If you have a debit card, chances are you have used the point-of-sale (PoS) terminals manufactured by PAX Technology.
With more than 60 million terminals and service provided in over 120 countries, many people around the world have used the devices by this China-headquartered company while shopping—knowingly or not.
But according to a report by a Florida-based news station, PAX transactions could come along with more diabolical intentions than a simple digital payment.
Federal law enforcement are investigating suspicious activity of malware and data transfers connected to PAX's payment system.
FBI raids PAX warehouses
WOKV News in Jacksonville, Florida, broke the story that FBI, DHS, and NCIS agents raided three of PAX's American warehouses.
The FBI gave the station basic information on the unfolding events:
"The FBI Jacksonville Division, in partnership with Homeland Security Investigations, Customs and Border Protection, Department of Commerce, and Naval Criminal Investigative Services, and with the support of the Jacksonville Sheriff's Office, is executing a court-authorized search at this location in furtherance of a federal investigation. We are not aware of any physical threat to the surrounding community related to this search. The investigation remains active and ongoing and no additional information can be confirmed at this time."
Action News Jax reporter Courtney Cole also shared images on Twitter of her coverage.
This is a look at the investigation FBI investigation from our @ActionNewsJax Sky Vision Drone. There are several agencies involved in this investigation @ PAX Technology Warehouse. ⬇️ We've seen FBI, Homeland Security + JSO here to assist. pic.twitter.com/ZY24YfDI52— Courtney Cole (@CourtneyANJax) October 26, 2021
Why was U.S. law enforcement raiding a Chinese payment company?
In a report by Krebs on Security, Brian Krebs discussed information he had gathered from unnamed sources about why the search was happening.
"According to that source, the payment processor found that the PAX terminals were being used both as a malware 'dropper'—a repository for malicious files—and as 'command-and-control' locations for staging attacks and collecting information.
'FBI and MI5 are conducting an intensive investigation into PAX,' the source said. 'A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.'"
At the time of publishing, PAX Technology has not made any public comments or released information on their website or social media. Further, the company appears to make contact very difficult, offering no phone numbers, email information, or social media messaging readily available to non-vendors.
On Oct. 28, Bloomberg News reported that Patty Walters, Senior Vice President of Security and Services, had resigned from the company, but did not wish to elaborate on why she made this decision.
According to sources in Krebs' reporting, PAX is making claims the investigation is "racially and politically motivated."
PAX Technology: victim or perpetrator in cyberattack?
A big question concerning this event right now: Is this raid connected to a larger problem?
Many are speculating on social media about the ramifications of what a compromise of this extent could mean. And there's a lot off speculation over whether the company is being attacked or is itself the attacker.
One blog commenter summed it up this way.
"Unwilling victim of poor security controls on its devices, or press-ganged / coerced victim of the PLA [People's Liberation Army] and other nefarious forces of the CCP [Chinese Communist Party]? One wonders but based upon the shrill response to inquiries collusion with offensive state forces of the Chinese Communist Party would appear the more likely. In other words this was a strategic attack against the businesses of US and UK."
Another commenter mused on implications of how this could happen if the company had met PCI standards.
"Remember that the PCI certification is mainly about protecting PIN and card data – not preventing the device from doing other bad things. In this case it may be that the malware is not stealing card data like most previous attacks (Target etc., which really drove the push for PCI DSS, P2PE etc) but rather simply using the terminals as a launching pad for other network based attacks on infrastructure – a very different threat than what PCI, EMV etc are normally focused on."
In a cybersecurity forum on Reddit, one Redditor called bllinker shared his thoughts.
"Maybe I'm misreading it but isn't this pretty d*** huge? First instance I've heard of attacks on US businesses through Chinese partners which has prompted this is level of conspicuous action (an actual raid)."
Ryan Gallagher, a reporter for Bloomberg, also tweeted about this incident, citing it could have major consequences for businesses all over the world.
Pax's "point of sale" devices are used by millions of people daily to make or receive payments. It has supplied 60 million terminals to 120+ countries, according to its website. So this incident has wide ramifications for businesses that rely on the company's technology. pic.twitter.com/3vtBh18Lo4— Ryan Gallagher (@rj_gallagher) October 27, 2021
One company named Bessemer System FCU, which appeared to be one of PAX's clients, tweeted about how cybercriminals were causing disruption via the malware-infected payment system.
Card account takeovers we experienced were being used for foreign cryptocurrency purchases. Fraud monitoring calls were being directed to the thieves who had changed contact info on the accounts. Really smart. Really expensive.— Bessemer System FCU (@BessemerFCU) October 28, 2021
At this stage in the game, there are a lot of questions PAX Technology will need to answer.
SecureWorld News will update this story as more details become available.
This blog post was updated on 10/28 to include the tweet by Bessemer System FCU and information that PAX Senior Vice President of Security and Services resigned.
Share your thoughts in the comments below.