U.S. federal investigators today raided the Florida offices of PAX Technology, a Chinese provider of point-of-sale devices used by millions of businesses and retailers globally. KrebsOnSecurity has learned the raid is tied to reports that PAX’s systems may have been involved in cyberattacks on U.S. and E.U. organizations.
FBI agents entering PAX Technology offices in Jacksonville today. Source: WOKV.com.
Headquartered in Shenzhen, China, PAX Technology Inc. has more than 60 million point-of-sale terminals in use throughout 120 countries. Earlier today, Jacksonville, Fla.-based WOKV.com reported that agents with the FBI and Department of Homeland Security (DHS) had raided a local PAX Technology warehouse.
In an official statement, investigators told WOKV only that they were executing a court-authorized search at the warehouse as a part of a federal investigation, and that the inquiry included the Department of Customs and Border Protection and the Naval Criminal Investigative Services (NCIS). The FBI has not responded to requests for comment.
Several days ago, KrebsOnSecurity heard from a trusted source that the FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals.
According to that source, the payment processor found that the PAX terminals were being used both as a malware “dropper” — a repository for malicious files — and as “command-and-control” locations for staging attacks and collecting information.
“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”
KrebsOnSecurity reached out to PAX Technology’s CEO on Sunday. The company has not yet responded to requests for comment.
The source said two major financial providers — one in the United States and one in the United Kingdom — had already begun pulling PAX terminals from their payment infrastructure, a claim that was verified by two different sources.
“My sources say that there is tech proof of the way that the terminals were used in attack ops,” the source said. “The packet sizes don’t match the payment data they should be sending, nor does it correlate with telemetry these devices might display if they were updating their software. PAX is now claiming that the investigation is racially and politically motivated.”
The source was unable to share specific details about the strange network activity that prompted the FBI’s investigation. But it should be noted that point-of-sale terminals and the technology that supports them are perennial targets of cybercriminals.
It is not uncommon for payment terminals to be compromised remotely by malicious software and made to collect and transmit stolen information. Indeed, some of history’s largest cyberheists involved point-of-sale malware, including the 2008 breach at Heartland Payment Systems that exposed 100 million payment cards, and the 2013-2014 string of breaches at Target, Home Depot and elsewhere that led to the theft of roughly another 100 million cards.
Even if it were publicly proven today that the company’s technology was in fact a security risk, my guess is few retailers would be quick to do much about it in the short run. The investigation into PAX Technology comes at a dicey time for retailers, many of whom are gearing up for the busy holiday shopping season. What’s more, global computer chip shortages are causing lengthy delays in procuring new electronics.
Thank you for all you do to keep us informed.
It is rare for payment terminals to be compromised. Target & Home Depot had their point-of-sale systems compromised. Not the terminals connected to those systems. Barnes & Noble in 2021 (https://arstechnica.com/information-technology/2012/10/hackers-steal-data-from-compromised-barnes-noble-payment-terminals/) is one of the few
Think you mean 2012 instead of 2021, unless the folks at B&N have some bad news coming their way!
Spotted that too Tim, was hoping I’d find a clarification on that here in the comments.
Spot on Tim.
Unwilling victim of poor security controls on its devices, or press-ganged / coerced victim of the PLA and other nefarious forces of the CCP? One wonders, but based upon the shrill response to inquiries, collusion with offensive state forces of the Chinese Communist Party would appear the more likely. In other words this was a strategic attack against the businesses of the US and UK.
C’mon, man, that is “racially and politically motivated.”
lol c’mon, man, can’t a lying dog face pony corrupt politician make some dirty money the old fashion way?!.. by selling out his country to a known and confirmed enemy?
my goodness man.. if you don’t trust me?!.. then you ain’t american.
but hide your kids, fair warning. No move along.. nothin to see here, git!
Da! But true nonetheless
This has little to do with race and everything to do with politics. The Chinese Communist Party, through its Ministry of State Security and various branches of the People's Liberation Army, has made it a key strategic imperative to infiltrate the governments and corporations of foreign powers, no matter how big or small, and whatever ethnicity or nationality, for at least a decade. This has been directed at both military espionage and the wholesale theft of commercial trade secrets and intellectual property to support the CCP's 'Made in China 2025' program and others before it.
The Mandiant APT1 report published in 2013 highlighted the nefarious activities going back years of just one of the PRC's military units – China's 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department (Military Cover Designator 61398). Of course there are many more. Some have their activities directed at Western powers, and others at the PRC's neighbors, including Taiwan.
Viewed in isolation through the conceptual lens of innocence this may be just another of many manufacturers of low quality products that failed to adequately secure their technology and who were victimized by cyber criminals from who knows where. Viewed through a different lens this may be a far more nefarious problem of back-doored Chinese made technology sold globally with far darker state espionage purposes. It certainly wouldn’t be the first either.
C’mon Man.. is your full name Ricked Rolled?
Everyone knows the CCP is the sweetest, kindest, most trustworthy iron-fisted dictators on planet earth!
They've even set up nice lodging and housing for the Uyghur Muslims and promised them liberty and freedom via a steel boot to the face.
Xinnyy the pooh would be very disappointed in your harsh assessment of the CCP.. he might even think you might think you have dementia or somthin?!!!
Well best be gettin back to hidden, don't want the possums to get lonely.
I have personal experience with their espionage techniques, and their efforts are well documented for at least 40 years. The internet just made it easier. They have a superiority complex and disdain for anyone not Chinese.
They remind me of the Japanese in December 1941.
That worked out well for the Japanese….
Americans today are not the Americans of the 1940s. Already 40% of our population are traitors to the USA who supported and continue to support the overthrow of a fairly elected government based on believing their own lies. Don't expect the same outcome for the US in a WWIII.
Typical paranoia of destruction. It seems that your media has done a very successful job in discrediting the Communist Party. The Communist Party has become a devil in your mind. I think it's sad that you are full of biased remarks. What China should do is to develop itself through its own strength, not to destroy others. This is something you can't understand, because you are always full of aggression, superiority and ignorance. I think PAX only wants to do business with you guys, not help the Communist Party. And the Chinese Communist Party will not have such low-level needs. What we have achieved now is beyond the imagination of you fools. We have learned or are learning from you in some areas, just as you have learned from us. Or we all share the common knowledge of mankind in various fields. However, we have surpassed you in some areas, and these areas have been increasing. Put down your arrogance. Only when we all live in peace can the people of the world have a future. Don't be fooled by politicians.
My comments have been deleted. Is that what you call freedom of speech?
Freedom of speech only applies to government suppressing it. This is a private publication owned by Brian Krebs and moderated by him and the people he employs. They can delete any messages they feel don't meet the standards of the board, which he sets.
Just like Twitter banning Donald Trump. That’s not stifling Free Speech. That’s private companies deciding they’re not going to perpetuate gross violation of their published standards.
I don’t see any pending comments from you. I don’t generally delete comments here, except from people who are quick to mistake my automated spam detection system for “censorship”.
It does feel like it could be Politically motivated.
Bingo!
I would like to point out a common misunderstanding that appears in this article. It is actually uncommon for payment terminals to be compromised. Many of these devices are typically independently certified and tested under the PTS standard. Payment workstations, the Point of Sale system itself, which are PCs or tablets, are another matter. Many of these POS breaches involved terminals running in a "fully integrated" mode where the POS received the card data and facilitated the communication with the payment processor. I can't think of a single major breach that was actually the card entry device and not the POS system.
PAX, like Verifone and Ingenico, has many PTS certified terminal models. In this case, if certified devices were responsible for this traffic then that would be huge news! A PAX supplied POS workstation or tablet would seem more likely.
I write payment terminal firmware for a living and you are very naive.
Even some of their newer Android based chip card machines are running fairly old versions of Android. At least both the a920 and a80 are running something like Android 7.
I worked at PAX. Same warehouse off beach by the radio stations. This article is true.
Listen, if you go around telling these salespeople and client managers what’s really going on in the code, they won’t be able to sell your software in good conscience. So let’s just keep everything on a need-to-know basis…
This is absolutely correct and a very important distinction.
It's not even close to correct and if you read the article, it's the actual terminals that were running malware. And payments industry certifications are a joke. You get certified once every two years and there's absolutely no enforcement or monitoring after that. They're mostly paperwork, the process is easy to game, and a malicious company can change anything they want after the ROCs and certification letters come in. You sound like you work for an ISO or processor in deep trouble now.
SREDD Coder – you live in the real world! We are looking for a terminal firmware developer, but it’s a challenging specialty to find. Any suggestions where to look for trustworthy people with this skillset?
You can connect with me,email address:476088799@qq.com
I’ve been in the industry for 20+ years. The Whittle Group is terrific. https://whittlegroup.com/
in a nutshell… this is the long game for CCP.. they want full control of all production of any computer system, software, manufacturing, new tech gained by legal or illegal means if possible.
By doing so they can and will install backdoors, malware, root kits, etc. into the device from start to finish..
no need for hackers or fear of hackers getting traced back to them.. if security vuls are baked into the cake from the start.
Back before credit card processors allowed payments over the Internet, so quite some time ago, there was a unique company that could process payments over the Internet. What they had done was take payment terminals and hack them so that the card-not-present data coming from the Internet was injected into the payment terminal and processed as a card-present payment. The guy that did the hack said it took him a couple of hours to figure out the first terminal, and then a few minutes after that, most of which was drilling a hole into a particular part of the case and squirting in foam to lock up the anti-tamper microswitch.
So even before Internet-connected devices these things were only about as secure as a generic laptop with case-open detection. Now, with Internet connections and legacy firmware going back twenty years with patches upon patches upon patches to handle all the broken variants of cards and protocols and whatnot and a total absence of secure coding practices, it's not surprising that they could be overrun with malware. In fact the biggest difficulty I can see is that the lack of spare space for the code/data and godawful existing code running on some custom BSP that it has to interface with would make it tricky to write.
Citation needed
I remember them days. Then once card not present (internet based) started taking off it was no fun getting them approved by credit. Lol. You know there are several ways fraud or gathering data can be obtained if the POS provider is in on it. Yet to me just because they raided a POS provider facility doesn't mean that the company itself was involved. Might be a company involved, might be the company is a tool for the Chinese government, or could be the act of someone else and the company was just an access point for them to try to obtain info. I can say that if the fraud guys that work in that dark corner of the server (joke) started watching any transaction coming from a certain POS system it was serious. Those people don't scream fox in the hen house unless there is a fox in the hen house.
Remember that the PCI certification is mainly about protecting PIN and card data – not preventing the device from doing other bad things. In this case it may be that the malware is not stealing card data like most previous attacks (Target etc., which really drove the push for PCI DSS, P2PE etc) but rather simply using the terminals as a launching pad for other network based attacks on infrastructure – a very different threat than what PCI, EMV etc are normally focused on.
Couple this with the trend towards turning the payment devices into more general purpose platforms for running merchant applications (POS, loyalty etc) and general purpose operating systems (with PAX and others adopting Android – often older versions) it could well be that malware targeting phones has “crossed over”, whether deliberate or accidental. Either way, doesn’t look good for PAX.
Assuming these are Android-based devices, it would be interesting to see the application signing and authorisation methods: is app signing authorised by PAX only, or can it be a 3rd party as well?
These are most likely Android terminals. Pax is regularly deploying firmware updates to the platform, which could have been used to plant the malware. Original PCI PTS certification can be easily compromised via the flawed firmware release management with and even without PAX direct involvement.
While I agree that it is rare for payment terminals themselves to be compromised, many devices now are 2-in-1, i.e., they function as both the POS (running Android) and the (hardened) terminal itself. PAX indeed have a range of such devices. So it is likely to be the POS part of the device that was compromised, but still the device 🙂
It’s an open secret in the payments industry that PAX was started with stolen IP. No surprise at all to see them involved in something like this.
Along with the rest of China.
Really? So you say PAX was started by ripping off Softpay? Or Verix? Or ACT/UCL?
Come on, this is nonsense.
On the other hand, S920 design was copied by another company (Vx690).
Same happened with Huawei against Cisco
Remember, this is from a totalitarian country that unleashed the pandemic on the world
I wonder if the malware is in the show URL?
The difference between this scenario and the many data breaches of the past is that PAX has/had infected payment terminals – all of the other breaches were the result of infected point-of-sale systems – not hardware payment terminals.
Oh my God…..What are we going to do???
The same thing they always do Pinky.
OK slow your roll everybody… We don’t have enough information here!
The Heartland breach ended up being an inside job done with a keylogger. (this was not the initial conclusion)
If this was done to glean credit card numbers, then someone is doing a lot of work for very little money.
It doesn’t make sense.
They could’ve been hacked.
Why don’t we let the FBI do their job without speculation!
Finally a common sense comment here.
SREDD Coder – you live in the real world! We are looking for a terminal firmware developer, but it’s a challenging specialty to find. Any suggestions where to look for trustworthy people with this skillset?
I am a retired embedded programmer but I still do contract work. I have been coding since the early 80's.
Reply with a phone number if you want to chat.
SRED Coder knows this industry well. Many payment terminal vendors remove anti-tamper hardware after the device is approved by PCI.
https://youtu.be/RDrfE9I8_hs
They could’ve been hacked. Why don’t we let the FBI do their job without speculation!
Plenty of ignorant racists and subjects of MKUltra and Operation Mockingbird.
Did they find proof that Huawei phones and 5g equipment was spying on people? After two years niet, nada. But they sure banned them.
Could be a hack for sure or could be another geopolitical shakeup from the USA. They don’t want Chinese made & designed devices in the hands of Americans.
I did research on them for fun but was not looking for malware. But I can state that both the Prolin based ones and the Android ones are a security mess -> https://git.lsd.cat/g/pax-pwn
But in general, as far as I could observe, they do not expose by default any port, not even in LAN, thus should be hard to compromise en masse. Not that US or EU vendors are any better in terms of security though.
All businesses in China must commit to the CCP that their businesses will support and cooperate with the CCP.
I wonder what this means for Disney. I know that they use pax devices all across both Walt Disney World and Disneyland…
Mike, is that you???
SREDD Coder is correct. I have worked directly with these terminals. They are running old versions of Android. It is up to the end user to update the firmware, etc. as newer versions come out. They also open up multiple Websocket/MQTT connections out to IP addresses in mainland China. Partners have complained about this and questioned why that is necessary. The terminals also have cameras and microphones on them, just like any android does. It will be very interesting to see where this goes.
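The article's source describes how the processor noticed the problem: packet sizes from the terminals matched neither payment traffic nor a software update, and the commenter above reports terminals opening WebSocket/MQTT connections to addresses that have nothing to do with payment processing. The following is an added example from the editor, not code from KrebsOnSecurity, PAX or any processor, showing the kind of flow-log triage a merchant or processor SOC can run to surface exactly those signals. All policy values (the terminal subnet, the two allow-listed endpoints, the size and duration envelopes) and the flow records are hypothetical and constructed for the example; it goes slightly beyond the article by also flagging large inbound payloads from non-update endpoints, which is what a dropper fetch would look like.

```python
"""Flow-log triage for a fleet of payment terminals (editor's example; all values constructed)."""
from __future__ import annotations

import csv
from dataclasses import dataclass
from io import StringIO
from ipaddress import ip_address, ip_network

# --- Policy: hypothetical values a merchant/processor would set for its own fleet ---
TERMINAL_NET = ip_network("10.20.0.0/24")        # subnet where the POS terminals live
ALLOWED_ENDPOINTS = {                            # (host, port) a terminal is expected to contact
    ("198.51.100.10", 443): "payment gateway",
    ("198.51.100.11", 443): "firmware/update server",
}
UPDATE_SERVER = ("198.51.100.11", 443)
MAX_AUTH_BYTES_OUT = 4_096       # an authorization request is a few hundred bytes
MAX_AUTH_BYTES_IN = 4_096        # and the response is smaller still
MAX_SESSION_SECONDS = 120        # authorization sessions are short-lived
CONTROL_PLANE_PORTS = {1883: "MQTT", 8883: "MQTT over TLS", 8080: "HTTP-alt/WebSocket"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int      # terminal -> remote
    bytes_in: int       # remote -> terminal
    duration_s: float


def parse_flows(text: str) -> list[Flow]:
    """Parse CSV flow records with columns src,dst,dport,proto,bytes_out,bytes_in,duration_s."""
    reader = csv.DictReader(StringIO(text))
    return [
        Flow(r["src"], r["dst"], int(r["dport"]), r["proto"],
             int(r["bytes_out"]), int(r["bytes_in"]), float(r["duration_s"]))
        for r in reader
    ]


def classify(flow: Flow) -> list[str]:
    """Return the reasons a single flow deviates from the payment-traffic envelope."""
    if ip_address(flow.src) not in TERMINAL_NET:
        return []                                   # not a terminal; out of scope here
    reasons: list[str] = []
    endpoint = (flow.dst, flow.dport)
    if endpoint not in ALLOWED_ENDPOINTS:
        reasons.append(f"unapproved destination {flow.dst}:{flow.dport}")
    if flow.dport in CONTROL_PLANE_PORTS:
        reasons.append(f"control-plane protocol port ({CONTROL_PLANE_PORTS[flow.dport]})")
    if flow.bytes_out > MAX_AUTH_BYTES_OUT:
        reasons.append(f"outbound volume {flow.bytes_out} B exceeds authorization envelope")
    if flow.bytes_in > MAX_AUTH_BYTES_IN and endpoint != UPDATE_SERVER:
        reasons.append(f"large inbound payload {flow.bytes_in} B from a non-update endpoint")
    if flow.duration_s > MAX_SESSION_SECONDS:
        reasons.append(f"long-lived session ({flow.duration_s:.0f}s), beacon-like")
    return reasons


def triage(text: str) -> dict[str, list[str]]:
    """Group findings by terminal so an analyst sees which devices need isolation first."""
    findings: dict[str, list[str]] = {}
    for flow in parse_flows(text):
        reasons = classify(flow)
        if reasons:
            findings.setdefault(flow.src, []).extend(reasons)
    return findings


# Constructed sample: two normal terminals, one talking MQTT/WebSocket to unknown hosts,
# one pushing far more data to the gateway than an authorization needs, one non-terminal host.
SAMPLE_FLOWS = """src,dst,dport,proto,bytes_out,bytes_in,duration_s
10.20.0.15,198.51.100.10,443,tcp,812,640,3.2
10.20.0.15,198.51.100.11,443,tcp,1200,2400000,95.0
10.20.0.23,203.0.113.77,8883,tcp,51200,3100,3600.0
10.20.0.23,203.0.113.80,8080,tcp,2200,1900000,14.0
10.20.0.31,198.51.100.10,443,tcp,96000,700,4.1
192.168.5.9,203.0.113.77,8883,tcp,51200,3100,3600.0
"""

if __name__ == "__main__":
    for terminal, reasons in triage(SAMPLE_FLOWS).items():
        print(terminal)
        for reason in reasons:
            print("  -", reason)
```

The update server is the one endpoint allowed to send a large inbound payload; a multi-megabyte download from anything else is treated as a dropper fetch rather than a firmware update, which is the distinction the processor's telemetry check in the article relies on. The thresholds are deliberately simple; in production they would come from a baseline of the fleet's own authorization traffic.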
“PAX is now claiming that the investigation is racially and politically motivated.”
Which is the typical response when a Chinese company is accused of wrongdoing. Don’t deny it. Don’t show that the investigators are incorrect. They immediately throw down the race card and whine that it’s all politically motivated when caught with their hands in the cookie jar. Just so predictable from the Chinese it’s disgusting.