Kiosk Public Service Announcement – POS Terminals and PAX
From Krebs Oct 26
- #1 it is still to be determined what has happened.
- PAX terminals are used widely in kiosk machines and all types of Point-Of-Sale
- Couple of financial providers in US and UK have started pulling the terminals
- Cyberheists are common. Think back to Target, Home Depot and Heartland
- Comes at a bad time with holiday season already in swing
- Additional speculation that PAX is a victim
U.S. federal investigators today raided the Florida offices of PAX Technology, a Chinese provider of point-of-sale devices used by millions of businesses and retailers globally. KrebsOnSecurity has learned the raid is tied to reports that PAX’s systems may have been involved in cyberattacks on U.S. and E.U. organizations.
Headquartered in Shenzhen, China, PAX Technology Inc. has more than 60 million point-of-sale terminals in use throughout 120 countries. Earlier today, Jacksonville, Fla. based WOKV.com reported that agents with the FBI and Department of Homeland Security (DHS) had raided a local PAX Technology warehouse.
In an official statement, investigators told WOKV only that they were executing a court-authorized search at the warehouse as a part of a federal investigation, and that the inquiry included the Department of Customs and Border Protection and the Naval Criminal Investigative Services (NCIS). The FBI has not responded to requests for comment.
Several days ago, KrebsOnSecurity heard from a trusted source that the FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals.
- I believe we will find out that PAX was the victim of a cyber attack that leveraged vulnerabilities in the PAXSTORE to exploit the app marketplace and a subset of Android terminals. Vulnerabilities that PAX has at least made a concerted effort to patch long before the FBI ever started to investigate. Other than possible negligence, I believe PAX will be found to have not acted maliciously. Not only should PAX survive this ordeal, but it will cause them to strengthen the security of their Android platform and associated security protocols, and ultimately they and their partners and customers will be better off.