Report: POS Devices Made by 2 Companies Contained Vulnerabilities

NEW YORK—Point-of-sale payment devices made by two of the industry’s biggest manufacturers contained vulnerabilities that made stealing credit card data much simpler, a new report suggests.

Millions of devices may be affected, according to cybersecurity researchers Timur Yunusov and Aleksei Stennikov, who recently presented their findings at the Black Hat EU security conference, Forbes reported.

The weaknesses lay in devices made by Verifone and Ingenico.

The first issue was that the devices used default passwords that let anyone with physical access through to a “service menu.” These menus contained functions that could be abused to write malware onto the terminals, according to the analysis. The malware could then gather up credit card numbers once the device was in use again. Though the terminals did encrypt credit card data, they did so on the same internal system already controlled by the malware, rendering the encryption useless, Forbes reported. An attacker would have all the information they required to clone cards and start stealing people’s money, the report added.

“The obvious barrier to a successful attack is in being able to get access to a terminal for long enough to download the malware. Yunusov, from the Cyber R&D Lab, said it would take between five and ten minutes to connect to the devices via USB and install the malicious card sniffer.

Patches in Place

“One of the vulnerabilities could also have been exploited over the internal network, so if a hacker found a way onto a shop’s IT systems they would have a way to install malware on the terminals to start pilfering credit card information,” Forbes explained.

The researchers provided Forbes with an image showing they’d fully compromised a Verifone terminal to display whatever they wanted.

Disclosure to Verifone and Ingenico started two years ago and the issues have now been patched, according to the vendors. Both companies said the attacks were limited, given the need for physical access and prior research to hack into them, Forbes said.

Copyright Holder: CUToday.info
Copyright Year: 2026
URL: https://cuto-admin.flux5.ccplatform.net/Fresh-Today/Report-POS-Devices-Made-by-2-Companies-Contained-Vulnerabilities