Original Release Date: 12/17/2020
Researchers disclosed vulnerabilities affecting widely used point-of-sale (PoS) terminals manufactured by Verifone and Ingenico. The primary flaw resides in the use of default password settings, which give users access to service modes such as hardware configuration and other available functions; Ingenico devices prevented users from changing the default password. These passwords are easily found using a search engine. If an attacker gains access to the service mode, they may be able to leverage additional vulnerabilities to perform various attacks, such as modifying data transfer in the PoS terminal, altering transactions, cloning credit cards using stolen data, and targeting banking institutions with additional attacks. The flaw may be exploited either locally or remotely. The default password and arbitrary code execution vulnerabilities affect the Verifone VX520 and Verifone MX series, and the Ingenico Telium 2 series. Though patches were made available to customers in November 2020, the vendors determined that many users have not completed the patching process. At the time of this writing, the vendors are unaware of any exploitation of these vulnerabilities.
The NJCCIC recommends that owners of affected devices immediately apply patches and change default passwords where possible. Additionally, consider segmenting networks and keeping PoS devices on a separate network from the one on which general business is conducted. We also advise consumers to make purchases with credit cards when shopping, as they often have better consumer fraud protections than debit cards. Further details can be found in the ZDNet article.