U.S. federal investigators today raided the Florida offices of PAX Technology, a Chinese provider of point-of-sale devices used by millions of businesses and retailers globally. KrebsOnSecurity has learned the raid is tied to reports that PAX’s systems may have been involved in cyberattacks on U.S. and E.U. organizations.
Headquartered in Shenzhen, China, PAX Technology Inc. has more than 60 million point-of-sale terminals in use throughout 120 countries. Earlier today, Jacksonville, Fla.-based WOKV.com reported that agents with the FBI and Department of Homeland Security (DHS) had raided a local PAX Technology warehouse.
In an official statement, investigators told WOKV only that they were executing a court-authorized search at the warehouse as a part of a federal investigation, and that the inquiry included the Department of Customs and Border Protection and the Naval Criminal Investigative Services (NCIS). The FBI has not responded to requests for comment.
Several days ago, KrebsOnSecurity heard from a trusted source that the FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals.
According to that source, the payment processor found that the PAX terminals were being used both as a malware “dropper” — a repository for malicious files — and as “command-and-control” locations for staging attacks and collecting information.
“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”
KrebsOnSecurity reached out to PAX Technology’s CEO on Sunday. The company has not yet responded to requests for comment.
The source said two major financial providers — one in the United States and one in the United Kingdom — had already begun pulling PAX terminals from their payment infrastructure, a claim that was verified by two different sources.
“My sources say that there is tech proof of the way that the terminals were used in attack ops,” the source said. “The packet sizes don’t match the payment data they should be sending, nor does it correlate with telemetry these devices might display if they were updating their software. PAX is now claiming that the investigation is racially and politically motivated.”
The source was unable to share specific details about the strange network activity that prompted the FBI’s investigation. But it should be noted that point-of-sale terminals and the technology that supports them are perennial targets of cybercriminals.
It is not uncommon for payment terminals to be compromised remotely by malicious software and made to collect and transmit stolen information. Indeed, some of history’s largest cyberheists involved point-of-sale malware, including the 2008 breach at Heartland Payment Systems that exposed 100 million payment cards, and the 2013-2014 string of breaches at Target, Home Depot and elsewhere that led to the theft of roughly another 100 million cards.
Even if it were publicly proven today that the company’s technology was in fact a security risk, my guess is few retailers would be quick to do much about it in the short run. The investigation into PAX Technology comes at a dicey time for retailers, many of whom are gearing up for the busy holiday shopping season. What’s more, global computer chip shortages are causing lengthy delays in procuring new electronics.
Update, Oct. 27, 3:08 p.m. ET: Bloomberg reports that FIS Worldpay has removed PAX’s terminals from their infrastructure over security concerns.
FIS Worldpay told Bloomberg the company confirmed that it no longer deploys PAX point-of-sale devices “because it did not receive satisfactory answers from PAX regarding its POS devices connecting to websites not listed in their supplied documentation.”
“While we have no evidence that data running through PAX POS devices has been compromised, we have been working directly with clients to replace those devices with other options at no cost to them and with as little disruption to their business as possible,” Bloomberg reported. “The spokesperson said fewer than 5% of Worldpay clients currently use PAX point-of-sale devices. FIS’s shares were down 6.6% Wednesday afternoon in New York.”
Update, Oct. 27, 7:57 p.m. ET: PAX issued the following statement:
On Tuesday, October 26, 2021, PAX Technology, Inc. in the United States was subject to an unexpected visit from the Federal Bureau of Investigation (FBI) and other government agencies relating to an apparent investigation.
PAX Technology is not aware of any illegal conduct by it or its employees and is in the process of engaging counsel to assist in learning more about the events that led to the investigation.
Separately, we are aware of media reports regarding the security of PAX Technology’s devices and services. PAX Technology takes security very seriously. As always, PAX Technology is actively monitoring its environment for possible threats. We remain committed to providing secure and quality software systems and solutions.
We intend to keep our team and customers apprised of the situation.
In the meantime, it is business as usual at our locations and operations are continuing as normal. The PAX Jacksonville office and warehouse are both open at this time.
Update, Oct. 31, 8:39 p.m.: PAX has issued a Q&A to customers which maintains that concerns over the alleged unexplained traffic from PAX terminals are related to “the optional geolocation feature available on PAX terminals,” and “the use of dynamic IP addresses, commonly used for geolocation.”
“To make geolocation an available feature, PAX SmartPOS terminals utilize a third party geolocation service provider, just as your smartphone does,” the Q&A explains. “These services require devices to communicate geolocation information to third party IP addresses, some of which may be outside the country where the devices are operational.”
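The processor’s two observations reported above, terminals connecting to hosts absent from the vendor’s supplied documentation and payload sizes that match neither a payment nor a software update, translate into a review a payment network’s security team can run over its own flow logs. This is an added example, not code from KrebsOnSecurity, PAX or any processor; the hostnames, terminal ids and flow records are constructed, and the allow-list stands in for whatever the vendor documentation actually lists.

```python
"""Egress review for a fleet of POS terminals (constructed example).

Two checks: (1) is each destination one the vendor documented, and (2) does the
amount a terminal sends to a documented destination fit the fleet-wide pattern
for that destination. Everything below is constructed for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median
import ipaddress


@dataclass(frozen=True)
class Flow:
    terminal: str   # constructed terminal identifier
    dst: str        # hostname or IP literal the terminal connected to
    port: int
    out_bytes: int  # bytes the terminal sent in this flow


# Assumed: (host, port) pairs transcribed from the vendor's supplied documentation.
DOCUMENTED = {
    ("gateway.processor.example", 443),   # payment gateway
    ("updates.vendor.example", 443),      # firmware/app updates
    ("geo.thirdparty.example", 443),      # geolocation provider
}


def is_ip_literal(host: str) -> bool:
    """True when the terminal reached a bare IP rather than a documented hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def fleet_baseline(flows, documented=DOCUMENTED):
    """Median and MAD of bytes sent, per documented destination, across the fleet."""
    sizes = defaultdict(list)
    for f in flows:
        if (f.dst, f.port) in documented:
            sizes[(f.dst, f.port)].append(f.out_bytes)
    baseline = {}
    for key, vals in sizes.items():
        m = median(vals)
        baseline[key] = (m, median(abs(v - m) for v in vals))
    return baseline


def review(flows, documented=DOCUMENTED, k=5.0):
    """Return findings as (terminal, reason, detail) tuples in flow order."""
    baseline = fleet_baseline(flows, documented)
    findings = []
    for f in flows:
        key = (f.dst, f.port)
        if key not in documented:
            # A bare IP is reported separately: the geolocation explanation rests on
            # dynamic IPs, which a hostname allow-list cannot vouch for either way.
            kind = "undocumented-ip" if is_ip_literal(f.dst) else "undocumented-host"
            findings.append((f.terminal, kind, f"{f.dst}:{f.port}"))
            continue
        m, mad = baseline[key]
        # Robust z-score (1.4826 scales MAD to a std-dev equivalent); with MAD == 0
        # every terminal sends the same amount, so any deviation is out of pattern.
        outlier = f.out_bytes != m if mad == 0 else abs(f.out_bytes - m) / (1.4826 * mad) > k
        if outlier:
            findings.append((f.terminal, "size-outlier",
                             f"{f.out_bytes}B to {f.dst} (fleet median {m:.0f}B)"))
    return findings


def terminals_to_pull(findings, min_hits=2):
    """Terminals with repeated findings: candidates for isolation and image capture."""
    hits = Counter(t for t, _, _ in findings)
    return sorted(t for t, n in hits.items() if n >= min_hits)


# Constructed flow log: four terminals, one of which also talks to an undocumented IP
# and once pushes far more to the gateway than any transaction needs.
SAMPLE_FLOWS = [
    Flow("T1", "gateway.processor.example", 443, 950), Flow("T1", "gateway.processor.example", 443, 1020),
    Flow("T1", "geo.thirdparty.example", 443, 210),
    Flow("T2", "gateway.processor.example", 443, 980), Flow("T2", "gateway.processor.example", 443, 1010),
    Flow("T2", "geo.thirdparty.example", 443, 190), Flow("T2", "cdn.unknown.example", 443, 640),
    Flow("T3", "gateway.processor.example", 443, 990), Flow("T3", "gateway.processor.example", 443, 48000),
    Flow("T3", "geo.thirdparty.example", 443, 205),
    Flow("T3", "203.0.113.7", 8443, 512), Flow("T3", "203.0.113.7", 8443, 512),
    Flow("T4", "gateway.processor.example", 443, 960), Flow("T4", "gateway.processor.example", 443, 1000),
    Flow("T4", "geo.thirdparty.example", 443, 200),
]

if __name__ == "__main__":
    for terminal, reason, detail in review(SAMPLE_FLOWS):
        print(f"{terminal}\t{reason}\t{detail}")
    print("pull for forensics:", terminals_to_pull(review(SAMPLE_FLOWS)))
```

A vendor’s explanation (here, geolocation) can then be checked against the findings: it accounts for the documented geolocation flows but says nothing about a terminal reaching an undocumented address twice or sending 48 KB to the payment gateway.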
Brian, it’s unclear to me if PAX is under investigation or suspicion for possibly being actively involved with their products being used in malicious acts or if they are just full of vulnerabilities being used in device/IoT attacks by other independent parties and PAX isn’t suspected of being involved? Do your sources lean one way or the other?
It’s still being investigated. Krebs is not in the FBI and if he has a source there,
he’d be unlikely to burn them just to preempt the details of an ongoing investigation,
as an investigative journalist. They are “possibly” involved to an extent unknown.
Their response was suspiciously defensive and smokescreeny. That’s all we know,
and if Krebs could verify more than that he’d likely have included it in his reporting.
*(This brings us to the very worst aspect of Krebs on Security: waiting for the next one. I’m also bad at that.)
Time to be patient and wait for the other shoe to drop.
Yessir. And that’s difficult.
Great article! Couldn’t help but notice the quotation marks are in the wrong place for your first update on the 27th October (when quoting a FIS spokesperson).
This is purely racism. Anytime a Chinese company becomes a global player like PAX, it is a target for the US Government; if these companies were owned, operated and located in blond and blue-eyed countries, there would be no issue. Racism is the core of evil and it is big in business globally.
Today the U.S. and Europe play the race card on a global scale and not many people are smart enough to see it. The white nations has a trust issue with non white nations. They know the technology of non white nations is better and years ahead, but they will try to play the race card to catch up.
I manage a credit card company in California, and I use PAX terminals. I have no problem with them; I deploy them every day with no issues and they have the built in technology that is far superior than locally produced terminals. The apps and technology PAX gives to its customers through POS is normally a pay-for option on locally produced terminals.
I will continue to deploy and purchase PAX equipment. I will sever ties with FIS Worldpay for their race actions against this company. I have already informed my FIS Worldpay merchants that we will be moving them to another platform that supports PAX equipment.
It’s not racist; if any company’s IP traffic is suspect it should be investigated. Heartland was investigated back in 2008 and they’re mostly “blond and blue eyed”… as you put it.
Next time you get a stupid thought like this, let it go before you comment.
Race card? Paranoid much?
-CCCP standard fare. Fake name? New to English for sure.
That + the message + certain phrases used, bigly outstanding.
Far superior propaganda.
You sound like an absolute brainwashed moron.
You should let your customers know that you are choosing to use POS devices that are suspected of being compromised by the CCP because you believe the FBI and processor are paranoid and racist. Let us know how that works out for you.
“The white nations has a trust issue with non white nations.”
That explains Taiwan, Japan, Singapore, India and several others?
Racism exists in the world, your particular set of facts does not.
Good luck with future autocratic apologies and fake excuses,
but your apparent currencies don’t work in free-info countries.
(In English grammar you would say “have” a trust issue not “has”
– although given that you’re trying to smokescreen for mid-kingdom
propaganda efforts, that’s not entirely unexpected now is it.)
“Far superior” lol.. Do they not have google translate in your area?
Or propaganda translate? You might have named yourself McLaren F1,
the decadent west intrinsically respects showy opulence, comrade.
(Your fraudulent application of the race card here is over the top, dawg.)
Race-baiting, bomb-tossing hysteria doesn’t mask the fact that suspicious packets were being sent by PAX devices from multiple locations. Any culture warriors working in cyber are clouded in their vision – our industry is driven by fact & data.
Has it occurred to you that there is a POSSIBILITY the Chinese gov’t can be using PAX as dupes? Anyone who doesn’t think CN is right behind Putinworld as a nation-state paradise is not being honest. Still – PAX is responsible for anything that sneaks around… even if not by their own doing.
Yes because the CCP has been so honest with the rest of the world. Racism, what a joke!
The CCP is such an upstanding government, LOL. You saying we are playing the race card is like saying Covid came from France. Comical at the least. #WakeUp
I am very anti-racist when it comes to whoever is stealing from me and my cardholders. The prison they should go to and the fines they should pay will be multi-cultural, I promise.
As a freedom-loving HKer, I’d avoid your business.
According to California business records Englobe Worldpay, LLC. The company has 1 principal on record. The principal is Ian Eversley from Stockton CA.
In your view PAX equipment has “built in technology that is far superior than locally produced terminals”. What a shame your proofreading and/or composition skills don’t attain the same heights. Look out, sir, the Grammar Police are coming for you!
Hard to accept this as not sock puppetry.
Click on this clowns name…enough said.
China is a murderous dictatorship, torturing its citizens, and swarming indigenous bordering autonomous areas with human filth of the communist regime.
The sooner we go to war with China, the better.
Something tells me you are NOT from california, but maybe from behind the great firewall.
Ian,
Have you always been retarded or is this something new?
What?
The level of retardedness in this comment is beyond comprehension. When transmitting these packets, there should be nothing other than card information. If it is discovered that something more is being transmitted, then there is cause for serious concern, since these packets contain sensitive credit card information. It has a distinct size.
You claim to work in the payment processing industry and don’t know this? You are doing a disservice to your business clients.
Aw, stepped on your slanted toes?
This is a good test case for all the nonsense about Huawei. I’ve always thought it unlikely that a Chinese vendor would put a multi-billion $ business distributed over 100 countries at risk by aiding PRC spying. If it did, it is bound to be discovered sooner or later and all of that revenue is at risk. If on the other hand, PAX is an unwitting victim of cybercriminals (and the article correctly notes that POS terminals have played that role for years) then it will still lose business, but it will certainly have an incentive to fix its problems. Let’s let the facts come out.
By the way, the racism charge is ludicrous.
“the nonsense about Huawei”
You mean how Meng went to jail for fraud and violating US sanctions,
and China took two Canadians hostage for fake charges the while of,
to release them immediately when Meng plead guilty and went home?
The nonsense is the idea that a company owned by the CCCP, or the
people’s army of china, gets “unfair” scrutiny by the free world. Wrong.
If you can show the FBI is acting out of racism here, go right ahead.
That charge without explanation reeks as much as their smokescreens.
*I meant the general “you” not Milton.
Best comment thus far. “She’s a witch!” is essentially what most others are screaming. Nothing is more American than due process, as evidenced by so many Caucasians joining African Americans in protesting lack of due process due to institutional racism. Go ahead and bomb me on the real, statistically factual claim of racism, but it would be more productive to ask yourself why you have already tried and convicted this company. It is just another example of the type of tribalism in the United States that is hurting everyone and affording our enemies a leg up by pitting us against each other.
Love you. Mean it.
“Never interfere with an enemy in the process of destroying himself.”
— Napoleon
Due process = she plead guilty to charges, and China’s monkey court let the 2 hostages go, same day.
Read better Napoleon. Vote for Pedro for better reasons. HUAWEI’S CFO _PLEAD_ GUILTY.
THERE WAS NO RACISM IN THIS STORY, IT WAS 100% MADE UP. YOU ARE BEING SILLY.
Racism exists, using it for a dumb smokescreen without a scintilla of evidence is NOT VALID.
Interesting read!
I think you may have misplaced your quotation marks in your first update, where you quoted an FIS Worldpay spokesperson.
Interesting read!
It seems you might have misplaced your quotation marks in the article’s first update, when you quoted the FIS Worldpay spokesperson.
Then why is the CEO of the pax company unable to answer questions directed? Only if he can explain the situation then all mysteries would be cleared up, and he can’t do that. Also, why the data packet difference and the terminal secretly going to unknown websites? A lot of explaining to do here.
My life, for the head of communications for a processor with PAX devices, has been hell because of this piece. Which has been picked up by every publication and spread to my clients and partners. We are doing damage control because of the mentions of malware and cyberattacks in this article. With zero to back up these claims. So I welcome anyone with concrete evidence of “what” the issue is.
So two choices :
Preemptively secure your network as possible based on an unknown,
(have a backup platform) -or- don’t, and just hope that the extra scrutiny
that these will get (now) is enough to deter any threat actor’s campaigns,
as they either race to exploit them before they’re binned, or they don’t.
Concrete evidence comes down the road. You know that – care to wait?
Business decision time. How exactly are you attempting damage control,
I’m just curious? “Well, we don’t have concrete evidence of that, so it’s fine”
Nation state supply chain attacks are nothing new, so it looks like an advanced threat group is now suspected of abusing POS hardware. These sorts of attacks are notoriously hard to detect and defend against, especially when the supply chain required to build technical components is often complicated, as is the function and operation of these systems once deployed. The security or network teams of the US payment processor did well to detect unusual activity from PAX-related infrastructure, and may have approached the vendor in the first instance for an explanation – which seems perfectly reasonable from a business perspective. The fact that US authorities and other agencies are now investigating this in more detail suggests there is technical evidence that PAX systems were abused by, and facilitated, threat actors or groups unknown. The question is whether this was a result of malicious components built into the system architecture, vulnerabilities inherent in poor code, or vulnerabilities/malicious code being applied at a specific point in the supply chain – a firmware flash in a US-based PAX warehouse, for example…. I’m sure there’ll be a detailed write-up on it in good time. Great article, thanks.
Couldn’t this be a small cog in a larger push for the one China ideal? Nibble at the econ of the enemy states, funnel proceeds to black accounts, cause mayhem and sow concern. In the current times, when global economies are stuttering, larger mechanisms like nation states still have to find money to fund their domestic and military programs. Seems to me this is one facet of a huge gemstone; even if it’s not directly sanctioned by the .cn gov at large, it still seems that to pull something like this off, the ‘gang’ would need a lot of resources, time and effort to get into a position where they can ‘effect’ the opposition’s infrastructure in such a large and dynamic fashion, and that sort of thing is very hard to fly under the radar without someone being in the know. On the other hand, why would you crap on your own doorstep? Low hanging fruit maybe? But to burn an entire supply chain provider for what they can gain short term doesn’t seem like a smart idea to me. Surely even the strategists in the .cn chain would see that burning Chinese companies for a short term gain is counterproductive to the Chinese GDP?
On further reflection I would probably bet this is an off-the-books group with links to well known APTs, run and funded by the .cn gov in some fashion, and they slipped up somewhere and alarms started ringing and the feds got wind of it, did their background work, collected the evidence and swooped. If it had been something like VW or FIAT or some other automotive industry new EV technology being used for drive-by intel collection, I think they’d still point the finger at .CN as they are the most aggressive in terms of their cyber operations, with far reaching and capable groups that pose a real threat today, but you can measure this alongside the North Koreans and the Israelis, so until the cows come home, it’s too early to count your bottles of milk 🙂
This is, by far, the most logical of the presented replies.
It’s likely not PAX, itself, that was behind this muck raking operation but a third party cyber attack utilizing vulnerabilities of bad code – or, perhaps, even intentionally designed data gathering hardware/code in the systems that was being utilized by a third party without PAX’s knowledge or approval.
As for China… it can’t even be proven they were directly behind it [yet], as Russia and other actors are quick to utilize holes China punches through the western firewalls for their own ends, with little regard if it exposes a Chinese operation so long as they get to cause havoc against US victims.
“that was being utilized by a third party without PAX’s knowledge or approval.”
-is the question. When questioned, they went to the race card smokescreen asap.
They “themselves” did that part, so whatever compartmentalization from scrutiny
you’d think they have in not being the “final threat actors” ultimately “behind” the
malware campaign or whatever term, that’s all going to be investigated in situ.
Hand in glove isn’t necessarily something “we” can publicly expose for “reasons”
but if PAX isn’t cooperating with an investigation into what was actually going on,
that itself is a course of action that demands further examination. Who does that?
Who drops East/West propaganda defense when questioned on odd network traffic?
Is there any way to check whether this news is actually working together with or assisting the short selling expert & insider? FIS Worldpay told Bloomberg that they had already decided to drop PAX devices on 8 Oct, then I found that short selling activity suddenly became very active for the PAX parent company, Hong Kong-listed PAX Global, ticker: 327
It’s so sad to see that so many Americans distrust the honest Chinese companies trying to provide a service. No place is perfect, but I think the company is just doing its job, while it may be possible that independent people are hacking the system (or may not; more research needs to be done). I trust the China government a lot more than other governments. I’ll leave it at that.
How much does the CCP pay you for each comment?
“I trust China government a lot more than other governments. I’ll leave it at that.”
Why not expand on that, at length? You know, give examples. Why? What?
How have they won your trust in any dimension? I’m genuinely curious now.
If you’ll “leave it at that” you’re leaving it incredulous to most human eyes.
Explain. Make us believe you’re not just saying that for silly reasons.
More sock puppetry detected.
I am from Chicom occupied Hong Kong and every time I see a comment defending the Chicoms/saying that it’s some racially motivated thing, I know that commenter is yet another Chicom apologist. The saving grace of the alliance of western democracies is they don’t do as western leftists/apologists/chicom spies say, and they try to make sense most of the time in the face of CCP’s unlimited warfare.
And as someone from the HK nation I’d do the opposite of Ian Maclaren by ditching PAX immediately. I’d say something more if this place were not moderated.
Does anybody realize that PAX devices run more than just simple payment software… There is a whole ecosystem of apps and integrations. Additionally, some of the devices can be accessed and controlled remotely as a feature… This *could* theoretically be a “backdoor” in plain sight. “They” could use the remote access to do anything the device is capable of, and maybe more… At least some are android based…
Point is, if all the FBI has is suspicious data packets, by what standard are they deeming it suspicious? It wouldn’t necessarily be just payment data coming from the machines… It could be any PAX or Android app running on the device… On the other hand, with the ability to remote access the devices out in the open as a feature, maybe that would be the perfect “hide in plain sight” explanation “they” need to access devices, do harm, and leave (without a trace?).
Who knows… I do know that it can absolutely be true that “they” are up to no good… Doesn’t mean this thing isn’t politically and racially motivated as well… Our “justice” system is quite selective…
Does the FBI raid warehouses for no reason, no. “They” weren’t cooperating.
That much checks out without a “racism” element in any case. “They” = PAX
If there’s something deeper beyond that, PAX is the one that brought up race.
PAX has yet to demonstrate any aspect of this being unfair or racial. Period.
Smokescreens are easy, people are mostly dumb and/or don’t care really.
Thanks for hitting the nail on the head about the lack of cooperation. I guess PAX understands the Fifth rather well.
I enjoyed the article, but you seem to have misplaced the quote marks when quoting the FIS representative (or maybe you meant to quote the Bloomberg article but didn’t make clear where the direct quote ended).
its really beautiful and amazing blog post! Thanks for sharing
Racist, right. When you’ve been caught with your pants down, and all else fails, play the race card. Like racist math, racist physics, etc. Maybe the FBI would also be interested in exactly who would make such a ridiculous post and his connection to PAX.
So what do these PAX terminals look like? Is there anyway for shoppers to identify them?
It’ll be another 30 to 40 years before they raid the voting machines with their chips and boards made in China. Well, if they ever decide to raid.
How stupid can it get to use a Chinese company for this kind of thing? The only thing dumber is using them for AV.
Did the FBI “raid” Solarwinds?
Is there any indication that the attack originated with PAX, or is it possible that PAX’s machines are just used for the attacks?
Just to compare: would the FBI raid Microsoft if millions of Windows machines started to send suspicious network traffic?
Before anyone jumps to conclusions on this topic, you should understand first how payment devices, even Android-based ones, are so different from regular smartphones etc. in terms of security. Payment data on the terminal is completely separate and protected; if a payment terminal sends geolocation data to a 3rd party provider (the same as all your smartphones and tablets are doing) this is not really a security issue or risk. Geolocation data of a terminal is not really sensitive info. And you cannot have accurate geolocation services without the device communicating with some geolocation server. Also, on payment terminals, the network manager (i.e. the payment provider that uses the terminals) has full control over what the terminal does and does not do, where it sends what data, etc. And the network owner / manager has to sign all 3rd party apps that go on the terminal, theoretically after auditing them. And apparently the geolocation data packets do NOT have to be the same size as the payment data packets – in fact if the data packets going to 3rd parties (geolocation, telemetry, clock synchronization etc.) were identical in size and frequency to the payment data packets, THEN we should be worried…. Bottom line – a (business driven) “concern” of a US processor was used by PAX competitors to create reputational damage to PAX, now that they have become the undisputed leader of the POS HW market globally… If you want to know more, read the documents officially released by PAX. Also read the OCCIP document, as OCCIP is the agency “investigating” PAX. It is more than clear.
Is the US still seeking Swedish citizen Tomo Razmilovic the former CEO of POS vendor Symbol Technologies?
It would probably be useful for the SEC and/or banking regulators to require companies to disclose whether the “responsible” officers have the right to reside in a country where they are de-facto exempt from extradition either by black letter law or by “inefficient” judicial process or other means. As Carlos Ghosn and Tomo Razmilovic have demonstrated the risk equation is different when exemption from consequences is just one executive jet ride away.