Friday, September 10, 2021
Ivachev stated he found stack buffer overflow errors during a routine investigation, which attackers could exploit to gain access to keystore and protected memory of affected devices. "The chains of these and some other vulnerabilities made it possible to intercept user card data (Track 2, PIN) and send arbitrary data to the processing of the acquiring bank (for this, attackers would need encryption keys that could be extracted from the terminal)," he said in a statement.
Ivachev additionally noted that Positive Technologies was not working directly with PAX to address these issues but has audited POS devices for financial institutions and other clients to determine cyber threat models.
"During these audits, our experts test if real-world cyber threats can be realized on the terminal under several different scenarios to identify possible weaknesses and methods malicious hackers could leverage in attacks," he said. "The process usually lasts for about three months, and we report those findings back to the bank and other affected entities so the risks we identify can be addressed before criminals exploit them."
As POS technology evolves from fixed points of sale to myriad points of interaction, remote key injection and terminal provisioning provide opportunities for terminal estate holders and criminals alike, security experts have noted.
Commenting on POS digital transformation, Justin Pike, founder and chairman of MYPINPAD, mentioned that the PCI Security Standard Council (PCI SSC) introduced two new security standards in 2019: Software-based PIN entry on Contactless Solutions (SPoC), which pertains to PIN entry, and Contactless Payments on Contactless Solutions (CPoC), which uses near-field communications technology without PIN entry. Together, these standards extended PCI compliance beyond fixed POS hardware to phones, tablets and other connected devices.
In a March 12, 2021 blog post titled, "Payments in 2021 and Beyond: the final bastion for payment security is software," Pike stressed the importance of securing all software-based payments solutions with dynamic, modern, end-to-end security.
"The hardware-based payment terminals we are all familiar with are like Fort Knox," Pike wrote. "PCI standards have done an incredible job of ensuring the ongoing security of these boxes." He added that software-based solutions tend to outperform traditional terminal software, which has limited reporting capability, by working in tandem with artificial intelligence to monitor, detect and eliminate fraud attacks anywhere globally, "in almost real time."
Ivachev agreed that POS terminals need robust security to protect many pieces of software, including third-party applications, which power a range of ancillary applications, which may include firmware, drivers, Bluetooth, Wi-Fi, General Packet Radio Service, Domain Name System, Dynamic Host Configuration Protocol services, operating system loaders (such as U-Boot and RedBoot), and drivers for Near Field Communication, smart cards and magnetic card readers.
"All these pieces of software should always be updated to the latest versions for optimal POS security; however, this usually doesn't happen, because there are often difficulties adapting a new software version to a specific version of the terminal," Ivachev said.
John Cragg, chief executive officer at MYHSM, extolled the value of managed payment hardware security modules (HSMs) as a secure, cost-effective alternative to on-premises, hardware-based HSMs. "We've leveraged the trend towards cloud services to become the first global company to offer such a hosted service using Thales payShield HSMs in world-class data centers," he said. "The payShield Payment HSM security solution delivers high assurance protection for ATMs and POS credit and debit payment transactions."
Will LaSala, director of security solutions and security evangelist at OneSpan, said he has seen a similar evolution from hardware-based to virtual secure elements in mobile phones, which has enabled hackers to scale. "Today's newer phones, like the Pixel 3, Pixel 4, Pixel 5, have virtual SIM cards, so you don't actually have to get a physical SIM card," LaSala said, adding that attackers can inject stolen user credentials into a virtual SIM card and then sign up with T-Mobile, AT&T or any carrier that supports virtual SIMs, using a stolen username and password.
Before virtual SIMs, a criminal would have to walk into a cell phone store, oftentimes using a fake ID, and the store would issue a new physical SIM card, LaSala explained. Before today's batch-processed SIM swaps, there were targeted attacks against individuals, he added. Today's attacks are broader, he noted, and criminals can buy a list of phone numbers and IMEI numbers and batch force them to see which ones work.
"Once an IMEI number and phone number have been changed, banks and service providers have a difficult time validating their customers," LaSala said. "How do they know that you're the right person when hackers have changed your security questions? It's definitely a big mess and the United States is behind other regions when dealing with this type of attack."
Ivachev emphasized that POS terminals should block attackers from opening the terminal shell and gaining access to hardware, PIN-code encryption keys and other transaction data, which should all be destroyed from the inside if the terminal detects tampering. Most terminals have built-in tamper detection but in some cases, criminals can exploit tamper errors and gain access to sensitive data, he added.
"Through terminals, criminals can steal user data, as well as attack card processing and other bank service systems," Ivachev said. "To counter this, you need to update third-party software on the terminal in a timely fashion, search for software vulnerabilities (including by third-party forces through Bug Bounty programs) and fix them."
Most modern hardware platforms are designed to make it complicated for hackers to exploit vulnerabilities, even those that are not yet fixed in the terminal software, Ivachev explained, noting that continuous updates are the best defense against known and emerging threats. He advised payments industry stakeholders to invest in modern systems with updated processors, systems on a chip (SoCs) and robust software, adding that vulnerabilities in updated Android operating systems tend to be more difficult to exploit than on other terminals.
Ivachev praised PAX for swiftly remediating S920 and D210 device vulnerabilities. "[W]e did not participate in the creation of patches, but we have confirmed that these vulnerabilities are no longer present in the new version of the software and commend PAX Technology for addressing the issues."
Editor's Note: The Green Sheet also reached out to PAX Technology for comment on this story.