Security vulnerabilities have been discovered in POS terminals from Verifone and Ingenico that could have allowed cybercriminals to steal credit card details, clone terminals and commit other forms of financial fraud.
Independent researcher Aleksei Stennikov and Timur Yunusov, head of offensive security research at Cyber R&D Lab, first discovered the vulnerabilities over the course of 2018 and 2019 in the Verifone VX520, the Verifone MX series and the Ingenico Telium 2 series of POS terminals.
The researchers presented their findings at Black Hat Europe 2020 earlier this month and in a new white paper. Both Verifone and Ingenico have now addressed the vulnerabilities, and customers should apply the latest security patches to avoid falling victim to any potential attacks.
Vulnerable POS terminals
The use of default passwords is one of the key vulnerabilities in the affected Verifone and Ingenico terminals, because a default password gives an attacker access to a service menu from which the device's code can be manipulated or replaced and malicious commands run. According to Stennikov and Yunusov, these security issues have existed for at least 10 years, and some live in legacy components of the devices that are no longer used and have been present for up to 20 years.
Exploiting the vulnerabilities requires either physical access to the POS terminal or remote access to it over the internet. From there, an attacker could use buffer overflows, arbitrary code execution and other common privilege escalation techniques to gain full control of the device and view and steal the data that passes through it.
Because a POS terminal is essentially an internet-connected computer, an attacker could first gain a foothold on a retailer's network via phishing or another method and then move laterally across the network to reach the terminal. Due to the way POS terminals communicate with the rest of the network, an attacker in that position could read unencrypted card data, including Track2 and PIN information, and use it to steal and clone payment cards.
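The defensive counterpart to that last point is checking whether Track2 data crosses the network in the clear. The following is an added example written for this page, not code from the article or from the researchers' white paper: it scans captured payloads for the ISO/IEC 7813 Track2 layout (`;PAN=YYMM<service code><discretionary>?`), uses a Luhn check to suppress digit strings that merely look like a PAN, and reports only masked PANs. The payloads and the test card numbers are constructed for the example.

```python
import re

# Constructed sample of POS-to-host traffic framed with STX/ETX; the PANs are
# well-known Luhn-valid test numbers, not issued cards. The last entry has a
# PAN-shaped number that fails Luhn and must not be reported.
SAMPLE_PAYLOADS = [
    b"\x02TXN0001;4111111111111111=25121010000000000000?\x03",
    b"\x02HEARTBEAT ok\x03",
    b"\x02TXN0002;5500000000000004=26031010000000000000?\x03",
    b"\x02TXN0003;1234567812345678=26031010000000000000?\x03",
]

# Track2: start sentinel ';', 13-19 digit PAN, separator '=', YYMM expiry,
# 3-digit service code, optional discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_track2(payload: bytes) -> list:
    """Return masked findings for every Luhn-valid Track2 record in payload."""
    hits = []
    for m in TRACK2_RE.finditer(payload):
        pan = m.group("pan").decode()
        if not luhn_ok(pan):
            continue            # looks like a PAN but is not one; skip
        hits.append({
            "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": m.group("exp").decode(),
            "service_code": m.group("svc").decode(),
        })
    return hits


def scan_payloads(payloads) -> list:
    """Return (payload index, finding) pairs across a list of payloads."""
    return [(i, h) for i, p in enumerate(payloads) for h in find_cleartext_track2(p)]


if __name__ == "__main__":
    for idx, hit in scan_payloads(SAMPLE_PAYLOADS):
        print(f"payload {idx}: cleartext Track2 {hit}")
```

Any hit on a production segment means card data is leaving the terminal unencrypted and the affected path should be isolated and fixed, not merely logged.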
Retailers using affected POS terminals from Verifone and Ingenico should download and install the latest security patches now. If they haven't already, retailers should also consider setting up their POS devices on a separate network to protect them further.
According to Verifone and Ingenico, neither firm has observed any instances of these vulnerabilities being exploited by attackers in the wild.
Via ZDNet