Verifone and Ingenico—security issues and vulnerabilities in POS terminals

Garima Kejriwal

December 10, 2020

Security vulnerabilities were discovered in two leading manufacturers of point-of-sale terminals technology, Verifone and Ingenico, making it open to various cyber-attacks. They were discovered by researcher Aleksei Stennikov and Timur Yunusov, head of offensive security research at Cyber R&D Lab, during a presentation at Black Hat Europe 2020. A point-of-sale (POS) terminal is a hardware system for processing card payments at retail locations. Software to read magnetic strips of credit and debit cards is embedded in the hardware. When a credit card or debit card is used to pay for something, a conventional POS terminal first reads the magnetic strip to check for sufficient funds to transfer to the merchant and then makes the transfer. The vulnerability discovered that POS terminals, through their default password option enables a cyber-criminal to send arbitrary packets, clone cards, clone terminals, install persistent malware, steal credit card details, and commit other forms of financial fraud at the cost of both buyers and retailers. After the disclosure, Verifone and Ingenico issued security patches to fix the vulnerabilities. However, it can’t be said for certain if it has been applied mandatorily across all POS terminals.

Abridged fromZDNet