Threats include interception of card PINs and charging of attacker-chosen amounts
Positive Technologies researchers have discovered vulnerabilities in Verifone point of sale (POS) terminals. Various MX, VX and UX terminals are potentially impacted. Attackers could exploit them to intercept payment card PINs, show a transaction amount on the terminal that does not equal the amount charged, send a request to the acquiring bank for an arbitrary amount, and more. Vulnerable terminals are used at retailers around the world. Verifone has released new firmware versions addressing these problems and recommends updating terminals as soon as possible.
Positive Technologies banking security expert Timur Yunusov described: "POS terminals tend to belong to banks, with access performed by the retailers leasing the devices or else maintenance contractors. With these vulnerabilities, a malicious employee or contractor could leverage physical access to modify the device. We estimate that up to 90 percent of POS terminals with these vulnerabilities continue in service at retailers."
The issues are caused by the ability to bypass encryption and other security restrictions, cause a buffer overflow, and abuse system passwords and an insecure reset mode. Because of these and other issues, it is possible to write malware to the terminal for full control of the card handling process. For example, a criminal could read cards, including their magnetic stripe (for use in regions where magstripe transactions are still allowed, including the U.S. and some Asian countries), or send arbitrary authorization commands to acquiring banks.
Vulnerable terminals could also be used in Distributed Guessing Attacks. To learn an unknown card field—for example, the three-digit CVV2 security code—an attacker can attempt to pay with the card on hundreds of different online stores simultaneously, trying a different CVV2 code on each store until finding the correct value.
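The issuer-side signal that separates a Distributed Guessing Attack from an ordinary customer typo is CVV2-mismatch declines for one card arriving from many distinct merchants within a short window. The following detection sketch is an added example, not code from Positive Technologies or Verifone; the log format, the five-minute window and the five-merchant threshold are constructed assumptions.

```python
"""Issuer-side detection of the Distributed Guessing Attack pattern (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization-attempt log, not real transaction data.
# Format (assumed): <ISO timestamp> <card token> <merchant id> <decline reason>
AUTH_LOG = [
    # tok_A: six CVV2 mismatches from six distinct merchants within 50 seconds
    *[f"2019-11-01T10:00:{10 * i:02d} tok_A merch_{i:03d} CVV2_MISMATCH" for i in range(6)],
    # tok_B: four retries at a single merchant (looks like a customer typo)
    *[f"2019-11-01T10:01:{15 * i:02d} tok_B merch_042 CVV2_MISMATCH" for i in range(4)],
    # tok_C: three merchants, hours apart (normal spread of declines)
    "2019-11-01T09:00:00 tok_C merch_100 CVV2_MISMATCH",
    "2019-11-01T12:00:00 tok_C merch_101 CVV2_MISMATCH",
    "2019-11-01T15:00:00 tok_C merch_102 CVV2_MISMATCH",
    # an approval is ignored by the rule
    "2019-11-01T10:00:30 tok_A merch_007 APPROVED",
]


def parse_line(line):
    """Split one log line into (datetime, token, merchant, reason)."""
    ts, token, merchant, reason = line.split()
    return datetime.fromisoformat(ts), token, merchant, reason


def find_distributed_guessing(lines, window=timedelta(minutes=5), min_merchants=5):
    """Return {token: peak distinct-merchant count} for cards whose CVV2-mismatch
    declines came from at least `min_merchants` different merchants within `window`.
    A single merchant retrying the same card never trips the rule, however many tries."""
    declines = defaultdict(list)
    for line in lines:
        ts, token, merchant, reason = parse_line(line)
        if reason == "CVV2_MISMATCH":
            declines[token].append((ts, merchant))

    flagged = {}
    for token, events in declines.items():
        events.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            merchants = {m for _, m in events[start:end + 1]}
            if len(merchants) >= min_merchants:
                flagged[token] = max(flagged.get(token, 0), len(merchants))
    return flagged


if __name__ == "__main__":
    for token, count in find_distributed_guessing(AUTH_LOG).items():
        print(f"{token}: CVV2 mismatches from {count} merchants within 5 min")
```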
Positive Technologies experts Dmitry Sklyarov, Alexey Stennikov, and Egor Zaytsev [1] took part in the research. The vulnerabilities received identifiers CVE-2019-14711 (CVSS v3.0 score 8.8), CVE-2019-14712 (8.2), CVE-2019-14713 (8.2), CVE-2019-14715 (7.6), CVE-2019-14716 (7.3), CVE-2019-14717 (8.2), CVE-2019-14718 (8.2), CVE-2019-14719 (6.3).
For updates to eliminate the vulnerabilities, clients should contact their vendor, bank, or service provider to install the firmware indicated in the Verifone advisory. In the meantime, since the attacks require physical access to the terminal, Verifone recommends the normal merchant best practices for terminal management, including the use of a secure password scheme, rebooting terminals (this could flush any malware from the device), and always maintaining vigilance against unauthorized attachments on credit card terminals.
Since some models are approaching their end of life, one mitigation is to request that the vendor, bank, or service provider replace affected terminals with newer equivalents.
[1] Alexey Stennikov and Egor Zaytsev currently work as independent researchers.