PSA Kiosk – FBI Raids Chinese Point-of-Sale Giant PAX Technology

By Staff Writer | October 30, 2021

Kiosks Public Service Announcement – POS Terminals and PAX

Pax Cyber Heist


Originally reported by KrebsOnSecurity on Oct 26

Updates:

In Brief

  • It is still to be determined what has actually happened.
  • PAX terminals are used widely in kiosk machines and in all types of Point-Of-Sale systems.
  • A couple of financial providers in the US and UK have started pulling the terminals.
  • Cyberheists against payment systems are not new. Think back to Target, Home Depot and Heartland.
  • This comes at a bad time, with the holiday season already in swing.
  • There is additional speculation that PAX is itself a victim rather than a bad actor.

Excerpt

U.S. federal investigators today raided the Florida offices of PAX Technology, a Chinese provider of point-of-sale devices used by millions of businesses and retailers globally. KrebsOnSecurity has learned the raid is tied to reports that PAX’s systems may have been involved in cyberattacks on U.S. and E.U. organizations.

Headquartered in Shenzhen, China, PAX Technology Inc. has more than 60 million point-of-sale terminals in use throughout 120 countries. Earlier today, Jacksonville, Fla. based WOKV.com reported that agents with the FBI and Department of Homeland Security (DHS) had raided a local PAX Technology warehouse.

In an official statement, investigators told WOKV only that they were executing a court-authorized search at the warehouse as a part of a federal investigation, and that the inquiry included the Department of Customs and Border Protection and the Naval Criminal Investigative Services (NCIS). The FBI has not responded to requests for comment.

Several days ago, KrebsOnSecurity heard from a trusted source that the FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals.

Other Speculation

  • I believe we will find out that PAX was the victim of a cyber attack that leveraged vulnerabilities in the PAXSTORE to exploit the app marketplace and a subset of Android terminals, vulnerabilities that PAX had at least made a concerted effort to patch long before the FBI ever started to investigate. Other than possible negligence, I believe PAX will be found to have not acted maliciously. Not only should PAX survive this ordeal, but it will cause them to strengthen the security of their Android platform and associated security protocols, and ultimately they and their partners and customers will be better off.
  • It may have something to do with geo-location: perhaps a cloud connection fetching from or providing data to a non-standard cloud endpoint. With temperature-detection devices using facial recognition, it was documented that calls to a Dahua server in China were in fact being performed. That sort of thing typically becomes an action trigger for agencies like the FBI.
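The common thread in the reporting above is terminals talking to destinations nobody expected. The script below is an added example, not code from the original post, from Krebs, or from PAX, and it does not describe what PAX terminals actually do. It shows the kind of egress check a kiosk or POS operator can run over flow logs: every outbound connection from the terminal VLAN is compared against the processor and vendor destinations the terminals are supposed to reach, and anything else is flagged and aggregated per terminal. The subnet, hostnames, ports and log lines are all constructed for the example.

```python
"""Egress allowlist check for a POS/kiosk network segment.

Added example: the flow records, subnet, hostnames and ports below are
constructed and hypothetical; they are not PAX traffic or real endpoints.
"""
import ipaddress
from collections import defaultdict

# Assumed terminal VLAN; in practice this comes from the network inventory.
POS_SEGMENT = ipaddress.ip_network("10.20.30.0/24")

# Destinations the terminals are expected to reach (hypothetical names/ports):
# payment gateway, terminal management system, time sync.
ALLOWED_EGRESS = {
    ("gateway.example-processor.com", 443),
    ("tms.example-vendor.com", 443),
    ("ntp.example.org", 123),
}

# Constructed flow log: timestamp, src, dst, dst_port, proto, bytes
FLOW_LOG = """\
2021-10-25T14:02:11Z 10.20.30.15 gateway.example-processor.com 443 tcp 2048
2021-10-25T14:02:13Z 10.20.30.15 tms.example-vendor.com 443 tcp 512
2021-10-25T14:03:40Z 10.20.30.22 203.0.113.77 8443 tcp 120000
2021-10-25T14:03:41Z 10.20.30.22 203.0.113.77 8443 tcp 118000
2021-10-25T14:05:02Z 10.20.30.15 ntp.example.org 123 udp 76
2021-10-25T14:07:55Z 10.20.30.9 198.51.100.5 53 udp 4096
2021-10-25T14:08:00Z 192.168.1.10 203.0.113.77 8443 tcp 300
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, src, dst, port, proto, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
            "port": int(port), "proto": proto, "bytes": int(nbytes)}


def find_unexpected_egress(log_text, segment=POS_SEGMENT, allowed=ALLOWED_EGRESS):
    """Return flows sourced from the POS segment whose (dst, port) is not allowlisted.

    Hosts outside the segment are ignored: this check is scoped to terminals only,
    so an office PC reaching the same odd destination is not reported here.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["src"] not in segment:
            continue
        if (flow["dst"], flow["port"]) in allowed:
            continue
        findings.append(flow)
    return findings


def summarize(findings):
    """Aggregate flagged flows per (terminal, destination, port): count and bytes.

    Byte totals matter: a terminal pushing hundreds of KB to an unknown host
    looks very different from a single stray probe.
    """
    agg = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for flow in findings:
        key = (str(flow["src"]), flow["dst"], flow["port"])
        agg[key]["flows"] += 1
        agg[key]["bytes"] += flow["bytes"]
    return dict(agg)


if __name__ == "__main__":
    for (src, dst, port), stats in summarize(find_unexpected_egress(FLOW_LOG)).items():
        print(f"{src} -> {dst}:{port}  flows={stats['flows']}  bytes={stats['bytes']}")
```

On the constructed log this flags one terminal sending roughly 238 KB to an unknown host on 8443 and another resolving DNS through a non-corporate resolver, while the office host on 192.168.1.10 is left for a separate check. A real deployment would feed this from NetFlow, firewall or proxy logs and alert on any non-empty result, since a correctly segmented terminal VLAN should have no unexpected egress at all.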

Statement by PAX

Good evening,

Please see statement below from PAX Technology, Inc. regarding recent events:

On Tuesday, October 26, 2021, PAX Technology, Inc. in the United States was subject to an unexpected visit from the Federal Bureau of Investigation (FBI) and other government agencies relating to an apparent investigation.

PAX Technology is not aware of any illegal conduct by it or its employees and is in the process of engaging counsel to assist in learning more about the events that led to the investigation.

Separately, we are aware of media reports regarding the security of PAX Technology’s devices and services. PAX Technology takes security very seriously. As always, PAX Technology is actively monitoring its environment for possible threats. We remain committed to providing secure and quality software systems and solutions.

We intend to keep our team and customers apprised of the situation.

In the meantime, it is business as usual at our locations and operations are continuing as normal. The PAX Jacksonville office and warehouse are both open at this time.

-PAX Technology, Inc.

If you have any questions, please email me directly.

Thank you,

Author: Staff Writer

Craig Keefner -- With over 40 years in the industry and technology, Craig is widely considered to be an expert in the field. Major early career kiosk projects include Verizon Bill Pay kiosk and hundreds of others. Craig helped start kioskmarketplace and formed the KMA. Note the point of view here is not necessarily the stance of the Kiosk Association or kma.global