POS terminals may have some serious security vulnerabilities
Verifone and Ingenico customers should install the latest patches for their POS terminals now
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Security vulnerabilities have been discovered inPOSterminals from Verifone and Ingenico that could have allowed cybercriminals to steal credit card details, clone terminals and commit other forms of financial fraud.
Independent researcher Aleksei Stennikov and head of offensive security research at Cyber R&D Lab, Timur Yunusov first discovered the vulnerabilities over the course of 2018 and 2019 in the Verifone VX520, Verifone MX series, and the Ingenico Telium 2 series POS terminals.
The researchers presented their findings atBlack Hat Europe 2020earlier this month as well as in a newwhite paper. The vulnerabilities have now been addressed by both Verifone and Ingenico and customers should apply the latest security patches to avoid falling victim to any potential attacks.
Vulnerable POS terminals
The use ofdefault passwordsis one of the key vulnerabilities in the affected POS terminals from Verifone and Ingenico as they could provide an attacker with access to a service menu that would allow them to manipulate or change the machines' code in order to run malicious commands. According to Stennikov and Yunusov, these security issues have existed for at least 10 years while some have existed in legacy elements of these devices that are no longer used for up to 20 years.
To exploit these vulnerabilities, an attacker would either need to physically gain access to the POS terminal or do so remotely over the internet. This would allow them to execute arbitrary code, buffer overflows and other common techniques used to achieveprivilege escalationand gain full control over a device to see and steal the data that goes through it.
As a POS terminal is essentially a computer that is connected to the internet, an attacker could gain access to a retailer’s network via phishing or another attack method and then move laterally across the network to attack it. Due to the way POS terminals communicate with the rest of a network, an attacker could access unencrypted card data including Track2 and PIN information in order to steal and clone payment cards.
Retailers using affected POS terminals from Verifone and Ingenico should download and install the latest security patches now. If they haven’t already, retailers should also consider setting up their POS devices on a separate network to protect them further.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
According to Verifone and Ingenico, neither firm has observed any instances of these vulnerabilities being exploited by attackers in the wild.
ViaZDNet
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
Dangerous Android banking malware looks to trick victims with fake money transfers
Sophos Firewall hack on government network used an all-new custom malware
Quordle today – hints and answers for Thursday, November 7 (game #1018)
