
POS terminals may have some serious security vulnerabilities


Security vulnerabilities have been discovered in POS terminals from Verifone and Ingenico that could have allowed cybercriminals to steal credit card details, clone terminals and commit other forms of financial fraud.

Independent researcher Aleksei Stennikov and Timur Yunusov, head of offensive security research at Cyber R&D Lab, first discovered the vulnerabilities during 2018 and 2019 in the Verifone VX520, the Verifone MX series, and the Ingenico Telium 2 series of POS terminals.

The researchers presented their findings at Black Hat Europe 2020 earlier this month and in an accompanying white paper. Both Verifone and Ingenico have since addressed the vulnerabilities, and customers should apply the latest security patches to avoid falling victim to any potential attacks.

Vulnerable POS terminals

Default passwords are one of the key weaknesses in the affected Verifone and Ingenico terminals: they give an attacker access to a service menu from which the device's code can be manipulated or replaced in order to run malicious commands. According to Stennikov and Yunusov, these security issues have existed for at least 10 years, and some of them, in legacy components of the devices that are no longer used, for up to 20 years.

To exploit these vulnerabilities, an attacker would need either physical access to the POS terminal or remote access to it over the internet. With that access, they could use buffer overflows and other common memory-corruption techniques to execute arbitrary code, escalate privileges and take full control of the device, which in turn lets them see and steal the data that passes through it.

Because a POS terminal is essentially an internet-connected computer, an attacker could gain a foothold on a retailer's network via phishing or another attack method and then move laterally across the network to reach the terminal. Due to the way POS terminals communicate with the rest of the network, an attacker in that position could access unencrypted card data, including Track 2 and PIN information, in order to steal and clone payment cards.
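The practical consequence of the point above is that card data crossing the retailer's network in the clear is trivially recoverable by anyone who can capture that traffic. As an added example (not code from the researchers, the vendors, or the original article), the following Python scanner looks for cleartext Track 2 data in captured payloads. It relies on the standard Track 2 layout from ISO/IEC 7813 (PAN of up to 19 digits, `=` field separator, expiry as YYMM, a three-digit service code, discretionary data, with optional `;` and `?` sentinels) and uses the Luhn check to suppress false positives. The sample payloads, the `find_track2` and `mask_pan` helpers, and the test PAN 4111111111111111 are all constructed for this illustration and are not taken from the page.

```python
import re
from dataclasses import dataclass
from typing import List

# Track 2 as it appears in an unencrypted payload (ISO/IEC 7813):
#   ;PAN=YYMM SSS discretionary?
# Some devices strip the ';' and '?' sentinels, so both are optional here.
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(payload: bytes) -> List[Track2]:
    """Return every Luhn-valid Track 2 record found in a captured payload."""
    text = payload.decode("ascii", errors="ignore")
    hits = []
    for m in TRACK2_RE.finditer(text):
        if luhn_valid(m.group("pan")):  # drops random digit runs that merely look like a PAN
            hits.append(Track2(m.group("pan"), m.group("exp"),
                               m.group("svc"), m.group("disc")))
    return hits


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so an alert never logs a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample payloads (hypothetical; the first imitates a terminal-to-host
# message framed with STX/ETX, the others are benign traffic).
SAMPLE_PAYLOADS = [
    b"\x02TXN 0001 ;4111111111111111=27121011234567890?\x03",  # cleartext Track 2
    b"POST /pay HTTP/1.1\r\n\r\nid=9876543210=2712&amount=1500",  # no 13-19 digit PAN
    b"host=terminal-07 status=ok",
    b";4111111111111112=2712101000?",  # looks like Track 2 but fails the Luhn check
]


def scan(payloads: List[bytes]) -> List[str]:
    """Return one masked-PAN alert string per Track 2 record found."""
    alerts = []
    for idx, payload in enumerate(payloads):
        for rec in find_track2(payload):
            alerts.append(f"payload {idx}: Track 2 in clear, PAN {mask_pan(rec.pan)}, "
                          f"exp {rec.expiry_yymm}, service code {rec.service_code}")
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_PAYLOADS):
        print(line)
```

Run against a real capture, the same logic would be fed the reassembled TCP payloads between the terminal and the payment host; any hit means card data is leaving the device unencrypted and the terminal's network path needs to be treated as hostile.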

Retailers using affected POS terminals from Verifone and Ingenico should download and install the latest security patches now. If they have not already done so, retailers should also consider placing their POS devices on a separate, segmented network so that a compromise elsewhere on the corporate network cannot reach them directly.

According to Verifone and Ingenico, neither firm has observed these vulnerabilities being exploited by attackers in the wild.

Via ZDNet