufacturers allowed the use of default passwords, which could provide hackers with access to a service menu. Once obtained, this access could enable them to manipulate the machines’ code to run malicious commands. Some of the vulnerabilities have been there for at least a decade, and others for up to 20 years. The older flaws are mostly located in legacy elements that aren’t in use anymore.
How can hackers exploit the PoS bugs? One way is through physical access to a vulnerable PoS terminal. If this is not possible, access can be obtained remotely via the Internet. Either way, hackers aim to perform arbitrary code execution, buffer overflow attacks, and any other malicious technique that ensures escalation of privileges and admin control. The end purpose, of course, is to steal financial data.
How can remote access to a network be obtained? Through phishing or another type of attack that opens the gate to the network and the PoS device. PoS devices are computers, and if they are connected to the network and the Internet, cybercriminals can attempt to gain access just like in a regular computer attack. Attackers can even access unencrypted card data, including Track2 and PIN details, which could help them steal and clone payment cards.
For security reasons, it’s highly recommended that retailers keep PoS devices on a different network. That way, if attackers gain access to the network through a Windows system, it would be harder for them to reach the PoS terminals.
Both Verifone and Ingenico have confirmed their knowledge of the vulnerabilities. A patch has already been released to prevent attacks. There is no information about the flaws being exploited in the wild. More details are available in the researchers’ report.
In 2018, Positive Technologies researchers reported vulnerabilities in mPoS (mobile Point-of-Sales) devices affecting vendors Square, SumUp, iZettle, and PayPal. The discovery was also announced during the Black Hat conference. Attackers could alter the amount charged to a credit card, or force customers to use other payment methods, like magstripe.