Security vulnerabilities in point-of-sale (PoS) terminals produced by two of the biggest manufacturers of these devices in the world could have allowed cyber criminals to steal credit card details, clone terminals and commit other forms of financial fraud at the cost of both buyers and retailers.
The vulnerabilities in Verifone and Ingenico products – which are used in millions of stores around the world – have been detailed by independent researcher Aleksei Stennikov and Timur Yunusov, head of offensive security research at Cyber R&D Lab, during a presentation at Black Hat Europe 2020.
After being disclosed to the vendors, the vulnerabilities can now be fixed by applying security patches – although there is no way to be certain that retailers and others involved in the distribution and use of the PoS terminals have actually applied the updates.
One of the key vulnerabilities in both brands of device is the use of default passwords that could provide attackers with access to a service menu and the ability to manipulate or change the code on the machines in order to run malicious commands.
Researchers say these security issues have existed for at least 10 years while some have even existed in one form or another for up to 20 years – although the latter are mostly in legacy elements of the device that are no longer used.
Attackers could gain access to the devices to manipulate them in one of two ways. Either they physically gain access to the PoS terminal, or they gain access remotely via the internet and then use arbitrary code execution, buffer overflows and other common techniques that can provide an escalation of privileges and the ability to control the device – and to see and steal the data that passes through it.
Remote access is possible if an attacker gains access to the network via phishing or another attack and then moves freely around the network to the PoS terminal.
Ultimately, the PoS machine is a computer and if it's connected to the network and the internet, then attackers can attempt to gain access to and manipulate it like any other insecure machine.
The way the PoS terminal communicates with the rest of the network means attackers could access unencrypted card data including Track2 and PIN information, providing all the necessary information required to steal and clone payment cards.
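As an added illustration (not from the researchers' presentation or either vendor), the following detector could be run by a monitoring team over captured PoS-to-host payloads to flag Track 2 card data that crosses the network in plaintext; the sample message and PANs are constructed test values.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' start sentinel, PAN of up to 19 digits,
# '=' separator, expiry YYMM, 3-digit service code, discretionary data, '?' end.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, used to drop random digit runs that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four so the alert itself does not leak card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_plaintext_track2(payload: bytes) -> list:
    """Return one masked finding per Luhn-valid Track 2 record found in the payload."""
    text = payload.decode("ascii", errors="ignore")
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan, yy, mm, svc, _discretionary = m.groups()
        if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
            continue
        findings.append({
            "pan": mask_pan(pan),
            "expiry": f"{mm}/{yy}",
            "service_code": svc,
            "offset": m.start(),
        })
    return findings


# Constructed sample: a fake host message carrying one Luhn-valid test PAN
# (4111111111111111 is a publicly known test number) and one invalid digit run.
SAMPLE = b"\x02HOSTMSG;4111111111111111=25121011234567890?;1234567890123456=2512101?\x03"

if __name__ == "__main__":
    for hit in find_plaintext_track2(SAMPLE):
        print("plaintext Track 2 data found:", hit)
```

A real deployment would feed this from a packet capture or a network tap on the PoS segment and raise an alert on any hit, since card data should only ever leave the terminal encrypted.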
In order to protect against attacks exploiting PoS vulnerabilities, it's recommended that retailers using the devices ensure they're patched and up to date, and they should avoid using default passwords where possible.
It's also recommended that, if possible, PoS devices are on a different network to other devices, so if an attacker does gain access to the network via a Windows system, it's not as simple for them to pivot to the PoS devices.
Both PoS device manufacturers have confirmed they were informed of the vulnerabilities and that a patch has been released to prevent attackers exploiting them. Neither firm is aware of any instances of the vulnerabilities being exploited in the wild.
"Ingenico has not been made aware of any fraudulent access to payments data resulting from these vulnerabilities, already fully corrected. Every day, Ingenico works hard to implement, on a continuing basis, the highest standards of latest security technologies in order to protect its customers and end users and is closely monitoring the situation to avoid reoccurrence of this issue," an Ingenico spokesperson told ZDNet.
"We are aware of the issues raised potentially affecting a subset of our legacy payment devices. To date we are not aware of these vulnerabilities being exploited in the market," a Verifone spokesperson told ZDNet.
"The security firm has validated that our latest patches and software updates, which are available to all customers, remedy these vulnerabilities. Customers are currently in different phases of implementing these patches or software updates."