Feds execute search warrant on Chinese POS giant; PAX Technology issues response

Nov. 2, 2021

KrebsOnSecurity reported that U.S. federal investigators on Oct. 26 raided the Florida offices of PAX Technology Inc., a Chinese provider of point-of-sale devices widely used on kiosk equipment globally.

Headquartered in Shenzhen, China, PAX has more than 60 million POS terminals in use in 120 countries. The raid at PAX’s Florida office was tied to reports that its systems might have been involved in cyberattacks on U.S. and EU organizations.

A post by the security investigative organization alleged: “KrebsOnSecurity heard from a trusted source that the FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals.

“According to that source," the report continued, "the payment processor found that the PAX terminals were being used both as a malware ‘dropper’ – a repository for malicious files – and as ‘command-and-control’ locations for staging attacks and collecting information."


Responding to the Krebs report and another by Bloomberg, PAX Technology issued a press release on Oct. 29 stating that the KrebsOnSecurity article “did not provide particulars of any such ‘reports’. It only referred to a secondhand hearsay quote from the ‘source’ of the writer that referred to other unnamed sources that ‘there is tech proof of the way that the terminals were used in attack ops.’”

The announcement continued:

"[PAX Technologies'] products and services are subject to, and are certified to be compliant with, the Payment Card Industry (PCI) compliance standards and all relevant laws and mandatory regulations of countries worldwide. They are therefore designed to achieve the requisite industry standards for certain cybersecurity (including online security in connection with malicious software). Similar to other reputable industry peers, the Group has always taken, and continues proactively to take, the initiative to enhance security standards of its products both generally and in collaboration with its customers and external third-party test laboratories to carry out product certifications, software penetration testing and other stringent security-related controls, where appropriate, carry out necessary fixing and mitigating measures in a timely manner."

PAX’s Florida office has resumed normal operations.
