In the News:
Point-of-sale payment devices made by two of the industry’s biggest manufacturers contained vulnerabilities that made stealing credit card data much simpler. Millions of devices may be affected, according to cybersecurity researchers Timur Yunosov and Aleksei Stennikov, who will present their findings at the Black Hat EU security conference on Thursday.
The weaknesses lay in devices made by Verifone and Ingenico. The first issue was that they used default passwords that let anyone with physical access through to a “service menu.” These menus contained functions that could be abused to write malware onto the terminals. The malware could then hoover up credit card numbers once the device was in use again. Though the terminals did encrypt credit card data, they did so on the same internal system already controlled by the malware, rendering it useless. An attacker would have all the information they required to clone cards and start stealing people’s money.
The obvious barrier to a successful attack is getting access to a terminal for long enough to load the malware onto it. Yunosov, from the Cyber R&D Lab, said it would take between five and ten minutes to connect to the devices via USB and install the malicious card sniffer. One of the vulnerabilities could also have been exploited over the internal network, so if a hacker found a way onto a shop’s IT systems they would have a way to install malware on the terminals and start pilfering credit card information.
The researchers provided Forbes with an image showing they’d fully compromised a Verifone terminal to display whatever they wanted.
Disclosure to Verifone and Ingenico started two years ago and the issues have now been patched, according to the vendors. Both companies said the attacks were limited in scope, given that exploiting them required physical access and prior research into the devices.
A Verifone spokesperson said the affected devices were “legacy” and the company was not aware of the vulnerabilities being exploited by real-world hackers.
“The security firm has validated that our latest patches and software updates, which are available to all customers, remedy these vulnerabilities. Customers are currently in different phases of implementing these patches or software updates,” a spokesperson added.
An Ingenico spokesperson said: “Different vulnerabilities impacting Ingenico POS Telium 2 terminal solutions have been identified. Proper security measures have been developed immediately to include suitable corrections after the vulnerabilities have been identified.
“Ingenico has not been made aware of any fraudulent access to payments data resulting from these vulnerabilities, already fully corrected.” They added the company “is closely monitoring the situation to avoid reoccurrence of this issue.”
The original article can be found here.