Point-of-sale (PoS) terminals made by Ingenico and Verifone, two of the world’s largest manufacturers, are said to contain security issues. According to Forbes, the vulnerabilities in the system makes credit cards data-stealing much more accessible and simpler to hackers.
In a Black Hat EU conference held last Thursday, December 10, 2020, cybersecurity researchers Aleksei Stennikov and Timur Yunosov said that the security issues within the PoS terminals may lead to millions of devices becoming compromised.
Among the models that were vulnerable to cyberattacks include the Ingenico Telium 2 series, the Verifone MX series, and the Verifone VX520, shared Threat Post.
These machines are reportedly used across various industries and different retailers, with more than seven million VX520 terminals, sold alone.
One of the issues presented by two researchers is that the point-of-sale terminals used the same default passwords in their systems. Forbes states that this allows individuals to access the service menu provided they have the default password.
These service menus can be exploited by threat hackers as these contained functions that open up the POS terminals to malware. Threat Post states that a simple Google search can offer hackers insight into the default passwords used by these PoS machines.
Ingenico reportedly even prevents the default passwords from being changed.
In a statement by the researchers on the Cyber R&D Lab blog, they said that “Through use of default passwords, we were able to execute arbitrary code through binary vulnerabilities (e.g., stack overflows, and buffer overflows).”
“These PoS terminal weaknesses enable an attacker to send arbitrary packets, clone cards, clone terminals, and install persistent malware,” continued the researchers.
Another main vulnerability that the researchers presented is that the PoS terminals could have been made vulnerable via the internal network, states Forbes. This can alter transactions and many others.
Threat Post revealed that the issues have since been addressed, with the vendors issuing a patch for the said vulnerabilities. Ingenico, in particular, maintained that they have not been made aware of any fraudulent access to payments.
