By Dale S. Laszig
DSL Direct LLC
When payment data is compromised, it is rarely a personal heist. Bad guys crack a safe filled with millions of credentials, which they then sell, exploit and reuse. Occasionally, fraudsters will trip an alarm, setting off advanced fraud detection systems that flag their activity. Other times, they go undetected for months, siphoning data and credentials with impunity until a retailer or financial institution makes an announcement from a script we can recite from memory.
Digital commerce is a spawning ground for competing technologies, good and bad. Good tech strives to keep us connected, protected, engaged and transacting. Bad tech lurks behind familiar brand symbols, spraying and preying unceasingly, trying to rob us of our identities and money. Good and bad tech are playing an impersonal, high stakes game.
Why do forensic investigations take months to complete? Maybe it’s because bad actors are stealthy and have learned how to cover their tracks. It takes time to sift through the minutiae of a compromised database, and no two attacks are completely alike; each is tailored to specific characteristics of a network, database and security infrastructure.
Like all technology, there can be more to a POS system than meets the eye. The worst thing we can do as a payments community is generalize or rush to judgement. The best thing we can do is stand together against all types of attacks. Why give bad actors a chance to divide and conquer?
The payments journey has become more collaborative in recent years; individual brands have learned that no one company can be all things to all people. We've knocked down proprietary technology silos in favor of open-source systems and APIs. We've shared ideas, technologies and inspiration to advance payment card security, cross-border commerce and global app marketplaces. These collaborations were well underway before COVID-19 inspired us to use our platform to help neighbors, merchants and each other survive a global business shutdown.
In our payments ecosystem, when a member gets hurt, we are all impacted. We have stood together against supply chain challenges and natural and economic disasters. Why stop now, when one of our leading manufacturers is under attack? Few facts are available regarding accusations against PAX Technology, only that some machines may have been compromised.
This is not the first time someone has publicized a vulnerability in a credit card terminal. At the 2020 Black Hat EU conference, Verifone and Ingenico were cited for vulnerabilities in select legacy models, which both firms promptly rebutted. If we allow merchants to succumb to a mob mentality and aggressively swap out PAX equipment for other brands, it would be a wasted effort for them and for us. It would be far more prudent to let PAX, a longstanding and proven technology partner, provide guidance and oversight to help our merchants protect their existing infrastructure.
We owe it to ourselves and to our customers to get more information before we act, or we could expose our customers to another attack against a different hardware platform. I learned this the hard way when my mobile phone was hacked, and I ran to another mobile carrier, only to be promptly hacked again before my new service order was processed.
My recent experience as a victim in a large class of impacted consumers was not all terrible. It showed me there are systems in place to help those affected navigate remediation, patch vulnerabilities and stay safe. It showed me what matters is not whether an individual or company gets attacked; bad things happen to good people and are no cause for shame. What matters is how the individual or company responds to the crisis. And from what I can see, PAX is doing everything right.
Companies like PAX, with global reach and strong capitalization, will always be compelling targets for malicious parties. However, few facts are available about two recent high-profile incidents at PAX Technology. The first, reported by The Green Sheet on Sept. 10, 2021, involved a third-party developer citing a code vulnerability in the company's S920 and D210 devices, which PAX had previously addressed and patched. The second, which The Green Sheet reported on Oct. 28, 2021, involved an FBI raid of the company's Jacksonville, Fla., headquarters, ostensibly due to security concerns.
In an Oct. 29, 2021 blog post, "PAX Technology announcement and resumption of trading," PAX maintained that subsequent to the FBI raid, the company had not seen any material adverse changes to its operations or business, nor had it seen any cyberattacks perpetrated from PAX devices anywhere in the world. The company affirmed it would continue to serve partners and customers to the best of its ability, using high product standards.
"The Company notes the KrebsOnSecurity Article did not provide particulars of any such 'reports,'" PAX representatives wrote. "It only referred to a second hand hearsay quote from the 'source' of the writer that referred to other unnamed sources that 'there is tech proof of the way that the terminals were used in attack ops.'" PAX noted these are unsubstantiated allegations.
It may not be clear to payments industry outsiders, but POS terminals have come a long way from auth and settlement. To my earlier point, there is more to POS terminals and their underpinning technologies than meets the eye. PAX acknowledged this in its Oct. 29 statement, by attempting to explain the inner workings of their terminals.
Large data packets transmitted from PAX devices may look suspicious to an untrained eye, but today's terminals transmit more than just payment data, PAX engineers explained. Terminals may also send geolocation, loyalty program data and device telemetry, such as CPU and memory usage and software update histories, they added.
"Therefore, depending on how consumer businesses (where the Group’s payment terminals are typically deployed) are operated and the configuration of communication of the applications with host, 'data packets' or 'network packets' sizes can vary and be larger than what basic payment data would involve," wrote PAX Technology engineers.
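The practical takeaway from PAX's explanation is that packet size alone is a poor indicator of compromise: a terminal that legitimately reports telemetry, loyalty data and geolocation will send far more than a bare authorization message. What a merchant or acquirer can check is whether each terminal's outbound traffic goes only to destinations it is configured to talk to, and whether a given flow is out of line with what the rest of the fleet sends to that same destination. The following script is an added example written for this article, not code from PAX or from any terminal vendor; the flow records, hostnames and thresholds are constructed placeholders, and the allowlist and fleet-median heuristic are assumptions about how a deployment might be monitored.

```python
"""Triage POS terminal egress flows against a destination allowlist and
per-destination fleet baselines, so large-but-normal telemetry is not
flagged while truly anomalous flows are."""
import statistics
from collections import defaultdict

# Constructed sample flow records: (terminal_id, destination host, bytes sent).
# These are not real captures, and the hostnames are placeholders, not any
# vendor's real endpoints.
SAMPLE_FLOWS = [
    ("T-001", "gateway.example-processor.test", 640),
    ("T-002", "gateway.example-processor.test", 702),
    ("T-003", "gateway.example-processor.test", 655),
    ("T-001", "telemetry.example-tms.test", 3100),   # routine telemetry is large
    ("T-002", "telemetry.example-tms.test", 2950),
    ("T-003", "telemetry.example-tms.test", 3300),
    ("T-002", "loyalty.example-merchant.test", 910),
    ("T-003", "loyalty.example-merchant.test", 880),
    ("T-001", "loyalty.example-merchant.test", 47000),  # far above fleet norm
    ("T-002", "198.51.100.7", 512),                      # not on the allowlist
]

# Assumed per-deployment allowlist of hosts a terminal is expected to reach.
ALLOWED_HOSTS = {
    "gateway.example-processor.test",
    "telemetry.example-tms.test",
    "loyalty.example-merchant.test",
}

MIN_SAMPLES = 3    # below this many flows to a host, skip the size check
SIZE_FACTOR = 4.0  # flag flows larger than this multiple of the host's fleet median


def destination_baselines(flows, allowed_hosts):
    """Return {host: (median_bytes, sample_count)} over allowed hosts only.

    Baselines are built per destination, not per terminal, because a single
    terminal sends very different sizes to its processor, its terminal
    management system and its loyalty back end."""
    sizes = defaultdict(list)
    for _terminal, host, nbytes in flows:
        if host in allowed_hosts:
            sizes[host].append(nbytes)
    return {host: (statistics.median(v), len(v)) for host, v in sizes.items()}


def flag_flows(flows, allowed_hosts, size_factor=SIZE_FACTOR, min_samples=MIN_SAMPLES):
    """Return a list of flagged flows with a human-readable reason each."""
    baselines = destination_baselines(flows, allowed_hosts)
    flagged = []
    for terminal, host, nbytes in flows:
        if host not in allowed_hosts:
            # Destination check first: an unexpected host is suspicious at any size.
            flagged.append({"terminal": terminal, "dst_host": host, "bytes": nbytes,
                            "reason": "unexpected destination"})
            continue
        median, n = baselines[host]
        if n < min_samples:
            # Edge case: too little history for this host; a size verdict would be noise.
            continue
        if nbytes > size_factor * median:
            flagged.append({"terminal": terminal, "dst_host": host, "bytes": nbytes,
                            "reason": f"{nbytes} bytes exceeds {size_factor:g}x the fleet "
                                      f"median ({median:g}) for this host"})
    return flagged


if __name__ == "__main__":
    for item in flag_flows(SAMPLE_FLOWS, ALLOWED_HOSTS):
        print(item)
```

On the constructed data, the 3 KB telemetry uploads pass because every terminal sends roughly that much to the telemetry host, while the 47 KB flow to the loyalty host and the flow to an unlisted address are the two that surface. In a real deployment the allowlist would come from the terminal management system's configuration and the baselines from historical flow logs rather than from an inline list.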
Until more facts come to light, all I am saying is give PAX a chance.
Dale S. Laszig, senior staff writer at The Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content strategist. Connect via email email@example.com, LinkedIn www.linkedin.com/in/dalelaszig/ and Twitter @DSLdirect.