The biggest news in payments security in the last month concerns allegations that point of sale terminals supplied by PAX Technology have been subverted to have the capability of launching cyberattacks. Details of the allegations can be found at Krebs and Bloomberg; in response, PAX Technology has published a rebuttal.
The main allegation seems to be that the affected PAX terminals (which PAX imply are all Android-based) are capable of acting as command and control centres for launching cyberattacks, including the capability of hosting malware to be distributed as part of such an attack. There seems to be no allegation that payment data itself could be modified (or erroneously created) or leaked. The evidence adduced is that data packets, addressed to unadvertised destinations, contain data above and beyond that necessary to facilitate payments. How it has been deduced that such packets implement the type of attack that has been described has not been publicised, as far as we have been able to discover.
The facts on the ground are that a PAX Technology facility in the US has been raided by federal authorities (and PAX’s US security chief has subsequently resigned), and that FIS/Worldpay, one of the world’s foremost payment processors, has withdrawn PAX terminals from the US and the UK. That decision cannot have been taken lightly, given the potential for disruption to FIS’s customers at the best of times, and the current difficulty of procuring large volumes of any digital electronic equipment at short notice.
Supposing the allegations to be correct, how might the terminals have been compromised? In principle, that could be with the vendor’s knowledge; it could have occurred unbeknownst to the vendor somewhere in its supply chain; or a vulnerability could have been exploited in selected terminals after deployment.
PAX Technology has sought to explain network traffic that may have led FIS and law enforcement authorities to believe there was illicit traffic. It says that all servers to which the terminals connect are advertised in user documentation, and that non-payment data may be transmitted representing loyalty transactions and geolocation data, for example. It has noted that PCI certifications have been obtained for the relevant terminals. That particular defence doesn’t seem especially relevant to the allegations. PCI is aimed at the protection of payments data, which is not the subject of the allegation, nor are the packets that have been implicated relevant to payments, according to PAX itself.
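PAX’s defence rests on a checkable claim: every server a terminal talks to is listed in the user documentation. The following is an added example, not code from PAX, FIS or this post, showing how a network operator can turn that claim into a routine egress review: constructed flow records are compared against an assumed documented-server list, and outbound volumes to documented hosts are compared against a per-host baseline to catch “data above and beyond that necessary to facilitate payments”. All host names, ports and sizes are assumptions.

```python
"""Egress review for POS terminal traffic (added example; hosts and sizes are assumed)."""
from collections import defaultdict
from statistics import median

# Assumption: the destinations the vendor's user documentation advertises.
DOCUMENTED_HOSTS = {
    "pay.example-acquirer.test": {443},      # payment authorisation
    "loyalty.example-vendor.test": {443},    # loyalty transactions
    "telemetry.example-vendor.test": {443},  # geolocation / diagnostics
}

# Constructed flow records: (terminal_id, dst_host, dst_port, bytes_out)
SAMPLE_FLOWS = [
    ("T001", "pay.example-acquirer.test", 443, 1_200),
    ("T001", "loyalty.example-vendor.test", 443, 900),
    ("T002", "pay.example-acquirer.test", 443, 1_150),
    ("T002", "telemetry.example-vendor.test", 443, 2_400),
    ("T003", "pay.example-acquirer.test", 443, 1_300),
    ("T003", "cdn.unlisted.test", 8443, 48_000),        # not in the documentation
    ("T003", "pay.example-acquirer.test", 443, 35_000),  # documented host, abnormal size
]


def review_flows(flows, documented=DOCUMENTED_HOSTS, ratio=10.0):
    """Return (terminal, host, reason) findings for the given flow records.

    Check 1: destination host/port is not in the documented set.
    Check 2: outbound size exceeds `ratio` times the median for that host,
             i.e. more data than payments to that server normally need.
    """
    per_host = defaultdict(list)
    for _, host, _, size in flows:
        per_host[host].append(size)
    baseline = {host: median(sizes) for host, sizes in per_host.items()}

    findings = []
    for terminal, host, port, size in flows:
        if host not in documented or port not in documented[host]:
            findings.append((terminal, host, "undocumented destination"))
            continue
        if size > ratio * baseline[host]:
            findings.append((terminal, host, "outbound volume far above baseline"))
    return findings


if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(*finding)
```

The volume check is deliberately per-host, so loyalty or geolocation uploads that are legitimately larger than an authorisation message do not trip it; only a departure from that host’s own norm does.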
What are Consult Hyperion’s takeaways from this evolving situation?
Firstly, that large payments networks are absolutely strategic, both with regard to the transactions they support and to the wider economic infrastructure in which they are embedded. It has been our consistent advice to operators of large networks that they should assume that bad actors may have access to very large resources.
Secondly, that certification processes should not be assumed to be capable of identifying all vulnerabilities, because they are restricted in scope; therefore, thorough risk analyses, of wide scope, should be undertaken; and ethical hacking should be employed to identify weaknesses throughout.
Thirdly, that modern supply chains are complex and suppliers to end-customers must involve themselves in the security of subcontractors’ and partners’ design and development practices.
Fourthly, the trend to end-user payment devices being implemented on commercial-off-the-shelf platforms, while having a clear economic advantage, can facilitate a range of attacks that are much harder to implement on custom devices, designed expressly for a particular purpose.
I should say that none of this is being wise after the event; recommendations such as these have been part of the conclusions of many security and risk analyses we have undertaken recently for organisations across the globe using our Structured Risk Analysis (SRA) methodology.
If you’d like to understand more about how Consult Hyperion helps clients with technical and advisory services, and to learn more about how our SRA has delivered value to clients looking to harden their security processes, technical architecture, mobile applications, etc., drop an email to firstname.lastname@example.org or follow us on LinkedIn or Twitter (@chyppings). We’d be delighted to chat!