Yesterday, October 26th, Action News Jacksonville reported that FBI personnel executed a court-issued search warrant at Pax Technology in Jacksonville, FL. Very few details were known until Krebs on Security, a cybercrime-focused publication, reported further details:
Several days ago, KrebsOnSecurity heard from a trusted source that the FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals.
According to that source, the payment processor found that the PAX terminals were being used both as a malware “dropper” — a repository for malicious files — and as “command-and-control” locations for staging attacks and collecting information.
“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”
According to Krebs, the search was a result of a joint investigation opened by the FBI, Department of Homeland Security, Department of Customs and Border Protection, and Naval Criminal Investigative Services.
Sounds like a big deal right?
It might be.
What about Payments Industry Certifications?
You might be thinking “How could this be possible with PCI and EMV certifications?”. Apparently, this process is not as stringent as you would think. Manufacturers get certified once every two years and there’s absolutely no enforcement or monitoring after that. It is mostly a paperwork game, the process is easy to game, and a malicious company can change anything they want after the ROCs (Reports on Compliance) and certification letters come in.
Our industry uses certifications as security theatre and they have very little to do with actual security. Waving around certifications like they mean something may impress the bros at ETA, but they don’t mean much in the real world. A comment from a payments equipment developer:
I’ve personally worked for companies that put in all the security safeguards for the QSA, and then ripped them all out as soon as the paperwork was signed. I’ve seen payment devices deployed in the field with 777 unix permissions on the file system.
For those who aren’t super nerds, a 777 permission is “anyone can do anything” – every user and process on the device can read, modify, and execute the file – not great for a device designed to safeguard payment information.
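The kind of check that catches the 777 mistake above, as an added example that is not part of the original post or of any vendor’s tooling: walk a filesystem image and report everything that grants write access to “other”. The directory tree it audits is a constructed fixture, not a real terminal image.

```python
import os
import stat
import tempfile


def world_writable(root):
    """Walk `root` and return (relative_path, octal_mode) for every file or
    directory whose mode grants write access to 'other' (777 being the worst case)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are meaningless; the target is checked on its own
            if st.st_mode & stat.S_IWOTH:
                rel = os.path.relpath(full, root)
                findings.append((rel, oct(stat.S_IMODE(st.st_mode))[2:]))
    return sorted(findings)


def build_sample_tree():
    """Constructed fixture (not a real device image): one file left at 777
    next to two that are locked down properly."""
    root = tempfile.mkdtemp(prefix="perm_audit_")
    os.makedirs(os.path.join(root, "app"))
    os.chmod(os.path.join(root, "app"), 0o755)
    for name, mode in (("app/payment.bin", 0o777),
                       ("app/keys.dat", 0o600),
                       ("app/config.json", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("constructed sample content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, mode in world_writable(sample_root):
        print(f"world-writable: {path} (mode {mode})")
```

Run it against a mounted firmware image or a device’s root filesystem instead of the fixture to get the real list.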
Another developer added this comment:
I have worked directly with these terminals. They are running old versions of Android. It is up to the end user to update the firmware, etc. as newer versions come out. They also open up multiple Websocket/MQTT connections out to IP addresses in mainland China. Partners have complained about this and questioned why that is necessary. The terminals also have cameras and microphones on them, just like any Android does. It will be very interesting to see where this goes.
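This is the kind of egress review the processor in the Krebs report was doing: compare what the terminals actually connect to against the short list of destinations they are supposed to talk to. Added example, not from the original post or from any processor’s tooling; the terminal subnet, the allowlisted gateway addresses (TEST-NET placeholders) and the flow-log lines are all constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed layout: terminals sit in 10.20.0.0/24 and may only reach the
# processor gateway and the vendor update host (placeholder TEST-NET addresses).
TERMINAL_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_EGRESS = {
    ("203.0.113.10", 443): "processor-gateway",
    ("203.0.113.20", 443): "terminal-update-host",
}
MQTT_PORTS = {1883, 8883}  # plain and TLS MQTT; WebSocket usually rides 80/443

# Constructed flow-log lines (src,dst,dport,proto,bytes), not real traffic.
SAMPLE_FLOWS = """\
10.20.0.15,203.0.113.10,443,tcp,5120
10.20.0.15,198.51.100.77,8883,tcp,2048
10.20.0.22,203.0.113.20,443,tcp,900
10.20.0.22,198.51.100.77,443,tcp,16384
10.20.0.31,198.51.100.77,8883,tcp,256
10.20.0.31,10.20.0.1,53,udp,120
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, proto, nbytes = line.split(",")
        flows.append((src, dst, int(dport), proto, int(nbytes)))
    return flows


def unsanctioned_egress(flows):
    """Return {dst: {"ports", "terminals", "mqtt"}} for every destination a
    terminal reached that is not on the egress allowlist."""
    report = defaultdict(lambda: {"ports": set(), "terminals": set(), "mqtt": False})
    for src, dst, dport, proto, _ in flows:
        if ipaddress.ip_address(src) not in TERMINAL_NET:
            continue  # only terminal-originated traffic is in scope
        if (dst, dport) in ALLOWED_EGRESS:
            continue
        if ipaddress.ip_address(dst).is_private and dport == 53:
            continue  # local resolver; assumed legitimate here
        entry = report[dst]
        entry["ports"].add(dport)
        entry["terminals"].add(src)
        entry["mqtt"] = entry["mqtt"] or dport in MQTT_PORTS
    return dict(report)
```

Anything the function returns is a destination to ask the vendor about, and a destination several terminals share on an MQTT port is exactly the command-and-control pattern the report describes.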
What does the FBI investigation on PAX mean for the payments industry?
Last week, WorldPay/FIS, one of the world’s largest processors, discontinued certification for PAX devices. I have a hard time believing that the two events are not connected. Other companies, like PaySafe, have temporarily suspended deployment of PAX devices while others are loading up on these same devices assuming that “this too shall pass”.
If PAX has somehow left openings in their firmware for malicious files or deployment of malware and that is discovered as a result of this investigation, two things can happen – PAX will implode, or security firmware will be pushed out to all devices. I think it’s pretty safe to count on the latter – there are just too many of these devices out there – millions – and too many point of sale systems that rely on semi- or full-integration to the PAX devices.
In September, Pax addressed security issues that were discovered by Positive Technologies, just as Ingenico did in 2020 for its Telium series, and Verifone for its systems as well. These things happen, and fixes/patches are deployed to address them. As technology safeguards get stronger, hackers get more inventive. It’s like the old adage – one that is more poignant than ever today – hard times create hard men, hard men create soft times, soft times create soft men, soft men create hard times.
After all, Micros, one of the most popular legacy point of sale systems in the market today, is a gaping vortex of security problems. Granted, this is a point of sale system and not an actual payment device, but the logic remains the same. It’s still in the market, and Oracle (its owner) and Shift4 (its primary processing partner and gateway) have made changes and updates to protect the system. It’s still not great, but it’s still in the market running just about every single airport snack you purchase.
What are we doing?
Until this is addressed, we are halting deployment of Pax A-series, which operate on an old version of Android. The S-series, their older hardware, has an OS that is more protected as it doesn’t have as many capabilities for third-party applications, and will continue to be deployed on an “integration need” basis.