Bad news for credit card users: it appears that the POS (point-of-sale) terminals made by two of the biggest manufacturers in the world contain several security vulnerabilities that made it easier to steal card data.
Cybersecurity researchers Timur Yunusov and Aleksei Stennikov revealed that millions of devices from Verifone and Ingenico are affected, as they used default passwords that allowed anyone with physical access to enter a “service menu”. From there, certain functions can be used to write malware to the device that hoovers up credit card numbers once the device is used again.
These POS terminals do encrypt credit card data, but the encryption is performed by the terminal's internal system, which is under the control of the malware. This means that an attacker can easily access this information and clone cards in order to steal people’s money.
In most cases, it takes between five and ten minutes to connect to a POS terminal through its USB port and install the malware. But that is not all.
Another of the vulnerabilities, one exploited in many credit card theft cases, had to do with internal networks: it made it easy to find a way into a shop’s IT systems and install malware. But this doesn’t mean that you should totally avoid paying with your credit card through these devices.
Both Verifone and Ingenico released statements two years ago, saying that their security issues had been patched and adding that the attacks were limited, as hackers needed physical access and prior research in order to hack the terminals.
“The security firm has validated that our latest patches and software updates, which are available to all customers, remedy these vulnerabilities. Customers are currently in different phases of implementing these patches or software updates,” a Verifone spokesperson said. At the same time, Ingenico admitted to identifying different vulnerabilities impacting their terminals and developing suitable corrections.