FBI Raids Chinese Point of Sale Giant Pax Technology

a reply to: AugustusMasonicus

I do a lot of work with NCR, i'm sure most of the card readers those machines use here in the UK are Ingenico, now you've raised this issue i'll be paying more attention that's for sure.

Do Pax manufacture and re-brand EPOS hardware or just the EFT readers?

a reply to: AugustusMasonicus

That's crazy...8 years!

With the level of cyber tracking they already use in china I imagine they would know quite a lot about everybody anywhere that used their terminals. Wonder if it was state sponsored and if they will skip back to china before being arrested?

I just literally got home from loading out money 2020 show. Did you see the game show stage out in the expo hall? That's the one I helped build.

a reply to: AugustusMasonicus

POS systems combined with Wi-Fi or similar, whether through the Internet or an Intranet are NOT secure to begin with.

It doesn't matter WHICH system it is....RUBY, PAX, etc...

As you know, Wireless Security is an oxymoron, and, most, if not, all of these systems use wireless somewhere.

They'd be stupid not to utilize these systems as part of a botnet.

originally posted by: ElGoobero
So Chin has had eight years to get our info
and now its safe for Bai-Den to close the door and be a security hero?

Not really seeing the political angle, this is more of an economic issue in my opinion since most of the United States likes cheap Chinese garbage.

originally posted by: Hypntick
These types of supply chain style attacks are one of the reasons that some of us in the know have been discussing supply chain security for years now. Not only when it comes to hardware and validating that what you're buying actually is what you're buying, but also the software side of things that the code is secure and has not been tampered with. It's just now gaining traction when it comes to those types of assessments and audits, when myself and other colleagues have been talking about it for a decade now.

I agree, however the standards are loose at best right now and there is no compulsion to be proactive.

originally posted by: Grenade
Do Pax manufacture and re-brand EPOS hardware or just the EFT readers?

I'm fairly certain they have a POS device family.

originally posted by: RickyD
With the level of cyber tracking they already use in china I imagine they would know quite a lot about everybody anywhere that used their terminals. Wonder if it was state sponsored and if they will skip back to china before being arrested?

They are claiming it was a third party attack privately and only addressed the stock drop publicly. Needless to say that if Fiserv got pissy about it it's probably something very serious.

I just literally got home from loading out money 2020 show. Did you see the game show stage out in the expo hall? That's the one I helped build.

I did. Did you work the Journey performance too?

originally posted by: MykeNukem
POS systems combined with Wi-Fi or similar, whether through the Internet or an Intranet are NOT secure to begin with.

The issue is the extra data in kernel transmission, it provided information that you would normally have to try and piece together with corresponding data in other transmissions which made it easier to identify the owner.

Just an FYI, outside of the local TV station which filmed the raid by drone there is almost no word of this in the news.

Reminder: Ask which brand of payment device a merchant is using and do not use a Pax terminal.

a reply to: AugustusMasonicus

Insurance providers are starting to wise up to it, most of the engagements I've been on involving supply chain assessments or audits have been driven by their cyber insurance providers. So even if there is no legal or regulatory standard stating they must perform these things, the folks who hold the money are making sure that their clients have at least some bare minimum protections and validation in place. It's not how I would have started enforcing it personally, however when a lot of the lack of controls is tied to "budget" or "headcount costs", this is a good way to give them a financial kick in the pants to start at least acting like they're doing something.

a reply to: Hypntick

Agreed. There is a recent EO from the White House regarding cyber but we haven't seen any type of talk let alone enforcement around the requirements.

a reply to: AugustusMasonicus

Nah I worked on the general session stage on day 1 then helped build the serendipity stage for 3 days. I wasn't the board operator for this gig though so I wasn't there for the show run. I was happy to get out of downtown though...EDC was a pain to deal with when coming and going.

originally posted by: AugustusMasonicus

originally posted by: MykeNukem
POS systems combined with Wi-Fi or similar, whether through the Internet or an Intranet are NOT secure to begin with.

The issue is the extra data in kernel transmission, it provided information that you would normally have to try and piece together with corresponding data in other transmissions which made it easier to identify the owner.

Yea this one is interesting for sure. I was just speaking of POS in general.

I'd like to see the PCAPs and what tipped them off.

Makes it spiffy when all the data is nicely packaged.

ETA: I used to take care of a POS system called RUBY for Shell Canada that we would push firmware updates after closing with zero interaction from the owner (this was early 2K. I wonder if these have the same capability? if so, the hardware has to go for sure. Wish there was more info.

originally posted by: RickyD
Nah I worked on the general session stage on day 1 then helped build the serendipity stage for 3 days. I wasn't the board operator for this gig though so I wasn't there for the show run. I was happy to get out of downtown though...EDC was a pain to deal with when coming and going.

Well, the show looked much better set up than it was attended. Kind of a dud compared to the Amsterdam show and the pre-Vid shows.

originally posted by: MykeNukem
I'd like to see the PCAPs and what tipped them off.

Same. I'm sure at some point whatever the FBI gets from Fiserv will come out especially with Pax claiming a hack and in light of retailers dropping them. If it was a hack I'd think they'd want to clear this up right away.

ETA: I used to take care of a POS system called RUBY for Shell Canada that we would push firmware updates after closing with zero interaction from the owner (this was early 2K. I wonder if these have the same capability? if so, the hardware has to go for sure. Wish there was more info.

Good question. I think at this point we need more info to determine where the scrypt originated and how widespread it was but I keep going back to the one person who claims they reported this 8 years ago.