FBI Raids Chinese Point of Sale Giant Pax Technology

U.S. federal investigators today raided the Florida offices of PAX Technology, a Chinese provider of point-of-sale devices used by millions of businesses and retailers globally. KrebsOnSecurity has learned the raid is tied to reports that PAX’s systems may have been involved in cyberattacks on U.S. and E.U. organizations. Source

Citing a “trusted source,” Krebs said the Federal Bureau of Investigation had launched an investigation after a “major” U.S. processor began inquiring about “unusual” network packets flowing from Pax terminals. The processor discovered the terminals were serving as “a repository of malicious files” and as a “command and control” for attacks and information gathering, according to the source. Krebs adds, however, that the source could not pass along specifics about the “strange network activity” that drew the attention of the FBI. Source

Reading between the lines? This means your personal data is most likely in the hands of the Chinese if you've ever used any payment device manufactured by Pax and the likelihood is that you have.

Ironically enough this occurred yesterday while most of the world's finance, payment and fintech companies were at Money 20/20 in Las Vegas where I am not at at with DB this very moment. Seriously.

The 'major' company is Fiserv and 'unusual' packets are part of what's known as the kernel stack and are used in every card transaction involving a device. In layman's terms it's supposed to be a very simple protocol where the device and the card have an exchange like this:

Device: Is the card here?
Card: Yes, I am here.
Device: What is the amount?
Card: The amount is X.
Device: Since the amount is X and is below the threshold set by the issuer this does not need further scrutiny. Transaction may commence.
Card: Thank you.

Being that there was more data than the above being transferred, which is outside of the kernel certification process, it means that the device was collecting potentially all the data encrypted on your credit, debit or charge card and funneling that data to whomever planted the malicious scrypt on the device. It really could only be one of two sources, the manufacturer themselves or the government as these kernels need to be certified prior to installation and changes could only be made at the factory if all of their devices, as is alleged, were transmitting the data.

Additionally, the person we spoke with at the event in Las Vegas who is considered extremely knowledgeable on these matters indicated that a confidential witness had let the FBI know of potential issues with Pax EIGHT YEARS AGO. That's right, they've been scamming your data for almost a decade and nothing was done up until today.

This attack and all others that have been occurring should alarm everyone. There is little to no oversight when it comes to cybersecurity and even when there is, like in this case, it can be circumvented without further and ongoing field testing of devices which is presently not required. Two major United States retailers have already signaled to Pax they will be removing their terminals in the wake of this data breach and anyone out there purchasing items with their cards should ask the merchant what type of terminal they are using if they still have that type of platform.

Sadly this is not getting much play at this time but it is a very serious issue and should concern people not just domestically but abroad as well since Pax is one of the largest terminal manufacturers in the world.

LOL and people call me paranoid for use cash still. At the gas station, shopping, whatever. Don't even have a debit card.

Device? No thank you.

Not at all surprised that the FBI knew about this 8 years ago either.
Makes you wonder who is getting kickbacks.

a reply to: AugustusMasonicus

Whoa whoa whoa.

Whoa.

What's the FBI doing investigating matters like these when white supremacy is tearing this country to shreds?!

a reply to: AugustusMasonicus

Wow. I guess my biggest question is why wouldn't any traffic from the device have to be whitelisted to send data to only to certain IP addresses? I can lock down even my lowly Office 365 subscription by whitelisted addresses if I want to.

Have fun in Vegas, where you are not at.

There is a reason why i generally pay cash only at small shops. I have a pretty good idea what the processing device relates to by manufacturer, at least for the bigger/legit processors like Aloha EDC, Shift4/Lighthouse, etc. Im still not able to figure out how i can't use a wifi POS due to PCI, but these people are transacting across mobile phones.

Problem is, the public needs the data from these companies that used Pax. Not the other way around. This is on the companies, not the people.

The people deserve to know what companies are using this specific type of terminal, and from what times. The gov't, and FBI, are responsible for letting the people (WHO PAY THEIR SALARIES) know what is going on and how to fix it.

But what....we get an article and a thread on ATS?
How convenient.

Did you know Musk just gained $26+B in wealth?
Because that is what's on the MSM right now.


Smh.

originally posted by: AugustusMasonicus

Additionally, the person we spoke with at the event in Las Vegas who is considered extremely knowledgeable on these matters indicated that a confidential witness had let the FBI know of potential issues with Pax EIGHT YEARS AGO. That's right, they've been scamming your data for almost a decade and nothing was done up until today.

A "decade" is probably a bit of an understatement. It had most likely been going on for several years before that 'confidential witness' eventually came forward.

originally posted by: chiefsmom

LOL and people call me paranoid for use cash still. At the gas station, shopping, whatever. Don't even have a debit card.

I only recently used my debit card for the first time, and I didn't even know how to use it. I previously had one I used somewhat regularly, but I closed my account with that bank several years ago. The one I have now, I tried sliding it through the scanner thing, but apparently it has a chip in it and doesn't work on the slide thingy.. The cashier had to do it for me. I couldn't figure it out. lol

It's only a matter of time before cash is completely gone. I just hope that's still far enough away that I'll be long gone by the time it happens.

originally posted by: peter_kandra
I guess my biggest question is why wouldn't any traffic from the device have to be whitelisted to send data to only to certain IP addresses?

That's a good question, however Pax Technology's IP would be on any internal IP since they are the processors and once the kernel interchange occurs have access to the full data transmittal from every transaction which they then sound down the payment scheme to eventually reach the acquiring banks and ultimate payment.

What seems to be happening, and I'm speculating, is the additional data obtained during the kernel exchange is being synced to the full transaction data to have a more complete picture of who (the purchaser) is on the other end and their personal information.

Kind of telling what “crimes” the FBI considers worthy of a sense of urgency, China stealing our personal info, meh...8 yrs. later. Now parents confronting school boards about Their Child’s education, they’re on it within days !

I’ve since switched to a local credit union for my banking needs, but remember at my old bank if you used your ATM card at least 6 times a month, they waived certain fees, wonder if that’s connected to this in any way ?

originally posted by: bigfatfurrytexan
There is a reason why i generally pay cash only at small shops. I have a pretty good idea what the processing device relates to by manufacturer, at least for the bigger/legit processors like Aloha EDC, Shift4/Lighthouse, etc. Im still not able to figure out how i can't use a wifi POS due to PCI, but these people are transacting across mobile phones.

Oddly enough Pax is big with small merchants so you will most likely see them there.

The WiFi POS issue is more that there aren't any fully adopted standards yet, but this is coming as your payment information will eventually migrate completely to your phone/device and physical cards will be less prevalent.

originally posted by: havok
The people deserve to know what companies are using this specific type of terminal, and from what times. The gov't, and FBI, are responsible for letting the people (WHO PAY THEIR SALARIES) know what is going on and how to fix it.

I'm sure for national merchants this will come out quickly, they are being dropped as we speak by major companies in the US and UK, but they have well over a 100,000,000 terminals worldwide, getting a full list of every mom and pop in a timely fashion won't happen which is why I cautioned all of you to be proactive and query your merchant.

originally posted by: BrokenCircles
A "decade" is probably a bit of an understatement. It had most likely been going on for several years before that 'confidential witness' eventually came forward.

No doubt, it seems to have been an very lengthy and ongoing illegal data collection program.

originally posted by: MountainLaurel
I’ve since switched to a local credit union for my banking needs, but remember at my old bank if you used your ATM card at least 6 times a month, they waived certain fees, wonder if that’s connected to this in any way ?

No, Pax makes payment terminals, the kind you see at the store that may or may not print receipts or have you sign on the screen, etc, based on the age of the device.

a reply to: MountainLaurel

Kind of telling what “crimes” the FBI considers worthy of a sense of urgency, China stealing our personal info, meh...8 yrs. later. Now parents confronting school boards about Their Child’s education, they’re on it within days !

Hopefully one of the PAX system was hosting some Hollywood movie torrents so the FBI makes it a priority.

We know how much our socialist hollywood friend love to give and share their movies with society.


To be honest , this is minor to some of the other risks we face everyday with American DOD contractors that subcontract the subcontracts that end up using Chinese made chips on DOD systems.

originally posted by: AugustusMasonicus

originally posted by: MountainLaurel
I’ve since switched to a local credit union for my banking needs, but remember at my old bank if you used your ATM card at least 6 times a month, they waived certain fees, wonder if that’s connected to this in any way ?

No, Pax makes payment terminals, the kind you see at the store that may or may not print receipts or have you sign on the screen, etc, based on the age of the device.

Ohhh, ok, I understand now, thanks. You’re right about these machine’s showing up more and more in smaller businesses, will have to pay closer attention to if they are PAX machines.

The good old days when you had to call up the credit card company and write down the authorization number. It was just 30 years ago and no skimmers or scammers…except those using stolen credit cards that you had to take away from them. Fun, fun, fun.

a reply to: AugustusMasonicus

US Govt uses FISERV a lot.

Time for Biden to protest, by boycotting the Olympics in China this Winter.

originally posted by: AugustusMasonicus

 

Additionally, the person we spoke with at the event in Las Vegas who is considered extremely knowledgeable on these matters indicated that a confidential witness had let the FBI know of potential issues with Pax EIGHT YEARS AGO. That's right, they've been scamming your data for almost a decade and nothing was done up until today.

So Chin has had eight years to get our info
and now its safe for Bai-Den to close the door and be a security hero?
I wonder what sort of stuff will happen next summer before the election.

a reply to: AugustusMasonicus

As someone who works in the cybersecurity industry, anyone that thinks their entire social and financial profile is not stored in China, the EU, the US, etc. etc. is deluding themselves. If it's connected it can be popped and most likely already has been popped and no one noticed or noticed years after the fact. I know of two ongoing investigations with major companies that would cause mass chaos were they announced publicly.

These types of supply chain style attacks are one of the reasons that some of us in the know have been discussing supply chain security for years now. Not only when it comes to hardware and validating that what you're buying actually is what you're buying, but also the software side of things that the code is secure and has not been tampered with. It's just now gaining traction when it comes to those types of assessments and audits, when myself and other colleagues have been talking about it for a decade now.

originally posted by: AgarthaSeed
a reply to: AugustusMasonicus

Whoa whoa whoa.

Whoa.

What's the FBI doing investigating matters like these when white supremacy is tearing this country to shreds?!

LOL

Thank you sir , you have made my day .